xl97
Posts: 126
Joined: Thu Jan 12, 2017 3:34 pm

Re: PHP & Serial comm with RPi?

Sun Nov 11, 2018 2:32 pm

I agree.. if I -can- make it more secure.. I'd like to.

At that time.. I feel I had tried everything I could.. (and even some things I didn't quite/fully understand).. and nothing worked. I could NOT get a read from the serial port to save my life.. writing was never an issue.. but reading was. I was even at the point of trying to re-write my front end to try some PHP Serial class floating around. PHP/DIO approach..etc.. nothing worked. Except that line.

To respond to the comment of:
"You only have to add "www-data" to the "dialout" group, reboot and you should be fine without any sudo"

I thought that is what I did here during my set-up/install steps:

Code:

# sudo usermod -a -G dialout www-data
# sudo reboot

After running the suggested line of: "sudo nano /etc/group"

I see this:

Code:

dialout:x:20:pi,www-data

So I'm assuming, that YES, user www-data is part of the dialout group.....yes?

But I could never get a READ, until I still added the line above.


Since that has been there since the beginning, I am concerned that editing the 'sudoers' file will result in things breaking again.

Code:

sudo nano /etc/sudoers


When I view the file itself.. I see this: (looks like a dup entry at the end?)

Code:

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:$

# Host alias specification

# User alias specification


#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:$

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
www-data    ALL=NOPASSWD: ALL
www-data    ALL=NOPASSWD: ALL

So if www-data is already part of the dialout group.... then what is my issue? (as I understand it.. having that line in there.... I should need to have to run this: echo "www-data ALL=NOPASSWD: ALL" | sudo tee -a /etc/sudoers
....correct?


So in theory I should be able to remove both of those lines in the sudoers file here:

Code:

#includedir /etc/sudoers.d
www-data    ALL=NOPASSWD: ALL
www-data    ALL=NOPASSWD: ALL

and things 'should still work'... but they never did.

(hence all the searching for this line to add permission to everything.)

bzt
Posts: 326
Joined: Sat Oct 14, 2017 9:57 pm

Re: PHP & Serial comm with RPi?

Sun Nov 11, 2018 4:40 pm

Hi xl97,
xl97 wrote: So I'm assuming, that YES, user www-data is part of the dialout group.....yes?
Yes, everything is ok!
xl97 wrote: So if www-data is already part of the dialout group.... then what is my issue? (as I understand it.. having that line in there.... I should need to have to run this: echo "www-data ALL=NOPASSWD: ALL" | sudo tee -a /etc/sudoers
....correct?
Well, if your www-data is in the group "dialout", then you should be able to read and write the serial device file from your script.
About the "tee" line: that appends a sudoers rule. Probably you have executed it twice, and that's the reason for the duplicated line. You can remove the second one safely (but probably you can remove both if you follow the steps below).

What bothers me is that sudo has nothing to do with file permissions. It's very strange that if you allow www-data to EXECUTE commands with root privileges, that also allows OPENING files. I suspect a coincidence here, there must be something else in the background. I'm suspecting that your issue is something like: you can open and read/write the serial device from PHP just fine, but it's not set up properly (baud, data bits, etc.), therefore it couldn't receive anything, so the FIFO is empty, and therefore you read nothing from the device. Something like that (but I'm just making a well educated guess here). To make sure, try error_reporting(E_ALL); before the open, and you'll see error messages in the php.log for sure if you can't open it. The lack of messages means everything is ok, no need for looking for a Serial class or rewriting your code.

If I were you, I'd give another try to /etc/rc.local. You should call stty from there (that script is executed as root, so no need for sudo), and remove the exec() from your script. This must work if you use the full path ("/usr/bin/stty", because the PATH environment variable may not be initialized, which could have caused your problem). But if rc.local is still not working for you (it really should), you can do the following: I'd suggest specifying the command that you run with sudo (the second "ALL" after "NOPASSWD:" tells sudo what commands are allowed, in this case everything). So in your case, you want to limit it to stty, so this should do the trick:

Code:

www-data ALL=NOPASSWD: /usr/bin/stty

This will only allow the webserver to run "stty" as root, and nothing else. The only downside is, you have to call stty from PHP with the full path, like

Code:

exec("sudo /usr/bin/stty -F ...");

Hope this helps. And just for the record, to find out the full path of a command, you can use the "whereis" command, like:

Code:

$ whereis stty
stty: /usr/bin/stty /usr/share/man/man2/stty.2.gz /usr/share/man/man1/stty.1p.gz /usr/share/man/man1/stty.1.gz
$

This will list every occurrence on your system (including documentation too); the executables are the ones in the directories "/bin", "/sbin", "/usr/bin", "/usr/sbin". If you want to know more about why there are 4 "bin" folders, you should google "File Hierarchy Standard".

Cheers,
bzt
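As an added example (my own, not code from either post), a small POSIX shell audit of the two settings this thread turns on: whether www-data is in the dialout group (which is what serial reads need) and whether sudoers still grants www-data "NOPASSWD: ALL" rather than one full-path command. It runs against constructed copies of the /etc/group and sudoers lines shown above; on a real Pi you would feed it the actual files.

```shell
#!/bin/sh
# Added example, not code from the thread. Inputs are passed as text so the
# checks run offline; on a Pi use "$(cat /etc/group)" and "$(sudo cat /etc/sudoers)".

# user_in_group GROUP_TEXT GROUP USER -> exit 0 if USER is in GROUP's member list
user_in_group() {
    printf '%s\n' "$1" | awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }'
}

# count_overbroad_rules SUDOERS_TEXT USER -> prints how many rules give USER
# "NOPASSWD: ALL"; the ALL after NOPASSWD: is the command list, so ALL = any command
count_overbroad_rules() {
    printf '%s\n' "$1" | awk -v u="$2" '
        /^[ \t]*#/ { next }                                  # skip comments and #includedir
        $1 == u && $0 ~ /NOPASSWD:[ \t]*ALL[ \t]*$/ { n++ }
        END { print n + 0 }'
}

# Constructed sample inputs modelled on the listings in the thread (not real files).
SAMPLE_GROUP='dialout:x:20:pi,www-data
sudo:x:27:pi'
SAMPLE_SUDOERS_BAD='#includedir /etc/sudoers.d
www-data    ALL=NOPASSWD: ALL
www-data    ALL=NOPASSWD: ALL'
SAMPLE_SUDOERS_OK='www-data ALL=NOPASSWD: /usr/bin/stty'

# report GROUP_TEXT SUDOERS_TEXT -> human-readable summary for the www-data account
report() {
    if user_in_group "$1" dialout www-data; then
        echo "www-data is in dialout: the serial device is readable without sudo"
    else
        echo "www-data is NOT in dialout: run 'sudo usermod -a -G dialout www-data' and reboot"
    fi
    n=$(count_overbroad_rules "$2" www-data)
    [ "$n" -eq 0 ] && echo "no unrestricted sudo rules for www-data" \
                   || echo "$n rule(s) let www-data run ANY command as root; restrict to /usr/bin/stty"
}

report "$SAMPLE_GROUP" "$SAMPLE_SUDOERS_BAD"
report "$SAMPLE_GROUP" "$SAMPLE_SUDOERS_OK"
```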
