
Why do PHP backticks and SSH not return identical values?


When I run ps cax with my ssh command line, I get the following:

user@dqeb ~ $ ps cax
PID TTY      STAT   TIME COMMAND
3277 ?        Ss    12:51 httpd
6797 ?        S      1:45 httpd
7190 ?        Ss     0:00 gpopd.pl
7291 ?        S      0:02 httpd
7303 ?        S      0:05 httpd
7309 ?        S      0:03 httpd
7336 ?        S      0:02 httpd
7361 ?        S      0:03 httpd
7419 ?        S      0:02 httpd
7426 ?        S      0:02 httpd
7427 ?        R      0:03 httpd
7440 ?        S      0:02 httpd
7457 ?        S      0:01 httpd
7468 ?        S      0:01 httpd
7504 ?        S      0:02 httpd
7743 ?        S      0:00 wrapper
7744 ?        Sl     0:00 java
7812 ?        S      0:00 qmail-local
7843 ?        S      0:00 qmail-local
7848 pts/3    R+     0:00 ps
8769 ?        Sl     0:00 sshd
8775 pts/5    Ss+    0:00 bash
9159 pts/2    S      0:00 su
9160 pts/2    S+     0:00 bash
9241 pts/5    S      0:00 gimap.pl
30334 ?        S      0:00 imap
30335 ?        S      0:00 imap
30340 ?        S      0:00 imap
30582 ?        Sl     0:00 sshd
30589 pts/3    Ss     0:00 bash

However, when I run the following PHP code:

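<?php
// chr(10) is the line feed character ("\n").
$newline = chr(10);
// Backticks run the command through the shell, like shell_exec().
$out = `ps cax`;
// Turn line breaks into <br> so the browser shows one process per line.
$out = str_replace($newline, '<br>', $out);
echo $out;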

I get

7519 ? R 0:00 ps
15886 ? S 0:00 httpd
15890 ? S 0:00 httpd
15891 ? S 0:00 httpd
15917 ? S 0:00 httpd
15920 ? S 0:00 httpd
15930 ? S 0:00 httpd
15932 ? S 0:00 httpd
15933 ? S 0:00 httpd
16124 ? S 0:00 httpd
16125 ? S 0:00 httpd
16126 ? S 0:00 httpd
16128 ? S 0:00 httpd
16129 ? S 0:00 httpd
16130 ? S 0:00 httpd
16131 ? S 0:00 httpd
16134 ? S 0:00 httpd
16137 ? S 0:00 httpd
16138 ? S 0:00 httpd
16448 ? S 0:00 httpd

...and it goes on like that for quite a long time.

Why do I not see the same processes when I run the same command on the same server? I expected them to be identical.


Solution

  • When you run a PHP script via a web browser, it executes as the www user, which is a less privileged one. You can only see those processes owned by www. That's why you see only httpd, which are Apache child processes. When you run the same script via the shell, it runs as the corresponding user (root or the username you used to ssh). That user might have more privileges than the www user, so you can see almost all processes running on the system.

    If you want to get the same result when you execute the script via the browser, you need to escalate the privileges of the www user, which is a security threat. Anyone browsing your website will get the same privileges and they can easily hack your server. So I won't recommend it.
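To compare the two contexts the answer describes without changing any privileges, the following added example (not part of the original question or answer) reports which account the script runs as and how many processes it can see per owner. It assumes the posix extension is loaded, exec() is permitted, and ps is the procps version; the command string is fixed and takes no request input.

```php
<?php
// Added diagnostic, not code from the original post. Run it once from the
// SSH shell (php file.php) and once through the web server, then compare.

// Bail out early if exec() or the posix extension is missing.
if (!function_exists('exec') || !function_exists('posix_geteuid')) {
    exit("exec() or the posix extension is unavailable\n");
}

// Effective UID of the PHP process and the matching account name.
$euid = posix_geteuid();
$info = posix_getpwuid($euid);
$name = ($info !== false) ? $info['name'] : (string) $euid;

// Constant command with no user-supplied parts, so nothing can be injected.
// Empty "=" headers suppress the header row (procps ps).
$lines = [];
$status = 0;
exec('ps -e -o user= -o pid= -o comm=', $lines, $status);
if ($status !== 0) {
    error_log("ps exited with status $status");
    exit("ps failed\n");
}

// Count the visible processes per owning account.
$byOwner = [];
foreach ($lines as $line) {
    $fields = preg_split('/\s+/', trim($line), 3);
    if (count($fields) < 3) {
        continue; // skip malformed or empty lines
    }
    $byOwner[$fields[0]] = ($byOwner[$fields[0]] ?? 0) + 1;
}
arsort($byOwner);

$report = sprintf("SAPI: %s\nRunning as: %s (uid %d)\nVisible processes: %d\n",
    PHP_SAPI, $name, $euid, array_sum($byOwner));
foreach ($byOwner as $owner => $count) {
    $report .= sprintf("  %-12s %d\n", $owner, $count);
}

// Escape before sending to a browser; print as-is on the command line.
echo PHP_SAPI === 'cli' ? $report : '<pre>' . htmlspecialchars($report) . '</pre>';
```

Keep a script like this off publicly reachable paths, since the process list is information the web account should not hand to visitors.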