Shutting Down the Server from a Webpage

Being able to conveniently shutdown our server when we are not using it is very handy. The most obvious way of doing this is to SSH into the server, and then issue the ‘shutdown –Ph now‘ command. However, this can be a bit tedious, especially if you are trying to do it from a phone (Termius). Wouldn’t it be much easier if we had a button on a webpage which could do this immediately for us?

For this, you are going to need to set the privileges of the user account which the web server uses, and then create 3 files, 1 of which will be deleted as soon as we are finished with it: one for encrypting the password (this will quickly be deleted), one for saving the password and finally the website itself with the form to shutdown the server.

There is some basic HTML and PHP code involved in this exercise. While I have tried to keep the code as minimal as possible, it would be extremely useful to get familiar with both languages. There are many sources on the web for learning either for free, but for PHP in particular, I would strongly recommend Code Academy. You will be surprised at how quickly you pick up this language, and the power it brings to your webpages.

Providing Elevated User Rights

When the Apache web server was installed, the installer set up a new user account (www-data) which is used to run the web server. This is for security purposes, so that the user which is displaying the web pages, has limited privileges on your server. If an attacker managed to run commands on your server through your web pages (command injection), then the damage they can do is limited.

Ordinarily, shutting down your server is something you only want privileged accounts to do, and thus it requires sudo privileges when run over SSH. While one option would be to give the www-data user sudo privileges, that opens the way for all kinds of potential problems. A hacker would now have root privileges over your server!

From a security perspective, if you are going to give an account privileged rights, you should do so on a very granular level. We covered giving a user sudo privileges previously, but that is more permissions than we want to give the user running our web server pages, due to the risks outlined above. We are going to give the web server user rights to run one single elevated command – the shutdown command.

To edit the sudo group to add the user, run the command:

At the bottom of the file, add the line,

then save and exit (Ctrl+ O, Ctrl + X).

It is good practice to use the full path to the command you want to run, in this case the shutdown command. To confirm the path to the command on your system, use the ‘which‘ command (which shutdown).

Your web user now has the necessary privileges to shutdown your server. Let’s move on to generating the password file.

Generating the Encrypted Password

Firstly, it is important to say that there is nothing stopping you from simply having a button or image on your web page which, when pressed, will shut down your server. Seems a little dangerous though, and prone to mis-clicking (is that a word?). Also, there would be no control over who could trigger it and anyone on your network who can see the page could click it while you are busy watching a movie or downloading a torrent. So having it password protected is a good minimum security precaution to take.

Secure coding principles dictate that passwords should never be hard coded into your web pages, so we are going to create a file which contains our password, have the web page read that file, and if the password which a user enters on the web page matches the one in the file, then the action (shutting down the server) will be performed.
Secure coding principles also dictate that you never store passwords in plain text, so we are going to hash our password.

Hashing is a form of encryption often used for storing passwords. Hashing is unique though in that it is a one way encryption. You cannot take a hashed value and ‘de-hash’ it to get the original password. Hashes also take input of any length and always produce a fixed length output. So whether your password is 12 or 112 characters long, the result will always be a 40 character string of text.

We are going to use SHA1 (Secure Hashing Algorithm) for our page. This is a strong hashing algorithm which is more secure than older algorithms such as MD5, which have been shown to be vulnerable to attacks known as collisions.

To get the hash of our password, which will be saved to the server, we are going to write a very short PHP script. Over an SSH connection, go to your web directory, and create a file called hash.php.

then enter the following:

In this script, your first line tells Apache that it is a PHP script. In the second, you are printing (echoing) the hash of your password to the web page. The last line simply closes the PHP script.

With a web browser, browse to the web site and copy the text printed on the screen. Save this as you are going to need it in the next step.

IMPORTANT: once you have made a copy of the hash, or used it in the password file in the next step, this page should be deleted. As the password is saved in plain text in it, it is a security risk. To delete it, use the rm command:

The Password File

The password file is going to be saved outside of the web directories, so create a new directory under /var/www/files, move into it, and create a file called shutdown.php:

enter the following:

Here we are declaring a variable ($shutdown_pswd) and giving it the value of the SHA1 hash we copied earlier. Put the hash value for your password into the script.

Set the permissions so that the web server user (www-data) can read it, and you are ready to move on to your web page.

The Shutdown Form

On the page we are going to display, there will be a text box and a button to submit the answer. This button will trigger the PHP shutdown script, if the password is correct. This button has a name (ShutdownButton in the example below), which is used for interacting with the PHP code in the next step. The code for the button also allows you to give it a visible name on the page, ‘Shutdown’ in the example below. In PHP terminology, this button begins in an unset state, i.e. it has not yet been clicked or ‘set’. Each time the page loads, the server checks if this button has been set.

When you click the button, the page reloads. As the button is now set, the server hashes the password which has been provided using the SHA1 algorithm. If this hash matches the hash value which is saved on file, then the server runs the shutdown command. If the hashes don’t match, i.e. the password is not correct, it does nothing.

All of the text below will go on the same page. Just be sure to put the PHP script after the code for your form.

Reload the address of your page again and you should see the form. If you want to test it without actually shutting down the server, you could comment out the line which gives the shutdown command, i.e. //exec(‘sudo /sbin/shutdown’). To comment out a line, put two forward slashes at the start (//…). If you now enter the correct password, you should the message ‘Shutdown command sent’ on the page once submitted.

Leave a comment