Why is exec() not containing the output?

Question

When i run the command echo /tmp/stderr{,.pub} | xargs -n 1 ln -sf /dev/stderr && yes | ssh-keygen -t ed25519 -C "" -N "" -f /tmp/stderr > /dev/null; rm /tmp/stderr{,.pub} on shell, it returned the private/public keypair as shown below (don't worry, the keypair isn't used):

blackbox /home/clock # echo /tmp/stderr{,.pub} | xargs -n 1 ln -sf /dev/stderr && yes | ssh-keygen -q -t ed25519 -C "" -N "" -f /tmp/stderr >/dev/null; rm /tmp/stderr{,.pub}
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACA1vZhl2jqtzhEqaqbKwYjLB1OIH8hMPtWB/PWhqeI/QQAAAIj4n5if+J+Y
nwAAAAtzc2gtZWQyNTUxOQAAACA1vZhl2jqtzhEqaqbKwYjLB1OIH8hMPtWB/PWhqeI/QQ
AAAEAtcSI3RLsOo0CXnat4Gs4JENGyDPbGojIT8GU0E+3vUDW9mGXaOq3OESpqpsrBiMsH
U4gfyEw+1YH89aGp4j9BAAAAAAECAwQF
-----END OPENSSH PRIVATE KEY-----
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDW9mGXaOq3OESpqpsrBiMsHU4gfyEw+1YH89aGp4j9B

But when i run the command thru exec() in PHP, it returned the command itself:

blackbox /home/clock # php -f key.php
Array
(
[0] => /tmp/stderr{,.pub} | xargs -n 1 ln -sf /dev/stderr && yes | ssh-keygen -t ed25519 -C "" -N "" -f /tmp/stderr > /dev/null; rm /tmp/stderr{,.pub}
)

The code i use:

<?php
$exec_output = '';
$exec_return = '';

// echo /tmp/stderr{,.pub} | xargs -n 1 ln -sf /dev/stderr && yes | ssh-keygen -t ed25519 -C "" -N "" -f /tmp/stderr > /dev/null; rm /tmp/stderr{,.pub}
$cmd = array('echo', escapeshellarg('/tmp/stderr{,.pub} |'), 'xargs -n 1 ln -sf /dev/stderr', escapeshellarg('&& yes |'), 'ssh-keygen -t ed25519', escapeshellarg('-C "" -N "" -f /tmp/stderr > /dev/null; rm /tmp/stderr{,.pub}'));

exec(implode(' ', $cmd), $exec_output, $exec_return);

print_r($exec_output);
?>

Why?

PS: I don't want to fill the generated keypair into a file, even not in /tmp.

• PHP: 7.3.13
• User: root

Answer 1

1. Shell path expansions won't work when passed as strings:

   echo '/tmp/stderr{,.pub}'

   instead you need to use unquoted ones

   echo /tmp/stderr{,.pub}

2. You cannot quote argument with the program option itself, it will be treated like one argument.

3. There is no user input here, so there is no need to escape anything.
4. exec only catches stdout and you are redirecting yours into /dev/null.

Altered $cmd array looks like this:

$cmd = array(
  'echo',
  '/tmp/stderr{,.pub}',
  '|',
  'xargs -n 1',
  'ln -sf',
  '/dev/stderr',
  '&&',
  'yes 2>/dev/null',
  '|',
  'ssh-keygen',
  '-t',
  'ed25519',
  '-C',
  '""',
  '-N',
  '""',
  '-f',
  '/tmp/stderr',
  '2>&1',
  '>/dev/null',
  ';',
  'rm',
  '/tmp/stderr{,.pub}'
);