HPE Community
Operating System - Linux
1825987 Members
3215 Online
109690 Solutions
New Discussion

Re: allow sudo for www user to run root shell script

 
SOLVED
Go to solution
'chris'
Super Advisor

‎07-22-2005 10:02 PM

‎07-22-2005 10:02 PM

allow sudo for www user to run root shell script

hi

howto allow sudo for www user to run root shell script:

I put in /usr/local/etc/sudores:
---------------------------------------------------
%www ALL=(ALL) NOPASSWD: ALL
www ALL=(root) ALL,!/bin/sh

---------------------------------------------------

but still get:
# sudo -u www sh /usr/local/www/cgi-bin/ntop/ntop.sh start
touch: /var/log/ntop.access.log: Permission denied
ntopbsd#


I know all security aspects, but I really need it.

kind regards
chris
0 Kudos
Reply
26 REPLIES 26
Stuart Browne
Honored Contributor

‎07-22-2005 10:58 PM

‎07-22-2005 10:58 PM

Solution

Re: allow sudo for www user to run root shell script

'sudo -u www' will attempt to run the script as the 'www' user.

Your sudoers say:

Any user in the 'www' group can run any command without any password.

The user 'www' can run any command (except /bin/sh) as 'root' only.

So that's not going to work.

As the 'www' user, you just want to issue 'sudo /usr/local/www/cgi-bin/ntop/ntop.sh start'.
One long-haired git at your service...
Reply
'chris'
Super Advisor

‎07-22-2005 11:31 PM

‎07-22-2005 11:31 PM

Re: allow sudo for www user to run root shell script

thanks,

but I cannot do:

# su www
This account is currently not available.

to try it.

I'd like to execute this root shell script via browser, using a perl script:
----------------------------------------------------------------------------------
#!/usr/bin/perl -w

use CGI::Carp qw(fatalsToBrowser);
use CGI;
my $query = new CGI;

# write the log
BEGIN
{
use CGI::Carp qw(carpout);
my $errorlog = "/var/tmp/errorlog.txt";
open(LOG, ">$errorlog") or die("Unable to open $errorlog: $!\n");
print LOG "Errors:\n";
carpout(*LOG);
}

print $query->header;
print "\n";
print "\n";
print "ntop startup script\n";
print "\n";
print "\n";
print "\n";
print "
";
print "


";
print "


";

'sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh stop' or die "cannot stop ntop: $!";
sleep(8);
$cc = 'sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh start' or die "cannot start ntop: $!";
print "Status: ",$cc,"\n";

print "";
print "";

exit($cc);
----------------------------------------------------------------------------------

but it doesn't work
0 Kudos
Reply
Stuart Browne
Honored Contributor

‎07-22-2005 11:36 PM

‎07-22-2005 11:36 PM

Re: allow sudo for www user to run root shell script

and the user/group that your apache runs CGI's as? www:www ?
One long-haired git at your service...
Reply
Stuart Browne
Honored Contributor

‎07-22-2005 11:41 PM

‎07-22-2005 11:41 PM

Re: allow sudo for www user to run root shell script

Oh incidentally, as you've got both the group modifier and the user modifier in there, it will take the 'user' first, and thus prompt for a password, rather than take the 'group' (of which doesn't).
One long-haired git at your service...
Reply
'chris'
Super Advisor

‎07-22-2005 11:43 PM

‎07-22-2005 11:43 PM

Re: allow sudo for www user to run root shell script

I think

user: www
group: www

how can I check them to be sure ?
0 Kudos
Reply
'chris'
Super Advisor

‎07-22-2005 11:54 PM

‎07-22-2005 11:54 PM

Re: allow sudo for www user to run root shell script

I changed to only:

%www ALL=(ALL) NOPASSWD: ALL

but still doesn't work.
0 Kudos
Reply
Stuart Browne
Honored Contributor

‎07-23-2005 12:11 AM

‎07-23-2005 12:11 AM

Re: allow sudo for www user to run root shell script

Those sudo settings work fine here as a CGI.

What is your apache 'error_log' saying?
One long-haired git at your service...
Reply
'chris'
Super Advisor

‎07-23-2005 01:15 AM

‎07-23-2005 01:15 AM

Re: allow sudo for www user to run root shell script

[Sat Jul 23 13:51:33 2005] [error] [client 192.168.0.105] (13)Permission denied: exec of '/usr/local/www/cgi-bin/ntop/ntop4.cgi' failed
[Sat Jul 23 13:51:33 2005] [error] [client 192.168.0.105] Premature end of script headers: ntop4.cgi
0 Kudos
Reply
'chris'
Super Advisor

‎07-23-2005 01:30 AM

‎07-23-2005 01:30 AM

Re: allow sudo for www user to run root shell script

sorry this was an old entry
I don't have any errors or entries in apache error log now, but still doesn't work.
0 Kudos
Reply
Stuart Browne
Honored Contributor

‎07-23-2005 01:33 AM

‎07-23-2005 01:33 AM

Re: allow sudo for www user to run root shell script

From the command line, as root, does the CGI execute without issues, and output what's expected?
One long-haired git at your service...
Reply
'chris'
Super Advisor

‎07-23-2005 01:40 AM

‎07-23-2005 01:40 AM

Re: allow sudo for www user to run root shell script

from command line as root:
--------------------------------------------------------------------
# perl ntop4.cgi
Content-Type: text/html; charset=ISO-8859-1



ntop startup script





Status: sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh start
bsd#
--------------------------------------------------------------------

but ntop doesn't start


0 Kudos
Reply
Stuart Browne
Honored Contributor

‎07-23-2005 01:44 AM

‎07-23-2005 01:44 AM

Re: allow sudo for www user to run root shell script

*nod* yup, thought so.

If you look at your output, you can see the exact problem.

Around your sudo lines, you've got forward-single-quotes ('). You need back-tick's (`). Wrong character..
One long-haired git at your service...
Reply
'chris'
Super Advisor

‎07-23-2005 02:00 AM

‎07-23-2005 02:00 AM

Re: allow sudo for www user to run root shell script

I don't understand what you mean, my sudoers looks:

# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# Runas alias specification

# User privilege specification
root ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

%www ALL=(ALL) NOPASSWD: ALL
0 Kudos
Reply
Stuart Browne
Honored Contributor

‎07-23-2005 02:04 AM

‎07-23-2005 02:04 AM

Re: allow sudo for www user to run root shell script

In your perl routine, you've got:

'sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh stop' or die "cannot stop ntop: $!";
sleep(8);
$cc = 'sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh start' or die "cannot start ntop: $!";

These lines use the forward single quote ('). As you aren't using the system() call, it appears as if you want to subshell out, which means you should be using the back tick (`), not quote (').
One long-haired git at your service...
Reply
'chris'
Super Advisor

‎07-23-2005 02:13 AM

‎07-23-2005 02:13 AM

Re: allow sudo for www user to run root shell script

how should I change that ?

can you post pls the correct syntax ?
0 Kudos
Reply
Stuart Browne
Honored Contributor

‎07-23-2005 02:24 AM

‎07-23-2005 02:24 AM

Re: allow sudo for www user to run root shell script

You have these lines:

'sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh stop' or die "cannot stop ntop: $!";
sleep(8);
$cc = 'sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh start' or die "cannot start ntop: $!";

You need to change them to either:

`sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh stop` or die "cannot stop ntop: $!";
sleep(8);
$cc = `sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh start` or die "cannot start ntop: $!";

or use some form of system() and less control over it's output...
One long-haired git at your service...
Reply
'chris'
Super Advisor

‎07-23-2005 02:38 AM

‎07-23-2005 02:38 AM

Re: allow sudo for www user to run root shell script

thanks,

I changed but now I get this error from the command line:

# perl ntop4.cgi
Content-Type: text/html; charset=ISO-8859-1



ntop startup script





Software error:


cannot stop ntop: No such file or directory at ntop4.cgi line 32.


For help, please send mail to this site's webmaster, giving this error message
and the time and date of the error.


0 Kudos
Reply
Stuart Browne
Honored Contributor

‎07-23-2005 03:07 AM

‎07-23-2005 03:07 AM

Re: allow sudo for www user to run root shell script

Verify that this is the correct full path:

/usr/local/www/cgi-bin/ntop/ntop.sh

If it is, then change it from:

sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh

to just:

sudo /usr/local/www/cgi-bin/ntop/ntop.sh

ensuring that /usr/local/www/cgi-bin/ntop/ntop.sh is executable (chmod +x /usr/local/www/cgi-bin/ntop/ntop.sh).
One long-haired git at your service...
Reply
'chris'
Super Advisor

‎07-23-2005 03:21 AM

‎07-23-2005 03:21 AM

Re: allow sudo for www user to run root shell script

I did these changes, but still get this error:

# perl ntop4.cgi
Content-Type: text/html; charset=ISO-8859-1



ntop startup script





Software error:


cannot stop ntop: No such file or directory at ntop4.cgi line 32.


For help, please send mail to this site's webmaster, giving this error message
and the time and date of the error.



I don't really understand the path is correct.
0 Kudos
Reply
Stuart Browne
Honored Contributor

‎07-23-2005 03:26 AM

‎07-23-2005 03:26 AM

Re: allow sudo for www user to run root shell script

So you verified the path of that 'ntop.sh' script?

Ok, try fully-pathing 'sudo' too. During CGI execution, it's not uncommon to run in a reduced path environment.
One long-haired git at your service...
Reply
'chris'
Super Advisor

‎07-23-2005 04:43 AM

‎07-23-2005 04:43 AM

Re: allow sudo for www user to run root shell script

'ntop.sh' script is in the same cgi-bin directory like ntop4.cgi:

/usr/local/www/cgi-bin/ntop/

I never tried fully-pathing 'sudo'.

how it should work ?
0 Kudos
Reply
Stuart Browne
Honored Contributor

‎07-23-2005 12:07 PM

‎07-23-2005 12:07 PM

Re: allow sudo for www user to run root shell script

Within the script, instead of using just:

`sudo /usr/local/www/cgi-bin/ntop/ntop.sh start` .....

use:

`/usr/bin/sudo /usr/local/www/cgi-bin/ntop/ntop.sh start` ....

One long-haired git at your service...
Reply
'chris'
Super Advisor

‎07-23-2005 12:15 PM

‎07-23-2005 12:15 PM

Re: allow sudo for www user to run root shell script

I tried, but still doesn't work !
0 Kudos
Reply
'chris'
Super Advisor

‎07-23-2005 12:25 PM

‎07-23-2005 12:25 PM

Re: allow sudo for www user to run root shell script

I solved this problem:

it needs following entry in sudoers

www bsd = NOPASSWD: /usr/local/www/cgi-bin/ntop/ntop.sh

and

this perl code does his job very well:
--------------------------------------------------------------------------------------------------------
system `/usr/local/www/cgi-bin/ntop/ntop.sh stop` or die "cannot stop ntop: $!";
sleep(8);
$cc = `sudo /usr/local/www/cgi-bin/ntop/ntop.sh start` or die "cannot start ntop: $!";
print "status: ",$cc,"\n";
--------------------------------------------------------------------------------------------------------

I can stop & start ntop via browser !

Now I'm going to take a cold beer.

greetings
chris
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.