allow sudo for www user to run root shell script

cccc · 07-23-2005, 05:16 AM

hi

howto allow sudo for www user to run root shell script:

I put in /usr/local/etc/sudores:

---------------------------------------------------
%www ALL=(ALL) NOPASSWD: ALL

www ALL=(ALL) NOPASSWD: ALL
---------------------------------------------------

but still get:
# sudo -u www sh /usr/local/www/cgi-bin/ntop/ntop.sh start
touch: /var/log/ntop.access.log: Permission denied
ntopbsd#

I know all security aspects, but I really need it.

greetings
cccc

crash748 · 07-23-2005, 06:03 AM

Code:

touch: /var/log/ntop.access.log: Permission denied

because user 'www' does not have any rights to write in /var/log/ ?

cccc · 07-23-2005, 06:37 AM

thanks,

I changed the permissions and now I get:

# sudo -u www sh /usr/local/www/cgi-bin/ntop/ntop.sh start
ntopbsd#

but ntop won't start.

crash748 · 07-23-2005, 02:00 PM

Is "www" allowed to execute the commands in your script?
And is "www" member of the wheel group?
Only members of the group wheel are allowed tu use sudo.

cccc · 07-23-2005, 02:20 PM

yes,

with these commands it seems to work:

Code:

# sudo -u www sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh stop
# sudo -u www sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh start
#  ntopbsd# ps aux | grep ntop
root    74312  0.0  0.7  1484   800  p2  S+    9:20PM   0:00.01 grep ntop

but I cannot execute ntop.sh via browser using a perl script.

keefaz · 07-23-2005, 02:38 PM

Quote:

I put in /usr/local/etc/sudores:

---------------------------------------------------
%www ALL=(ALL) NOPASSWD: ALL

www ALL=(ALL) NOPASSWD: ALL
---------------------------------------------------

Sorry for asking, but are you aware that with these settings,
www user is able to run all system command as root
without password ?

cccc · 07-23-2005, 02:48 PM

NO,

I'd like to allow only execute /usr/local/www/cgi-bin/ntop/ntop.sh

but don't know how it should work, something like:

www ALL = NOPASSWD: /usr/local/www/cgi-bin/ntop.sh

knows someone the correct entry ?

keefaz · 07-23-2005, 02:54 PM

Yes, that would be the correct way
For a maximum security you could change ALL to your hostname
And make sure ntop.sh is not writtable or could not be edited

cccc · 07-23-2005, 03:08 PM

I have:

www localhost=NOPASSWD: /usr/local/www/cgi-bin/ntop.sh

but it won't work:

first time I was asked for a password, but I've put only "Enter",
because www user doesn't have a password.

# sudo -u www sudo /usr/local/www/cgi-bin/ntop.sh stop
www is not allowed to run sudo on bsd. This incident will be reported.

# sudo -u www sudo /usr/local/www/cgi-bin/ntop.sh start
www is not allowed to run sudo on bsd. This incident will be reported.

keefaz · 07-23-2005, 03:20 PM

is your hostname named 'bsd' ?

cccc · 07-23-2005, 03:27 PM

keefaz · 07-23-2005, 03:44 PM

So try :

Code:

www bsd = NOPASSWD: /usr/local/www/cgi-bin/ntop.sh

cccc · 07-23-2005, 03:48 PM

thanks,

now it works !