LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Other *NIX Forums > *BSD
User Name
Password
*BSD This forum is for the discussion of all BSD variants.
FreeBSD, OpenBSD, NetBSD, etc.

Notices



Reply
 
Search this Thread
Old 07-23-2005, 06:16 AM   #1
cccc
Senior Member
 
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,618

Rep: Reputation: 48
allow sudo for www user to run root shell script


hi

howto allow sudo for www user to run root shell script:

I put in /usr/local/etc/sudores:

---------------------------------------------------
%www ALL=(ALL) NOPASSWD: ALL

www ALL=(ALL) NOPASSWD: ALL
---------------------------------------------------

but still get:
# sudo -u www sh /usr/local/www/cgi-bin/ntop/ntop.sh start
touch: /var/log/ntop.access.log: Permission denied
ntopbsd#


I know all security aspects, but I really need it.

greetings
cccc

Last edited by cccc; 07-23-2005 at 07:15 AM.
 
Old 07-23-2005, 07:03 AM   #2
crash748
LQ Newbie
 
Registered: Aug 2003
Posts: 18

Rep: Reputation: 0
Code:
touch: /var/log/ntop.access.log: Permission denied
because user 'www' does not have any rights to write in /var/log/ ?
 
Old 07-23-2005, 07:37 AM   #3
cccc
Senior Member
 
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,618

Original Poster
Rep: Reputation: 48
thanks,

I changed the permissions and now I get:

# sudo -u www sh /usr/local/www/cgi-bin/ntop/ntop.sh start
ntopbsd#

but ntop won't start.
 
Old 07-23-2005, 03:00 PM   #4
crash748
LQ Newbie
 
Registered: Aug 2003
Posts: 18

Rep: Reputation: 0
Is "www" allowed to execute the commands in your script?
And is "www" member of the wheel group?
Only members of the group wheel are allowed tu use sudo.
 
Old 07-23-2005, 03:20 PM   #5
cccc
Senior Member
 
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,618

Original Poster
Rep: Reputation: 48
yes,

with these commands it seems to work:
Code:
# sudo -u www sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh stop
# sudo -u www sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh start
#  ntopbsd# ps aux | grep ntop
root    74312  0.0  0.7  1484   800  p2  S+    9:20PM   0:00.01 grep ntop
but I cannot execute ntop.sh via browser using a perl script.

Last edited by cccc; 07-23-2005 at 03:30 PM.
 
Old 07-23-2005, 03:38 PM   #6
keefaz
Senior Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 4,617

Rep: Reputation: 136Reputation: 136
Quote:
I put in /usr/local/etc/sudores:

---------------------------------------------------
%www ALL=(ALL) NOPASSWD: ALL

www ALL=(ALL) NOPASSWD: ALL
---------------------------------------------------
Sorry for asking, but are you aware that with these settings,
www user is able to run all system command as root
without password ?
 
Old 07-23-2005, 03:48 PM   #7
cccc
Senior Member
 
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,618

Original Poster
Rep: Reputation: 48
NO,

I'd like to allow only execute /usr/local/www/cgi-bin/ntop/ntop.sh

but don't know how it should work, something like:

www ALL = NOPASSWD: /usr/local/www/cgi-bin/ntop.sh

knows someone the correct entry ?
 
Old 07-23-2005, 03:54 PM   #8
keefaz
Senior Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 4,617

Rep: Reputation: 136Reputation: 136
Yes, that would be the correct way
For a maximum security you could change ALL to your hostname
And make sure ntop.sh is not writtable or could not be edited
 
Old 07-23-2005, 04:08 PM   #9
cccc
Senior Member
 
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,618

Original Poster
Rep: Reputation: 48
I have:

www localhost=NOPASSWD: /usr/local/www/cgi-bin/ntop.sh

but it won't work:

first time I was asked for a password, but I've put only "Enter",
because www user doesn't have a password.

# sudo -u www sudo /usr/local/www/cgi-bin/ntop.sh stop
www is not allowed to run sudo on bsd. This incident will be reported.

# sudo -u www sudo /usr/local/www/cgi-bin/ntop.sh start
www is not allowed to run sudo on bsd. This incident will be reported.

Last edited by cccc; 07-23-2005 at 04:26 PM.
 
Old 07-23-2005, 04:20 PM   #10
keefaz
Senior Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 4,617

Rep: Reputation: 136Reputation: 136
is your hostname named 'bsd' ?
 
Old 07-23-2005, 04:27 PM   #11
cccc
Senior Member
 
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,618

Original Poster
Rep: Reputation: 48
yep
 
Old 07-23-2005, 04:44 PM   #12
keefaz
Senior Member
 
Registered: Mar 2004
Distribution: Slackware
Posts: 4,617

Rep: Reputation: 136Reputation: 136
So try :
Code:
www bsd = NOPASSWD: /usr/local/www/cgi-bin/ntop.sh
 
Old 07-23-2005, 04:48 PM   #13
cccc
Senior Member
 
Registered: Sep 2003
Distribution: Debian Squeeze / Wheezy
Posts: 1,618

Original Poster
Rep: Reputation: 48
thanks,

now it works !
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Run shell script as root automatically elempoimen Linux - Software 8 06-20-2010 02:24 AM
Running a script as root with sudo without entering the user password kloss Linux - General 8 10-10-2005 12:39 PM
Shell Script to check root user? kushalkoolwal Programming 4 09-22-2005 01:15 AM
how do I make sure that the user that is going to run the script is a root user??? nikold01 Linux - General 3 09-10-2004 08:54 AM
Need to run shell script as root kaloyer Programming 4 06-27-2004 10:01 AM


All times are GMT -5. The time now is 01:49 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration