LinuxQuestions.org

Linux - Newbie: Another sudoers question (https://www.linuxquestions.org/questions/linux-newbie-8/another-sudoers-question-821503/)

duffsterlp 07-22-2010 09:41 AM

Another sudoers question
 
I know that there have been many sudoers questions on forums and here's another one. I'm trying to write a PHP script that creates a file and changes back ownership to the user of the workstation. The problem I am having is that I can't change ownership from apache to myself. I tried running a system command thinking that because the apache server was the owner of the file, one should be able to change ownership of the file it created. Wrong. A coworker told me that you still needed to log on as root. I didn't want the end user of this script to have to log in as root. The process should be a black box for them. I then tried to alter the sudoers file to allow apache to use chown. This didn't work so I tried to allow apache to do everything ("apache ALL = NOPASSWD: ALL"). That still didn't work. How do I allow apache access to be able to change ownership of a file it created in a PHP script to the user of the workstation? Do I need commands in the sudoers file in addition to the aforementioned one? Here is a simple PHP script that describes what I am doing:

<?php

shell_exec("touch test.txt;chown duffyg test.txt");

?>

After editing the sudoers file, I tried the command 'sudo -u chown duffyg test.txt' in place of the command you see in the script.

Thanks

alli_yas 07-22-2010 10:30 AM

I suspect the syntax of the line you added into /etc/sudoers is wrong.

It should look like:

Code:

apache ALL=(ALL)      NOPASSWD: ALL

With this line, apache should be able to change ownership of the file it created. Remember changing ownership to another user is a super user/administrative privilege, and apache does not have administrative rights over the duffyg account (taken from your post).

The command you should use (once the sudoers file is properly edited) is:

Code:

$ sudo chown duffyg:duffyg test.txt

duffsterlp 07-22-2010 12:21 PM

Thanks for the help Yas.
This did not work. Apache still owns the file after I changed the sudoers file and ran the script...

alli_yas 07-23-2010 01:39 AM

What distro/version are you using?

Have you tried to run the command in my previous post from the terminal (that is, not via your script)?

Also, post the contents of your /etc/sudoers

duffsterlp 07-23-2010 08:00 AM

1 Attachment(s)
Quote:

Originally Posted by alli_yas (Post 4042674)
What distro/version are you using?

RHEL5

Quote:

Originally Posted by alli_yas (Post 4042674)
Have you tried to run the command in my previous post from the terminal (that is not via your script)?

Yes. I couldn't get it to work in the command window because duffyg is not a valid group. I want it to be duffyg:users in the end. Trying sudo chown duffyg:users test.txt logged on as myself did not work because apache has access to the file, I don't. Or, did you mean to run it as apache from the terminal? If that's what you meant, how do I find the password for the apache server?

Quote:

Originally Posted by alli_yas (Post 4042674)
Also, post the contents of your /etc/sudoers

See attached. Here is the script:

PHP Code:

<?php

shell_exec("touch test.txt");
shell_exec("sudo chown duffyg:users test.txt");

?>


chrism01 07-25-2010 03:21 AM

1. Check what user apache is running as: it may be http or www. Run top or check the /etc/passwd file.
2. Amend that line in sudoers to only allow the chown cmd. 'ALL' is extremely dangerous if anyone manages to exploit your apache.
3. If this only needs to run on this one machine, don't specify ALL.

e.g.

Code:

apache <your_system>=(root) NOPASSWD: /bin/chown

root is the default user to RunAs (usually) so you could skip that. Also, always specify the full path, for security.
Incidentally, your sudoers file has a lot of ALL users run ALL cmds everywhere as anyone... are you sure you want that??
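As an added example (not code from the thread or from either poster): even a sudoers rule limited to /bin/chown lets the web server user re-own any file on the box if it is ever compromised, so the usual way to narrow it further is to let apache run only a small root-owned wrapper that accepts one file inside one directory. The script path /usr/local/bin/handoff.sh, the directory /var/www/outbox, and the apache and duffyg:users names are assumptions for the example.

```shell
#!/bin/sh
# handoff.sh: a hypothetical wrapper that the sudoers rule lets apache run
# in place of an unrestricted /bin/chown. The directory, user and group names
# are assumptions taken from the thread (apache, duffyg:users), not a real install.
#
# Matching sudoers line (assumed; replaces "NOPASSWD: ALL" or a bare /bin/chown):
#   apache ALL=(root) NOPASSWD: /usr/local/bin/handoff.sh
# Called from PHP as:
#   shell_exec('sudo /usr/local/bin/handoff.sh ' . escapeshellarg($path));

OUTBOX="${OUTBOX:-/var/www/outbox}"         # only files directly inside this dir may be handed off
REQUIRED_OWNER="${REQUIRED_OWNER:-apache}"  # the file must still belong to the web server user
NEW_OWNER="${NEW_OWNER:-duffyg:users}"      # what the workstation user should end up with

# validate_target FILE -> returns 0 if FILE is safe to hand off, 1 otherwise.
validate_target() {
    f="$1"
    case "$f" in
        "$OUTBOX"/*) ;;                                    # must live under the outbox
        *) echo "refused: $f is outside $OUTBOX" >&2; return 1 ;;
    esac
    case "${f#"$OUTBOX"/}" in                              # no subpaths, no dot entries
        */*|.|..|"") echo "refused: only direct children of $OUTBOX" >&2; return 1 ;;
    esac
    if [ -L "$f" ] || [ ! -f "$f" ]; then                  # reject symlinks and non-regular files
        echo "refused: $f is not a regular file" >&2; return 1
    fi
    owner=$(stat -c %U "$f") || return 1                   # GNU stat, as on RHEL
    if [ "$owner" != "$REQUIRED_OWNER" ]; then
        echo "refused: $f is owned by $owner, not $REQUIRED_OWNER" >&2; return 1
    fi
    return 0
}

# handoff FILE -> chown FILE to NEW_OWNER, but only after it passes validation.
handoff() {
    validate_target "$1" || return 1
    chown "$NEW_OWNER" "$1"
}

if [ $# -eq 1 ]; then
    handoff "$1"
elif [ $# -gt 1 ]; then
    echo "usage: $0 FILE" >&2; exit 2
fi
```

The wrapper must be owned by root and not writable by apache, otherwise the sudoers rule is no tighter than ALL.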

