LinuxQuestions.org
Old 07-22-2010, 09:41 AM   #1
duffsterlp
LQ Newbie
 
Registered: Jul 2010
Posts: 8

Rep: Reputation: 0
Another sudoers question


I know that there have been many sudoers questions on forums and here's another one. I'm trying to write a PHP script that creates a file and changes back ownership to the user of the workstation. The problem I am having is that I can't change ownership from apache to myself. I tried running a system command thinking that because the apache server was the owner of the file, one should be able to change ownership of the file it created. Wrong. A coworker told me that you still needed to log on as root. I didn't want the end user of this script to have to log in as root. The process should be a black box for them. I then tried to alter the sudoers file to allow apache to use chown. This didn't work so I tried to allow apache to do everything ("apache ALL = NOPASSWD: ALL"). That still didn't work. How do I allow apache access to be able to change ownership of a file it created in a PHP script to the user of the workstation? Do I need commands in the sudoers file in addition to the aforementioned one? Here is a simple PHP script that describes what I am doing:

<?php

shell_exec("touch test.txt;chown duffyg test.txt");

?>

After editing the sudoers file, I tried the command 'sudo -u chown duffyg test.txt' in place of the command you see in the script.

Thanks
 
Old 07-22-2010, 10:30 AM   #2
alli_yas
Member
 
Registered: Apr 2010
Location: Johannesburg
Distribution: Fedora 14, RHEL 5.5, CentOS 5.5, Ubuntu 10.04
Posts: 559

Rep: Reputation: 91
I suspect the syntax of the line you added into /etc/sudoers is wrong.

It should look like:

Code:
apache ALL=(ALL)       NOPASSWD: ALL
With this line, apache should be able to change ownership of the file it created. Remember changing ownership to another user is a super user/administrative privilege, since apache does not have administrative rights over the duffyg account (taken from your post).

The command you should use (once the sudoers file is properly edited) is:

Code:
$ sudo chown duffyg:duffyg test.txt
 
Old 07-22-2010, 12:21 PM   #3
duffsterlp
LQ Newbie
 
Registered: Jul 2010
Posts: 8

Original Poster
Rep: Reputation: 0
Thanks for the help Yas.
This did not work. Apache still owns the file after I changed the sudoers file and ran the script...
 
Old 07-23-2010, 01:39 AM   #4
alli_yas
Member
 
Registered: Apr 2010
Location: Johannesburg
Distribution: Fedora 14, RHEL 5.5, CentOS 5.5, Ubuntu 10.04
Posts: 559

Rep: Reputation: 91
What distro/version are you using?

Have you tried to run the command in my previous post from the terminal (that is not via your script)?

Also, post the contents of your /etc/sudoers
 
Old 07-23-2010, 08:00 AM   #5
duffsterlp
LQ Newbie
 
Registered: Jul 2010
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by alli_yas View Post
What distro/version are you using?
RHEL5

Quote:
Originally Posted by alli_yas View Post
Have you tried to run the command in my previous post from the terminal (that is not via your script)?
Yes. I couldn't get it to work in the command window because duffyg is not a valid group. I want it to be duffyg:users in the end. Trying sudo chown duffyg:users test.txt logged on as myself did not work because apache has access to the file, I don't. Or did you mean to run it as apache from the terminal? If that's what you meant, how do I find the password for the apache server?

Quote:
Originally Posted by alli_yas View Post
Also, post the contents of your /etc/sudoers
See attached. Here is the script:

PHP Code:
<?php

shell_exec("touch test.txt");
shell_exec("sudo chown duffyg:users test.txt");

?>
Attached Files
File Type: txt sudoers.txt (3.3 KB, 3 views)
 
Old 07-25-2010, 03:21 AM   #6
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,261

Rep: Reputation: 2028
1. check what user apache is running as: it may be http or www. Run top or check the /etc/passwd file
2. amend that line in sudoers to only allow the chown cmd. 'ALL' is extremely dangerous if anyone manages to exploit your apache.
3. If this only needs to run on this one machine, don't specify ALL

eg

Code:
apache <your_system>=(root) NOPASSWD: /bin/chown
root is the default user to RunAs (usually) so you could skip that. Also, always specify the full path, for security.
Incidentally, your sudoers file has a lot of ALL users run ALL cmds everywhere as anyone... are you sure you want that??
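
Added example, not part of the original thread: a sudoers rule for bare /bin/chown still lets the web server account give any file on the system to any user, so one way to narrow it further is to allow a single root-owned wrapper that fixes the directory, the current owner and the new owner. The wrapper path /usr/local/sbin/handover, the directory /var/www/html/out and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: hypothetical root-owned wrapper (say /usr/local/sbin/handover).
# Assumed sudoers rule, in the form shown above:
#   apache <your_system>=(root) NOPASSWD: /usr/local/sbin/handover
# PHP would then call: sudo /usr/local/sbin/handover test.txt

OUT_DIR=/var/www/html/out      # assumed: the only directory the script writes to
FROM_USER=apache               # web server account (verify as in step 1)
TO_OWNER=duffyg:users          # fixed target, never taken from the caller

# check_target DIR OWNER NAME -> 0 only if NAME is a bare file name that
# refers to a regular file (not a symlink) in DIR owned by OWNER.
check_target() {
    case "$3" in
        ""|*/*|.*|-*) return 1 ;;          # no paths, dotfiles or options
    esac
    # find does not follow symlinks by default, so -type f rejects them
    [ -n "$(find "$1/$3" -prune -type f -user "$2" 2>/dev/null)" ]
}

handover() {
    check_target "$OUT_DIR" "$FROM_USER" "$1" || {
        echo "handover: refusing '$1'" >&2
        return 1
    }
    # -h: if the file is swapped for a symlink after the check, change the
    # link itself rather than whatever it points to
    /bin/chown -h "$TO_OWNER" "$OUT_DIR/$1"
}

# Act only when called with exactly one argument
if [ "$#" -eq 1 ]; then
    handover "$1"
fi
```

Install the wrapper owned by root and not writable by apache, and check the sudoers edit with visudo -c before relying on it.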
 
All times are GMT -5. The time now is 06:54 AM.