LinuxQuestions.org
Old 08-20-2011, 05:27 PM   #1
metaf5
LQ Newbie
 
Registered: Aug 2011
Distribution: I'm kind of fond of Crunchbang...
Posts: 19

Rep: Reputation: Disabled
How to edit sudoers to let www-data run my scripts?


So, I have some scripts set up to let PHP running as user www-data administer BIND9, which in this case means copying a backup of a zone file, appending a line to the zone file, and editing the serial number in the zone file. The zone files are owned by root, in group bind, bind is a group with no users and only has read permission on these files. Rather than put www-data in bind, and give the group write access to the files, I'm editing /etc/sudoers to allow www-data to sudo things.

At the moment, everything does work, but I've set it to:
www-data ALL=(ALL) NOPASSWD: ALL

which probably isn't appropriate for long term use.

So, what do I need to put to allow it to run only my scripts? Essentially it only needs to run /usr/local/mine/updatedns.sh, but there are commands inside that, and an awk script that runs stored in a separate file. So what commands do I need to allow, /path/to/my script, or all the commands my script uses?

Sorry if I'm in the wrong area for this question or anything...
 
Old 08-20-2011, 07:17 PM   #2
andrewthomas
Senior Member
 
Registered: May 2010
Location: Chicago Metro
Distribution: Arch, Gentoo, Slackware
Posts: 1,690

Rep: Reputation: 308
Quote:
Originally Posted by metaf5
So what commands do I need to allow, /path/to/my script, or all the commands my script uses?
All of the commands that need to run as root need to be allowed.
 
Old 08-20-2011, 07:52 PM   #3
metaf5
LQ Newbie
 
Registered: Aug 2011
Distribution: I'm kind of fond of Crunchbang...
Posts: 19

Original Poster
Rep: Reputation: Disabled
So, I'm sudo-ing the scripts I'm running (I run sudo sh /path/to/script), so that means /bin/sh needs to be allowed? Is this a security issue? It seems like if www-data is compromised, anyone could just write a script and run it to do whatever they need to.
 
Old 08-21-2011, 08:15 PM   #4
jv2112
Member
 
Registered: Jan 2009
Location: New England
Distribution: Arch Linux
Posts: 719

Rep: Reputation: 103
If you are automating through cron, can't you just add it to root's crontab? This way you just need to set it up once and not add any more permissions to anyone else.
 
Old 08-21-2011, 08:33 PM   #5
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,362

Rep: Reputation: 2377
You only need to allow root-owned cmds that are NOT accessible to a non-root user; /bin/sh is accessible to a std user...
 
Old 08-22-2011, 07:32 AM   #6
choogendyk
Senior Member
 
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,191

Rep: Reputation: 105
Someone I know uses `sudo /bin/bash` just so that they don't then need to continue using sudo. They essentially become the root user under that bash instance. I think it is a security infraction, because it sidesteps the logging that is inherent in sudo (the logs only show that user running bash, not what they did after that).

Anything you allow php to do as root coming in on web access is potentially a security issue. You should review the details of what you are doing with that in mind and lock it down as much as possible. In particular, the use of ALL and ALL for www-data in sudoers is essentially equivalent to putting the web browser into the admin group. Bad.

For starters, I would make the sudoers only allow www-data to execute the exact script that you want it to run. Then I would make sure that it does not have write access to that script. Otherwise a compromise of the web browser would allow someone to write something else into that script and then execute it as root.
 
Old 08-22-2011, 08:28 AM   #7
SL00b
Member
 
Registered: Feb 2011
Location: LA, US
Distribution: SLES
Posts: 375

Rep: Reputation: 112
Allow www-data to execute updatedns.sh as root, done.

www-data ALL = NOPASSWD:/usr/local/mine/updatedns.sh

Once the script updatedns starts running under root's authority, all the subcommands will also run under root.
 
2 members found this post helpful.
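An added example, not from the thread or from any of its posters: a small audit that parses the two sudoers rules quoted above (the `NOPASSWD: ALL` rule from post #1 and the single-script rule from post #7), flags the unrestricted one and the "just allow /bin/sh" variant asked about in post #3, and then checks the two conditions post #6 asks for on the granted script: root ownership and no write access for anyone else (plus a world-writable parent directory, which would let the file be swapped out). The sudoers parser is deliberately simplified (no aliases, no `#include`), and the script checked in the demo is a constructed stand-in for /usr/local/mine/updatedns.sh created in a private temporary directory.

```python
"""Audit a sudoers user-specification line and the command it grants.

Added example for the thread above, not code from LinuxQuestions or its
posters. The parser below handles plain rules only (no aliases, no
#include); the demo file stands in for /usr/local/mine/updatedns.sh.
"""
import os
import re
import stat
import tempfile

# Rules quoted in the thread: the weak one (post #1) and the restricted one (post #7).
WEAK_RULE = "www-data ALL=(ALL) NOPASSWD: ALL"
RESTRICTED_RULE = "www-data ALL = NOPASSWD:/usr/local/mine/updatedns.sh"

# Shape of a rule:  user  host = (runas)  TAG: command, TAG: command, ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")          # NOPASSWD:, NOEXEC:, ...
INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh", "python", "perl"}
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_rule(line):
    """Parse one rule line; None for comments, blank lines and Defaults/alias lines."""
    line = line.split("#", 1)[0].strip()           # drop comments (simplified)
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unrecognised sudoers rule: %r" % line)
    cmds = []
    for spec in m.group("cmds").split(","):
        spec = spec.strip()
        tags = []
        tag_match = TAG_RE.match(spec)
        if tag_match:
            tags = [t for t in tag_match.group(0).replace(" ", "").split(":") if t]
            spec = spec[tag_match.end():].strip()
        cmds.append({"tags": tags, "cmd": spec})
    # With no (runas) list, sudo runs the command as root.
    return {"user": m.group("user"), "host": m.group("host"),
            "runas": m.group("runas") or "root", "cmds": cmds}


def audit_rule(rule):
    """Return findings for a parsed rule; an empty list means nothing was flagged."""
    findings = []
    for entry in rule["cmds"]:
        cmd = entry["cmd"]
        if cmd == "ALL":
            findings.append("command list is ALL: unrestricted root for %s" % rule["user"])
            continue
        exe = cmd.split()[0]                        # arguments may follow the path
        if not exe.startswith("/"):
            findings.append("command %r is not an absolute path" % exe)
        if os.path.basename(exe) in INTERPRETERS:
            findings.append("grants an interpreter (%s), equivalent to ALL" % exe)
    return findings


def check_command_file(path, root_uid=0):
    """Issues with the granted command file: ownership, write bits, parent directory."""
    try:
        st = os.stat(path)
    except OSError:
        return ["%s does not exist" % path]
    issues = []
    if st.st_uid != root_uid:
        issues.append("not owned by root (uid %d)" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        issues.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        issues.append("world-writable")
    parent = os.stat(os.path.dirname(path) or ".")
    # A world-writable directory without the sticky bit lets anyone replace the file.
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        issues.append("parent directory is world-writable")
    return issues


def make_demo_script(mode):
    """Constructed stand-in for updatedns.sh, written into a fresh 0700 temp dir."""
    path = os.path.join(tempfile.mkdtemp(), "updatedns.sh")
    with open(path, "w") as f:
        f.write("#!/bin/sh\necho 'zone update placeholder'\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for line in (WEAK_RULE, RESTRICTED_RULE, "www-data ALL=(ALL) NOPASSWD: /bin/sh"):
        print(line, "->", audit_rule(parse_rule(line)) or "ok")
    for mode in (0o777, 0o755):
        script = make_demo_script(mode)
        print("%s (%o) ->" % (script, mode), check_command_file(script) or "ok")
```

Run as an unprivileged user the file check still reports "not owned by root" for the demo file, which is the point: the rule is only as tight as the ownership and mode of the script it names.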