Running a process as apache, change to root ?
Hello,
I have an SVN server that should, with the post-commit script, log into our dev server via ssh and update the folders containing the websites. However, because the post-commit script runs as 'apache', it has no rights to run the ssh command. Can someone help me with this? It would be greatly appreciated. Thanks in advance. |
You said "websites" plural, and that scares me.
If you have client websites running cgi scripts as the user apache then what I am about to suggest is probably a Bad idea. But if you use suexec and each website runs their cgi scripts as their own user then this will work safely. visudo and add the line:
Code:
apache ALL=(root) NOPASSWD: /usr/bin/ssh
It would probably be better to find out why the user apache can't run ssh. If the user needs to be in a certain group, then discover that and place apache in that group. Again, I would be careful giving rights to the user apache if there are other users running cgi as the user apache. |
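An added example, not part of the original thread: a small Python check that scans sudoers text for the kind of rule suggested above, where a web-service account gets a passwordless root rule for a command with no argument restriction. The `SERVICE_USERS` set, the function name and the sample sudoers content are assumptions constructed for this example.

```python
import re

# Assumption for this example: accounts that execute web-facing code on the host.
SERVICE_USERS = {"apache", "www-data", "nginx", "nobody"}

# user host = (runas) TAG: TAG: command[, command...]
RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Constructed sample sudoers content (not taken from any real host).
SAMPLE = """\
# constructed sample
Defaults    requiretty
root    ALL=(ALL)       ALL
apache ALL=(root) NOPASSWD: /usr/bin/ssh
apache ALL=(deploy) NOPASSWD: /usr/bin/svn update /var/www/site
deploy ALL=(root) NOPASSWD: /usr/bin/ssh
"""

def audit_sudoers(text, service_users=SERVICE_USERS):
    """Return (line_no, user, command, reason) for passwordless root rules
    that hand a service account a command with no argument restriction."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Simplification: skip comments, Defaults and alias definitions;
        # line continuations and per-command tags are not handled.
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
            continue
        m = RULE.match(line)
        if not m or m["user"] not in service_users or "NOPASSWD:" not in m["tags"]:
            continue
        # An omitted run-as list means root; "ALL" includes root.
        runas_users = (m["runas"] or "root").split(":")[0].split(",")
        if not {"root", "ALL"} & {u.strip() for u in runas_users}:
            continue
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if cmd == "ALL":
                findings.append((line_no, m["user"], cmd, "any command"))
            elif " " not in cmd:
                # Bare path: the caller chooses every argument and option.
                findings.append((line_no, m["user"], cmd, "no argument restriction"))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

Only the rule on line 4 of the sample is reported: the `(deploy)` rule does not run as root and pins its arguments, and the `deploy` user is not in the service-account set.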
I hope you sanitize your inputs (web form etc) ! :p
|
Why the need to run ssh as root anyway, is there any theory behind this ?
|
Quote:
If you are going to help, then help, otherwise... |
Quote:
ssh is a program for logging into a remote machine, it is like ftp but with an encrypted connection... It requires no root privileges to use it
Quote:
And any file I copy with ssh will belong to the remote user... Anyway, in the end rbalaa succeeded in using ssh without using sudo (= without having root privileges), so the issue is elsewhere |
My first commercial Linux system was RedHat Mothers Day, If you don't want me here that's fine.
|
Still not working. Don't ask me why, but it worked for some time, and now it's back. Anyhow, you are right, I should have explained the setup better. Yes, I wanted to SSH so that I can update our live server. Now after many frustrated hours, I decided to have both SVN and our live server on the same box.
I found a debug script online and this is what I get when post-commit runs:
/svndata/live 95
uid=48(apache) gid=48(apache) groups=0(root),48(apache)
PWD=/
SHLVL=1
_=/bin/env
As opposed to when I run it manually, I get:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
HOSTNAME=msrv01
SHELL=/bin/bash
TERM=xterm-256color
HISTSIZE=1000
SSH_CLIENT=<ipadress>
SSH_TTY=/dev/pts/1
USER=root
LS_COLORS=
PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/scripts
MAIL=/var/spool/mail/root
PWD=/svndata/live/hooks
INPUTRC=/etc/inputrc
LANG=en_US.UTF-8
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
HOME=/root
SHLVL=2
LOGNAME=root
SSH_CONNECTION=<ipaddress>
LESSOPEN=|/usr/bin/lesspipe.sh %s
G_BROKEN_FILENAMES=1
_=/bin/env
The debug code is:
date >> /tmp/debug.txt
echo "$@" >> /tmp/debug.txt
id >> /tmp/debug.txt
env >> /tmp/debug.txt
Please help. Thank you. |
Well, mark it as solved. The reason my connection kept breaking is because I never once listed my SVN repo from the local server (where svn is located). Soon as I did that, it asked me to accept (p). So I did and now it works. I also forgot to mention that the SVN server is running with HTTPS.
Thanks All. |