LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Ubuntu (https://www.linuxquestions.org/questions/ubuntu-63/)
-   -   Running a single command/script as root user through Apache/PHP (https://www.linuxquestions.org/questions/ubuntu-63/running-a-single-command-script-as-root-user-through-apache-php-927835/)

nonshatter 02-05-2012 11:38 PM
Running a single command/script as root user through Apache/PHP
 
Hello

I have a requirement to execute a python script as root user through the browser.

I have a PHP web script which I want to shell out of and call a python script (The python script utilizes the selenium firefox web driver to capture automated screenshots). The python script needs to be run under the root environment.

I know it's not recommended to give root access to www-data, but it is the only way I can see that this will work.

The PHP call I am using is shell_exec, then I am trying to pipe a password through so it can be run as root:

PHP Code:
shell_exec("echo 'root_password' | sudo -u root -S python /usr/sbin/webdriver 'arg1' 'arg2'"); 
Is there a way to allow www-data to run the script as root? Preferably I would only like to give Apache root access to this one command, so that I'm not left with a completely vulnerable system - I have heard that the sudoers file can be edited to permit www-data to run certain commands as root? Bare in mind that the python script may invoke several other processes such as firefox, Xvfb etc.

Code:
www-data ALL=(ALL) NOPASSWD: executable_full_path
In this example, would the executable_full_path be the path to python? Or the path to my python script?

Nb: I have the default visudo config for Ubuntu 10.04.01 LTS:

Code:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL

# Allow members of group sudo to execute any command after they have
# provided their password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
~
~
Thanks and Regards,
ns

nonshatter 02-06-2012 12:34 AM
I have managed to get it working!

By editing the sudoers file, I have given www-data root permissions to run the python script:

Code:
# User alias specification
www-data ALL = NOPASSWD: /usr/bin/python,/usr/sbin/webdriver
I am not sure if I need both the path to python and the webdriver script, or if I can remove one of them. Nevertheless, it works and I'm happy.

Cheers,
ns


All times are GMT -5. The time now is 04:08 AM.