LinuxQuestions.org


zeeple 12-04-2008 10:35 AM

Help with sudo and sudoers
 
My understanding of sudo is that it is used to allow you to perform a task as if you were the root user. So a file like this one:

-rw-r--r-- 1 root root 20 Dec 3 18:27 /etc/resolv.conf

which has rw permissions for root only, if I wanted to modify that file I would need to do something like:

$ sudo echo 'nameserver 10.0.0.1' > resolv.conf

After which I would be prompted for my creds and I would be allowed to overwrite the file even though my user has no explicit permissions to do so.

Similarly, if I want to be able to do this non-interactively, say in a php script through apache, I need to have a line similar to this one in the sudoers file:

apache ALL= NOPASSWD: /usr/sbin/netconfig, /bin/rm, /sbin/service, /bin/echo

This is my understanding anyway. The problem I am running into is that my php script is not working for the echo command. However, there are two undesirable workarounds I can do to make it work:

1. chown apache.apache /etc/resolv.conf

2. chmod 666 /etc/resolv.conf

I don't like either solution, even though I have tested them both and they do indeed mitigate the problem I am having. I would rather get the sudo command working as it should. Does anyone here have any suggestions?

stress_junkie 12-04-2008 09:41 PM

IMO the traditional Unix way to do this would be to change the group ownership of the file to apache leaving the user ownership as root. There is absolutely nothing wrong with this solution. Also, it is much better than setting NOPASSWD on any user account in the sudoers file. I agree that changing the permissions to 666 is not acceptable.
Code:

chgrp apache /etc/resolv.conf

zeeple 12-06-2008 11:51 AM

Thanks for the tip, that's a very good way to go about it. What I decided to do in the end was rearrange the command that modifies the file. What I was doing was trying to sudo echo, which is clearly wrong since that is not a command that is restricted to root. Anyone can echo. However, my thinking was that if I echoed as root I'd be able to modify the file. This wasn't working so I did this instead, at the advice of someone over at the Ubuntu forums:

echo 'nameserver 10.0.0.1' | sudo tee /etc/resolv.conf

I like your idea of changing the group ownership though.
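
Added example, not part of the thread: in `sudo echo ... > file` the `>` redirection is opened by the calling (unprivileged) shell before sudo runs, which is why piping into `sudo tee` works; a NOPASSWD rule for general tools such as /bin/rm, /bin/echo or tee, however, lets the apache account run them as root with any arguments. A narrower option is one root-owned wrapper that validates the address and writes only /etc/resolv.conf. The wrapper name, its install path and the sudoers line in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical wrapper (name and path are assumptions), installed root-owned
# and not writable by apache, e.g. /usr/local/sbin/set-nameserver, with:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/set-nameserver
# The PHP script then runs: sudo /usr/local/sbin/set-nameserver 10.0.0.1

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
# The body is a subshell, so the IFS change does not leak to the caller.
valid_ipv4() (
    case "$1" in
        ''|.*|*.|*[!0-9.]*) exit 1 ;;   # empty, edge dots, or other characters
    esac
    IFS=.
    set -- $1                           # split on dots (input is digits/dots only)
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        case "$octet" in ''|????*) exit 1 ;; esac   # empty or over 3 digits
        [ "$octet" -le 255 ] || exit 1
    done
)

# set_nameserver ADDR [FILE]: validate ADDR, then replace FILE in one rename.
# FILE defaults to /etc/resolv.conf; the second argument exists only so the
# function can be tried on a scratch file and is never taken from the caller.
set_nameserver() {
    addr=$1
    target=${2:-/etc/resolv.conf}
    valid_ipv4 "$addr" || { echo "invalid address: $addr" >&2; return 2; }
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    printf 'nameserver %s\n' "$addr" > "$tmp" &&
        chmod 644 "$tmp" &&
        mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }
}

# Entry point: exactly one argument, and only the address is passed on, so
# the sudoers rule cannot be used to write any file other than resolv.conf.
if [ "$#" -eq 1 ]; then
    set_nameserver "$1"
fi
```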

