LinuxQuestions.org
Old 04-17-2022, 10:07 PM   #31
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,700

Rep: Reputation: 5895

PHP Code:
session_start();
error_reporting(-1);              // report every error
ini_set('display_errors', '1');   // show errors in the page output

exec('sudo reboot', $r, $e);      // $r: output lines, $e: exit status
print_r($e);
Code:
exec('sudo reboot', $r, $e);
Again, YOU NEED TO ADD sudo TO THE exec COMMAND.
 
Old 04-17-2022, 10:15 PM   #32
Colombia
Member
 
Registered: Oct 2021
Posts: 72

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk View Post
...Again, YOU NEED TO ADD sudo TO THE exec COMMAND.
master again: the result is the same:
Code:
1
 
Old 04-18-2022, 11:57 AM   #33
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,700

Rep: Reputation: 5895
Have you ever checked /var/log/httpd/error.log for errors?

Instead of 'sudo reboot' try
Code:
exec('sudo systemctl reboot -i', $r, $e);
 
Old 04-18-2022, 12:37 PM   #34
Colombia
Member
 
Registered: Oct 2021
Posts: 72

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk View Post
...try
Code:
exec('sudo systemctl reboot -i', $r, $e);
thanks, same result: 1
about apache LOG bingo!, new info (but I do not understand):
Code:
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
sh: /sys/class/gpio/gpio18/direction: Permission denied

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
sh: /sys/class/gpio/gpio18/direction: Permission denied

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
What can I do?
 
Old 04-18-2022, 02:15 PM   #35
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,700

Rep: Reputation: 5895
Quote:
sh: /sys/class/gpio/gpio18/direction: Permission denied
You can try adding the apache user to the gpio group.

I do not know the difference between CentOS running on a Pi and a regular desktop. Make sure the file in the /etc/sudoers.d directory has permission 0440.
 
Old 04-18-2022, 02:57 PM   #36
Colombia
Member
 
Registered: Oct 2021
Posts: 72

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk View Post
You can try adding the apache user to the gpio group.
thanks.

master this is ALL my groups:
Code:
[root@localhost ~]# cat /etc/group | cut -d: -f1 | sort
adm
apache
audio
bin
cdrom
chrony
daemon
dbus
dialout
disk
floppy
ftp
games
input
kmem
lock
lp
mail
man
mem
mysql
nobody
polkitd
postdrop
postfix
root
sshd
ssh_keys
sys
systemd-journal
systemd-network
tape
tty
users
utempter
utmp
video
wheel
[root@localhost ~]#
 
Old 04-18-2022, 05:49 PM   #37
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,700

Rep: Reputation: 5895
Code:
exec('sudo -n systemctl reboot -i', $r, $e);
You can try the non-interactive option -n but it's just a guess.

I've seen one thread where the OP created the gpio group and added their user but I don't know if this will work.
What groups does your regular user belong to?
 
Old 04-18-2022, 05:57 PM   #38
Colombia
Member
 
Registered: Oct 2021
Posts: 72

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk View Post
...What groups does your regular user belong?
because ALL IS WLAN, all this is root.

Then ALL WORKS fine from CONSOLE, but I need to run the commands from the browser.
 
Old 04-18-2022, 06:08 PM   #39
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,634

Rep: Reputation: 7965
Quote:
Originally Posted by Colombia View Post
because ALL IS WLAN, all this is root. Then ALL WORK fine from CONSOLE, but I need run the commands from browser.
You obviously have SUDO set up to ask for a password. And did you actually read the error message and try to look it up??
Code:
sudo: no tty present and no askpass program specified
Sudo will have problems when there isn't a TTY. You need to tell sudoers to not require a tty for sudo, and limit what apache can do as sudo:
Code:
apache !requiretty ALL=(root) NOPASSWD: /sbin/reboot
Then your PHP code ("exec('sudo /sbin/reboot');" )
...will work.

Beyond that, you are doing a *HUGELY BAD THING* by doing this. The number of attack vectors you are opening up on your system is enormous, for no really good reason. There are LOADS of ways to do what you're after that are far better. And if all you want to do is reboot the machine over the network, why on earth aren't you using SNMP???
 
Old 04-18-2022, 07:03 PM   #40
computersavvy
Senior Member
 
Registered: Aug 2016
Posts: 3,345

Rep: Reputation: 1484
Essentially you are trying to run a cgi command with that php script.
Is your system (web server) set up to allow cgi scripts to execute from the directory where that file is located? Is it also set up to allow commands with root permissions to execute from that directory?

I think this may have no bearing on the php script, but may instead be a feature of security built into the web server to protect the system from potential hackers. We would need to look at this type of security to see if executing a command as root from the web page is even possible. I know that script execution is restricted except as specifically authorized and even then scripts are limited.

One workaround may be to have that script write to a specific file (which would only require the normal user permissions for the apache user), then have something such as a cron job that frequently checks if the file exists. If it does then delete the file & reboot and if not do nothing.
 
1 members found this post helpful.
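The root-side half of the flag-file workaround from post #40, as an added example that is not part of any post in this thread. The flag path, the `WEB_USER` and `REBOOT_CMD` variables and the install path in the crontab comment are assumptions; the flag directory should be writable only by root and the apache user.

```shell
#!/bin/sh
# Added example: root-side half of the flag-file workaround.
# Assumed names (not from the thread): flag path, WEB_USER, REBOOT_CMD.
FLAG="${FLAG:-/var/spool/reboot-request/flag}"
WEB_USER="${WEB_USER:-apache}"            # account the PHP script runs as
REBOOT_CMD="${REBOOT_CMD:-/sbin/reboot}"  # override for dry runs

# True only for a regular file owned by the web user. find does not follow
# symlinks by default, so a symlink planted at the flag path is rejected.
flag_is_valid() {
    [ -n "$(find "$1" -maxdepth 0 -type f -user "$2" 2>/dev/null)" ]
}

# Consume the flag, then reboot. The flag's content is never read, so the
# web side can only request this one fixed action.
check_reboot_request() {
    flag_is_valid "$FLAG" "$WEB_USER" || return 1
    rm -f -- "$FLAG" || return 1   # delete first, so the request cannot repeat after boot
    $REBOOT_CMD
}

# root crontab entry (assumed install path):
#   * * * * * /usr/local/sbin/reboot-request.sh --run
if [ "${1:-}" = "--run" ]; then
    check_reboot_request || exit 0
fi
```

With this in place the apache user needs no sudoers entry at all for the reboot.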
Old 04-18-2022, 07:45 PM   #41
Colombia
Member
 
Registered: Oct 2021
Posts: 72

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne View Post
...
Code:
apache !requiretty ALL=(root) NOPASSWD: /sbin/reboot
Then your PHP code ("exec('sudo /sbin/reboot');" )
...will work.
thanks master.

When I try to save the file with TWO options:

1// the same THREE columns but ADD the text "!requiretty":
Code:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
pp      ALL=(ALL)       NOPASSWD:ALL
apache  !requiretty ALL=(ALL)       NOPASSWD:ALL
php     ALL=(ALL)       NOPASSWD:ALL
2// FOUR columns:
Code:
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
pp      ALL=(ALL)       NOPASSWD:ALL
apache  !requiretty     ALL=(ALL)       NOPASSWD:ALL
php     ALL=(ALL)       NOPASSWD:ALL
in both cases when I try to save the file the result is:
Code:
[root@localhost ~]# visudo
>>> /etc/sudoers: syntax error near line 102 <<<
What now? cat /var/log/httpd/error.log
Options are:
  (e)dit sudoers file again
  e(x)it without saving changes to sudoers file
  (Q)uit and save changes to sudoers file (DANGER!)

What now? e
>>> /etc/sudoers: syntax error near line 102 <<<
What now?
What can I do?

Last edited by Colombia; 04-18-2022 at 07:46 PM.
 
Old 04-18-2022, 07:53 PM   #42
Colombia
Member
 
Registered: Oct 2021
Posts: 72

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by computersavvy View Post
... Is your system (web server) set up to allow cgi scripts to execute from the directory where that file is located?...
thanks,
I add the user (apache) to /etc/sudoers using visudo:
Code:
## Allow root to run any commands anywhere 
root	ALL=(ALL) 	ALL
pp	ALL=(ALL)	NOPASSWD:ALL
apache	ALL=(ALL)	NOPASSWD:ALL
php	ALL=(ALL)	NOPASSWD:ALL
because the command
PHP Code:
$Q = exec($c, $r, $e);
print_r($Q);
returns "apache" and code error ($e) = 0
 
Old 04-18-2022, 07:53 PM   #43
computersavvy
Senior Member
 
Registered: Aug 2016
Posts: 3,345

Rep: Reputation: 1484
Did you read this
Code:
apache !requiretty ALL=(root) NOPASSWD: /sbin/reboot
which was posted in #39 above?

This is definitely different than what you are trying to put into that sudoers file and will limit the apache user to only that one command.
 
Old 04-18-2022, 08:21 PM   #44
Colombia
Member
 
Registered: Oct 2021
Posts: 72

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by computersavvy View Post
... This is definitely different than what you are trying to put into that sudoers file...
I need OTHER commands for the same user...
 
Old 04-18-2022, 08:33 PM   #45
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,700

Rep: Reputation: 5895
Try:

Code:
apache	ALL=(ALL)	NOPASSWD:ALL
Defaults:apache        !requiretty
You can add a line for each command or multiple commands separated by a comma
Code:
apache ALL=(root) NOPASSWD: /sbin/reboot, /other/command
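A small audit for the sudoers rules discussed in this thread, as an added example that is not part of any post: it flags service-account rules that grant `NOPASSWD` for `ALL` commands and rules whose second field is not a host specification (the `!requiretty` placement that visudo rejected). The function names and the sample file are constructed for illustration, and the check is line-based: it assumes one rule per line written as `host=(runas)` without spaces, and no aliases.

```shell
#!/bin/sh
# Added example: flag risky or malformed sudoers rules for service accounts.
# Simplified line-based check: one rule per line, no aliases or continuations.

# Constructed sample, assembled from the rules quoted in this thread.
sample_sudoers() {
    cat <<'EOF'
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
pp      ALL=(ALL)       NOPASSWD:ALL
apache  !requiretty ALL=(ALL)       NOPASSWD:ALL
php     ALL=(ALL)       NOPASSWD:ALL
apache ALL=(root) NOPASSWD: /sbin/reboot, /other/command
Defaults:apache        !requiretty
EOF
}

# Usage: audit_sudoers FILE USER...
# Prints LINE:USER:REASON for each flagged rule of a listed account.
audit_sudoers() {
    file=$1; shift
    awk -v users="$*" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) watch[u[i]] = 1 }
        /^[ \t]*(#|$)/  { next }      # comments and blank lines
        !($1 in watch)  { next }      # other accounts, Defaults lines
        $2 !~ /=/       { print NR ":" $1 ":bad-syntax"; next }  # field 2 must be host=...
        {
            cmds = $0
            sub(/^[^=]*=[ \t]*(\([^)]*\))?[ \t]*/, "", cmds)  # strip "user host=(runas)"
            if (cmds ~ /NOPASSWD:[ \t]*ALL[ \t]*(,|$)/)
                print NR ":" $1 ":nopasswd-all"
        }
    ' "$file"
}
```

`visudo -cf FILE` remains the authoritative syntax check; this adds a policy check on top of it, for example `audit_sudoers /etc/sudoers apache php`.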
 
  

