LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 07-15-2017, 12:52 PM   #16
NewtownGuy
LQ Newbie
 
Registered: May 2014
Posts: 14

Original Poster
Rep: Reputation: Disabled

Here's the contents of /etc/sudoers, which I opened in vi in root:

<begin>

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
pi ALL=(ALL) NOPASSWD: ALL

<end>

I don't understand what to add. Is it:

www-data ALL=(root:root) NOPASSWD: ALL

?

Again, I don't have unique names for the programs that I need to STOP and CONT.
 
Old 07-15-2017, 01:05 PM   #17
michaelk
Moderator
 
Registered: Aug 2002
Posts: 17,349

Rep: Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232
That would allow www-data to run any command as root.

See Turbocapitalist post below...

Last edited by michaelk; 07-15-2017 at 01:34 PM.
 
Old 07-15-2017, 01:05 PM   #18
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 3,275
Blog Entries: 3

Rep: Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445
Quote:
Originally Posted by NewtownGuy View Post
pi ALL=(ALL) NOPASSWD: ALL
www-data ALL=(root:root) NOPASSWD: ALL
No. Please remove both those lines. The second one gives root access to your whole machine to your web server and anyone who can figure out how to influence or control your web server.

Here is a somewhat sane way:

Code:
www-data ALL=(root:root) NOPASSWD: /bin/kill --signal CONT [0-9]*, /bin/kill --signal STOP [0-9]*
It allows www-data's scripts to call kill. The downside is that it can STOP or CONT any process on the whole machine.

Code:
sudo /bin/kill --signal STOP $pid
sudo /bin/kill --signal CONT $pid
If you need background material for /etc/sudoers, see Michael W Lucas' book sudo: mastery or his presentation sudo: you're doing it wrong which has both slides and a Youtube video.
 
Old 07-15-2017, 01:11 PM   #19
michaelk
Moderator
 
Registered: Aug 2002
Posts: 17,349

Rep: Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232Reputation: 2232
Quote:
pi ALL=(ALL) NOPASSWD: ALL
Similar to Ubuntu raspian creates a default user pi which is the admin and is allowed sudo privileges. Although it looks like the OP enabled root.

Last edited by michaelk; 07-15-2017 at 01:24 PM.
 
Old 07-15-2017, 01:41 PM   #20
NewtownGuy
LQ Newbie
 
Registered: May 2014
Posts: 14

Original Poster
Rep: Reputation: Disabled
Since apache2 runs as user www-data, not as user pi, does that mean I need to add:

www-data ALL=(ALL) NOPASSWD: ALL

to /etc/sudoers so that the kills in my bash script, bar.sh, will run when apache2 runs foo.pl that runs bar.sh ?

If so, do I have to reboot for it to take effect ?
 
Old 07-15-2017, 01:44 PM   #21
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 3,275
Blog Entries: 3

Rep: Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445
Quote:
Originally Posted by NewtownGuy View Post
www-data ALL=(ALL) NOPASSWD: ALL
NO. Please don't do that as doing so would give full control of your machine to your web server.

Please try either the approach michaelk suggested or the one I have suggested. But also see these before making changes to /etc/sudoers

https://www.youtube.com/watch?v=o0purspHg-o

https://www.bsdcan.org/2014/schedule...can%202014.pdf
 
Old 07-15-2017, 02:05 PM   #22
NewtownGuy
LQ Newbie
 
Registered: May 2014
Posts: 14

Original Poster
Rep: Reputation: Disabled
In recognition of these security issues, can I allow www-data to run /var/www/cgi-bin/bar.sh and thus everything -- including kills -- in it ? If so, would I add this to /etc/sudoers or /etc/sudoers.d/<some_file_name> ?

www-data ALL=(root:root) NOPASSWD: /var/www/cgi-bin/bar.sh

If so, do I have to make any changes to the way I invoke bar.sh in foo.pl ?

If not, and I use www-data ALL=(root:root) NOPASSWD: /bin/kill --signal CONT [0-9]*, /bin/kill --signal STOP [0-9]*, in /etc/sudoers or /etc/sudoers.d/<some_file_name> instead, do I have to make any changes in bar.sh to the way I invoke /bin/kill ?

BTW, pi ALL=(ALL) NOPASSWD: ALL, is part of the standard distribution. If I remove it, won't pi, the default user, be blocked from using the machine ?
 
Old 07-15-2017, 02:37 PM   #23
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 3,275
Blog Entries: 3

Rep: Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445
Quote:
Originally Posted by NewtownGuy View Post
In recognition of these security issues, can I allow www-data to run /var/www/cgi-bin/bar.sh and thus everything -- including kills -- in it ?
Yes, that's why it's important to pare down the privileges to the bare miminum. The concept is "least privilege" and related to "privilege separation"

Quote:
Originally Posted by NewtownGuy View Post
If so, would I add this to /etc/sudoers or /etc/sudoers.d/<some_file_name> ?

www-data ALL=(root:root) NOPASSWD: /var/www/cgi-bin/bar.sh

If so, do I have to make any changes to the way I invoke bar.sh in foo.pl ?
If you go that route, then you'll have to invoke bar.sh with sudo from inside foo.pl

Quote:
Originally Posted by NewtownGuy View Post
If not, and I use www-data ALL=(root:root) NOPASSWD: /bin/kill --signal CONT [0-9]*, /bin/kill --signal STOP [0-9]*, in /etc/sudoers or /etc/sudoers.d/<some_file_name> instead, do I have to make any changes in bar.sh to the way I invoke /bin/kill ?
If you go that route, then you'll have to invoke kill with sudo from inside bar.sh
It is the simpler option.

Quote:
Originally Posted by NewtownGuy View Post
BTW, pi ALL=(ALL) NOPASSWD: ALL, is part of the standard distribution. If I remove it, won't pi, the default user, be blocked from using the machine ?
If you have users in the group "sudo" then they can administer the machine if you take away that line. There should be users in that group

Code:
getent group sudo
If not, just leave the line, but it might be a good idea to say instead:

Code:
pi ALL=(ALL) PASSWD: ALL
 
Old 07-15-2017, 04:17 PM   #24
NewtownGuy
LQ Newbie
 
Registered: May 2014
Posts: 14

Original Poster
Rep: Reputation: Disabled
Thumbs Up !

Many thanks, guys. It's working now.

To explain to others: As root, I ran visudo, which edits /etc/sudoers. I did not need to make a new file in /etc/sudoers.d. I added a line, www-data ALL=(root:root) NOPASSWD: /var/www/cgi-bin/bar.sh, to /etc/sudoers. I decided to control the execution of bar.sh, instead of kill, to minimize the security risks outlined above. I'd rather risk apache somehow running my entire bar.sh script, rather than the fundamental kill command. I added "sudo" to the command passed by system() in my perl script to run bar.sh.

I did not have to reboot the machine for the updated sudoers file to take effect.

Reminds me of .htaccess files in apache that let one override all sorts of stuff...

cheers,
 
Old 07-15-2017, 10:47 PM   #25
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 3,275
Blog Entries: 3

Rep: Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445
Quote:
Originally Posted by NewtownGuy View Post
I'd rather risk apache somehow running my entire bar.sh script, rather than the fundamental kill command.
If you're making those kinds of assessments, you are on your way forward!

One fine point that could be added is if you don't want bar.sh to receive any paramaters ever from www-data, you could set that in /etc/sudoers using an empty pair of quotes:

Code:
www-data ALL=(root:root) NOPASSWD: /var/www/cgi-bin/bar.sh ""
 
Old 07-16-2017, 07:23 AM   #26
NewtownGuy
LQ Newbie
 
Registered: May 2014
Posts: 14

Original Poster
Rep: Reputation: Disabled
Thank you. Good to know about blocking arguments. However, in this case, it is essential that two particular values for a single argument be able to be passed via apache, i.e., via www-data. Is there any way to restrict operation to those two ? I'm guessing it's to include two lines, one for each, in /etc/sudoers, although it's overkill in this case since bar.sh checks for those two and rejects everything else.
 
Old 07-16-2017, 08:00 AM   #27
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Ubuntu, Devuan, OpenBSD
Posts: 3,275
Blog Entries: 3

Rep: Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445Reputation: 1445
Good. The script should never trust input passed from the web server.

Tightening down sudoers could be overkill or part of a layered approach or something in the middle. But either way, you'd have to spell out each allowed option:

Code:
www-data ALL=(root:root) NOPASSWD: /var/www/cgi-bin/bar.sh one, /var/www/cgi-bin/bar.sh two, \
        /var/www/cgi-bin/bar.sh three, /var/www/cgi-bin/bar.sh four
There is a little flexibility in that /etc/sudoers allows globbing. However, that is not as useful as it sounds nor is it regex. See "man 7 glob" and "man 5 sudoers"
 
Old 07-16-2017, 08:23 AM   #28
NewtownGuy
LQ Newbie
 
Registered: May 2014
Posts: 14

Original Poster
Rep: Reputation: Disabled
Thank you again.
 
  


Reply

Tags
kill, permissions


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Bash script - command works directly in command line but not in script raoulcousins Linux - Newbie 6 08-21-2013 07:43 PM
[SOLVED] perl script runs fine from command line but fails when invoked by nagios andrest964 Linux - Newbie 7 10-04-2012 09:04 AM
Command works when pasted at command line but not as bash script neild Programming 7 09-23-2012 07:30 AM
works on command line but not in bash script tara Linux - General 7 02-09-2009 03:57 AM
kill the process invoked from a shell script, when the script is killed kskkumar Linux - Software 8 05-23-2007 11:29 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 01:46 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration