kill works in script from command line but not when invoked by another script
Here's the contents of /etc/sudoers, which I opened in vi in root:
<begin>
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
pi ALL=(ALL) NOPASSWD: ALL
<end>
I don't understand what to add. Is it:
www-data ALL=(root:root) NOPASSWD: ALL
?
Again, I don't have unique names for the programs that I need to STOP and CONT.
Quote:
Originally Posted by NewtownGuy
pi ALL=(ALL) NOPASSWD: ALL
www-data ALL=(root:root) NOPASSWD: ALL
No. Please remove both those lines. The second one gives root access to your whole machine to your web server and anyone who can figure out how to influence or control your web server.
If you need background material for /etc/sudoers, see Michael W Lucas' book sudo: mastery or his presentation sudo: you're doing it wrong, which has both slides and a YouTube video.
In recognition of these security issues, can I allow www-data to run /var/www/cgi-bin/bar.sh and thus everything -- including kills -- in it? If so, would I add this to /etc/sudoers or /etc/sudoers.d/<some_file_name>?
If so, do I have to make any changes to the way I invoke bar.sh in foo.pl?
If not, and I use www-data ALL=(root:root) NOPASSWD: /bin/kill --signal CONT [0-9]*, /bin/kill --signal STOP [0-9]*, in /etc/sudoers or /etc/sudoers.d/<some_file_name> instead, do I have to make any changes in bar.sh to the way I invoke /bin/kill?
BTW, pi ALL=(ALL) NOPASSWD: ALL, is part of the standard distribution. If I remove it, won't pi, the default user, be blocked from using the machine?
Quote:
Originally Posted by NewtownGuy
If so, do I have to make any changes to the way I invoke bar.sh in foo.pl?
If you go that route, then you'll have to invoke bar.sh with sudo from inside foo.pl.
Quote:
Originally Posted by NewtownGuy
If not, and I use www-data ALL=(root:root) NOPASSWD: /bin/kill --signal CONT [0-9]*, /bin/kill --signal STOP [0-9]*, in /etc/sudoers or /etc/sudoers.d/<some_file_name> instead, do I have to make any changes in bar.sh to the way I invoke /bin/kill?
If you go that route, then you'll have to invoke kill with sudo from inside bar.sh.
It is the simpler option.
Quote:
Originally Posted by NewtownGuy
BTW, pi ALL=(ALL) NOPASSWD: ALL, is part of the standard distribution. If I remove it, won't pi, the default user, be blocked from using the machine?
If you have users in the group "sudo" then they can administer the machine if you take away that line. There should be users in that group:
Code:
getent group sudo
If not, just leave the line, but it might be a good idea to say instead:
To explain to others: As root, I ran visudo, which edits /etc/sudoers. I did not need to make a new file in /etc/sudoers.d. I added a line, www-data ALL=(root:root) NOPASSWD: /var/www/cgi-bin/bar.sh, to /etc/sudoers. I decided to control the execution of bar.sh, instead of kill, to minimize the security risks outlined above. I'd rather risk apache somehow running my entire bar.sh script, rather than the fundamental kill command. I added "sudo" to the command passed by system() in my perl script to run bar.sh.
I did not have to reboot the machine for the updated sudoers file to take effect.
Reminds me of .htaccess files in apache that let one override all sorts of stuff...
Quote:
Originally Posted by NewtownGuy
I'd rather risk apache somehow running my entire bar.sh script, rather than the fundamental kill command.
If you're making those kinds of assessments, you are on your way forward!
One fine point that could be added is if you don't want bar.sh to receive any parameters ever from www-data, you could set that in /etc/sudoers using an empty pair of quotes:
Thank you. Good to know about blocking arguments. However, in this case, it is essential that two particular values for a single argument be able to be passed via apache, i.e., via www-data. Is there any way to restrict operation to those two? I'm guessing it's to include two lines, one for each, in /etc/sudoers, although it's overkill in this case since bar.sh checks for those two and rejects everything else.
Good. The script should never trust input passed from the web server.
Tightening down sudoers could be overkill or part of a layered approach or something in the middle. But either way, you'd have to spell out each allowed option:
There is a little flexibility in that /etc/sudoers allows globbing. However, that is not as useful as it sounds, nor is it regex. See "man 7 glob" and "man 5 sudoers".
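As an added example (not from the thread or from either poster): a sudoers drop-in that spells out each permitted argument to bar.sh, shows the empty-quotes form next to it, and notes what the thread's `[0-9]*` glob actually matches. The drop-in file name and the two argument values STOP and CONT are assumptions; the thread never names them.

```sudoers
# Constructed example drop-in, e.g. /etc/sudoers.d/www-data-bar (file name assumed).
# Create it with "visudo -f /etc/sudoers.d/www-data-bar" so the syntax is
# checked before it goes live; files in sudoers.d must be mode 0440, owned by root.
#
# Assumption: bar.sh takes exactly one argument, and the two values it accepts
# are STOP and CONT (the thread does not name them).

# Form 1: no arguments at all. The empty "" after the command means
# www-data may run bar.sh only with an empty command line.
# www-data ALL=(root:root) NOPASSWD: /var/www/cgi-bin/bar.sh ""

# Form 2: each permitted argument spelled out. sudo compares the whole
# argument string, so "bar.sh STOP" and "bar.sh CONT" match, while
# "bar.sh STOP extra" or "bar.sh KILL" are refused before bar.sh ever runs.
Cmnd_Alias BAR_STOP = /var/www/cgi-bin/bar.sh STOP
Cmnd_Alias BAR_CONT = /var/www/cgi-bin/bar.sh CONT
www-data ALL=(root:root) NOPASSWD: BAR_STOP, BAR_CONT

# What the glob in the thread's kill rule really matches: sudoers wildcards
# are fnmatch()-style globs, not regular expressions, and in the argument
# part "*" also matches spaces. So
#   /bin/kill --signal STOP [0-9]*
# accepts "kill --signal STOP 1" but also "kill --signal STOP 1 2 3 4",
# i.e. any number of extra arguments. Spelling out each allowed command
# line, as above, avoids that.

# Two checks worth running after installing the file (as root):
#   visudo -c              # parse /etc/sudoers and everything it includes
#   sudo -l -U www-data    # list exactly what www-data may run
# The script itself must be root-owned and not writable by www-data;
# otherwise the command restriction is undone by editing bar.sh.
```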