Old 07-15-2017, 12:52 PM   #16
NewtownGuy
Here's the contents of /etc/sudoers, which I opened in vi as root:

<begin>

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
pi ALL=(ALL) NOPASSWD: ALL

<end>

I don't understand what to add. Is it:

www-data ALL=(root:root) NOPASSWD: ALL

?

Again, I don't have unique names for the programs that I need to STOP and CONT.
 
Old 07-15-2017, 01:05 PM   #17
michaelk
That would allow www-data to run any command as root.

See Turbocapitalist post below...

Last edited by michaelk; 07-15-2017 at 01:34 PM.
 
Old 07-15-2017, 01:05 PM   #18
Turbocapitalist
Quote:
Originally Posted by NewtownGuy View Post
pi ALL=(ALL) NOPASSWD: ALL
www-data ALL=(root:root) NOPASSWD: ALL
No. Please remove both those lines. The second one gives root access to your whole machine to your web server and anyone who can figure out how to influence or control your web server.

Here is a somewhat sane way:

Code:
www-data ALL=(root:root) NOPASSWD: /bin/kill --signal CONT [0-9]*, /bin/kill --signal STOP [0-9]*
It allows www-data's scripts to call kill. The downside is that it can STOP or CONT any process on the whole machine.

Code:
sudo /bin/kill --signal STOP $pid
sudo /bin/kill --signal CONT $pid
If you need background material for /etc/sudoers, see Michael W Lucas' book sudo: mastery or his presentation sudo: you're doing it wrong which has both slides and a Youtube video.
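As an added example, not Turbocapitalist's or the original poster's code: a POSIX sh sketch of what bar.sh should do before it hands anything to sudo under the kill rule above. The two action words pause and resume, and the PID argument, are assumptions made for illustration. The check that matters is that the PID is all digits: the sudoers pattern `[0-9]*` also matches an argument string like `1234 -9 1`, because sudoers compares the arguments as one space-separated string and `*` matches spaces, so it is the script, not sudoers, that keeps extra words out of the kill command.

```shell
#!/bin/sh
# bar.sh (added example, not the original poster's script).
# Usage: bar.sh pause|resume PID
# Assumes the sudoers rule from the post above:
#   www-data ALL=(root:root) NOPASSWD: /bin/kill --signal CONT [0-9]*, /bin/kill --signal STOP [0-9]*
# The action names "pause" and "resume" are assumptions for illustration.
set -eu

# Accept only a non-empty, all-digit PID. Rejects "1234 -9 1", "-1", "", "12a".
valid_pid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Translate the script's own action vocabulary into a fixed signal name, so the
# web side can never pick the signal itself.
action_to_signal() {
    case "$1" in
        pause)  printf 'STOP\n' ;;
        resume) printf 'CONT\n' ;;
        *)      return 1 ;;
    esac
}

# Print the exact command line that will be handed to sudo, or fail.
# Kept separate from execution so it can be checked without sudo present.
build_kill_cmd() {
    sig=$(action_to_signal "$1") || return 1
    valid_pid "$2" || return 1
    printf '/bin/kill --signal %s %s\n' "$sig" "$2"
}

main() {
    if [ "$#" -ne 2 ]; then
        echo "usage: $0 pause|resume PID" >&2
        exit 2
    fi
    cmd=$(build_kill_cmd "$1" "$2") || {
        echo "rejected: action=$1 pid=$2" >&2
        exit 1
    }
    # $cmd contains only validated tokens, so word splitting is intended here.
    # shellcheck disable=SC2086
    exec sudo $cmd
}

# Only run when invoked with arguments, so the functions can be sourced and
# exercised without touching sudo.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

foo.pl calls this as `bar.sh pause 1234` without sudo; only the /bin/kill line inside runs under sudo, which is the shape the rule in this post expects. Run `visudo -c` after editing so a syntax error in the rule is caught before the web server depends on it.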
 
Old 07-15-2017, 01:11 PM   #19
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,699

Rep: Reputation: 5895Reputation: 5895Reputation: 5895Reputation: 5895Reputation: 5895Reputation: 5895Reputation: 5895Reputation: 5895Reputation: 5895Reputation: 5895Reputation: 5895
Quote:
pi ALL=(ALL) NOPASSWD: ALL
Similar to Ubuntu, Raspbian creates a default user pi who is the admin and is allowed sudo privileges. Although it looks like the OP enabled root.

Last edited by michaelk; 07-15-2017 at 01:24 PM.
 
Old 07-15-2017, 01:41 PM   #20
NewtownGuy
Since apache2 runs as user www-data, not as user pi, does that mean I need to add:

www-data ALL=(ALL) NOPASSWD: ALL

to /etc/sudoers so that the kills in my bash script, bar.sh, will run when apache2 runs foo.pl that runs bar.sh?

If so, do I have to reboot for it to take effect?
 
Old 07-15-2017, 01:44 PM   #21
Turbocapitalist
Quote:
Originally Posted by NewtownGuy View Post
www-data ALL=(ALL) NOPASSWD: ALL
NO. Please don't do that as doing so would give full control of your machine to your web server.

Please try either the approach michaelk suggested or the one I have suggested. But also see these before making changes to /etc/sudoers

https://www.youtube.com/watch?v=o0purspHg-o

https://www.bsdcan.org/2014/schedule...can%202014.pdf
 
Old 07-15-2017, 02:05 PM   #22
NewtownGuy
In recognition of these security issues, can I allow www-data to run /var/www/cgi-bin/bar.sh and thus everything -- including kills -- in it? If so, would I add this to /etc/sudoers or /etc/sudoers.d/<some_file_name>?

www-data ALL=(root:root) NOPASSWD: /var/www/cgi-bin/bar.sh

If so, do I have to make any changes to the way I invoke bar.sh in foo.pl?

If not, and I use www-data ALL=(root:root) NOPASSWD: /bin/kill --signal CONT [0-9]*, /bin/kill --signal STOP [0-9]*, in /etc/sudoers or /etc/sudoers.d/<some_file_name> instead, do I have to make any changes in bar.sh to the way I invoke /bin/kill?

BTW, pi ALL=(ALL) NOPASSWD: ALL, is part of the standard distribution. If I remove it, won't pi, the default user, be blocked from using the machine?
 
Old 07-15-2017, 02:37 PM   #23
Turbocapitalist
Quote:
Originally Posted by NewtownGuy View Post
In recognition of these security issues, can I allow www-data to run /var/www/cgi-bin/bar.sh and thus everything -- including kills -- in it?
Yes, that's why it's important to pare down the privileges to the bare minimum. The concept is "least privilege" and related to "privilege separation".

Quote:
Originally Posted by NewtownGuy View Post
If so, would I add this to /etc/sudoers or /etc/sudoers.d/<some_file_name>?

www-data ALL=(root:root) NOPASSWD: /var/www/cgi-bin/bar.sh

If so, do I have to make any changes to the way I invoke bar.sh in foo.pl?
If you go that route, then you'll have to invoke bar.sh with sudo from inside foo.pl.

Quote:
Originally Posted by NewtownGuy View Post
If not, and I use www-data ALL=(root:root) NOPASSWD: /bin/kill --signal CONT [0-9]*, /bin/kill --signal STOP [0-9]*, in /etc/sudoers or /etc/sudoers.d/<some_file_name> instead, do I have to make any changes in bar.sh to the way I invoke /bin/kill?
If you go that route, then you'll have to invoke kill with sudo from inside bar.sh. It is the simpler option.

Quote:
Originally Posted by NewtownGuy View Post
BTW, pi ALL=(ALL) NOPASSWD: ALL, is part of the standard distribution. If I remove it, won't pi, the default user, be blocked from using the machine?
If you have users in the group "sudo" then they can administer the machine if you take away that line. There should be users in that group.

Code:
getent group sudo
If not, just leave the line, but it might be a good idea to say instead:

Code:
pi ALL=(ALL) PASSWD: ALL
 
Old 07-15-2017, 04:17 PM   #24
NewtownGuy
Thumbs up!

Many thanks, guys. It's working now.

To explain to others: As root, I ran visudo, which edits /etc/sudoers. I did not need to make a new file in /etc/sudoers.d. I added a line, www-data ALL=(root:root) NOPASSWD: /var/www/cgi-bin/bar.sh, to /etc/sudoers. I decided to control the execution of bar.sh, instead of kill, to minimize the security risks outlined above. I'd rather risk apache somehow running my entire bar.sh script, rather than the fundamental kill command. I added "sudo" to the command passed by system() in my perl script to run bar.sh.

I did not have to reboot the machine for the updated sudoers file to take effect.

Reminds me of .htaccess files in apache that let one override all sorts of stuff...

cheers,
 
Old 07-15-2017, 10:47 PM   #25
Turbocapitalist
Quote:
Originally Posted by NewtownGuy View Post
I'd rather risk apache somehow running my entire bar.sh script, rather than the fundamental kill command.
If you're making those kinds of assessments, you are on your way forward!

One fine point that could be added is that if you don't want bar.sh to receive any parameters ever from www-data, you could set that in /etc/sudoers using an empty pair of quotes:

Code:
www-data ALL=(root:root) NOPASSWD: /var/www/cgi-bin/bar.sh ""
 
Old 07-16-2017, 07:23 AM   #26
NewtownGuy
Thank you. Good to know about blocking arguments. However, in this case, it is essential that two particular values for a single argument be able to be passed via apache, i.e., via www-data. Is there any way to restrict operation to those two ? I'm guessing it's to include two lines, one for each, in /etc/sudoers, although it's overkill in this case since bar.sh checks for those two and rejects everything else.
 
Old 07-16-2017, 08:00 AM   #27
Turbocapitalist
Good. The script should never trust input passed from the web server.

Tightening down sudoers could be overkill or part of a layered approach or something in the middle. But either way, you'd have to spell out each allowed option:

Code:
www-data ALL=(root:root) NOPASSWD: /var/www/cgi-bin/bar.sh one, /var/www/cgi-bin/bar.sh two, \
        /var/www/cgi-bin/bar.sh three, /var/www/cgi-bin/bar.sh four
There is a little flexibility in that /etc/sudoers allows globbing. However, that is not as useful as it sounds, nor is it regex. See "man 7 glob" and "man 5 sudoers".
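To make the globbing caveat in this post and the `""` rule in post #25 concrete, here is an added example that is not from the thread: a small sh emulation of how sudoers decides whether a rule's command specification matches what was typed after sudo. It follows what sudoers(5) documents: the arguments are compared as a single space-separated string using fnmatch-style wildcards, a rule that lists no arguments permits any arguments, and a rule ending in `""` permits none. The rule strings and invocations used inside are constructed for illustration. The emulation does not resolve the command through secure_path or apply sudo's other matching rules, so confirm what a rule really grants with `sudo -l -U www-data` on the machine itself.

```shell
#!/bin/sh
# Added example: emulate sudoers(5) command-argument matching with sh globs.
# sudoers compares a rule's argument pattern against the invoked arguments
# joined by single spaces, using fnmatch(3) wildcards; an unquoted variable in
# a POSIX "case" pattern has the same *, ? and [...] semantics, and * matches
# spaces in both. Simplification: the command path must be given exactly as in
# the rule (real sudo resolves it through secure_path and allows path globs).
set -eu

# args_match PATTERN ARGSTRING -> 0 if the rule's argument pattern matches.
# An empty PATTERN stands for the sudoers "" and matches only no arguments.
args_match() {
    pattern=$1
    argstr=$2
    if [ -z "$pattern" ]; then
        if [ -z "$argstr" ]; then return 0; else return 1; fi
    fi
    # Unquoted $pattern is expanded and then used as a glob; no field splitting
    # happens in case patterns, so spaces inside the pattern are kept.
    case "$argstr" in
        $pattern) return 0 ;;
    esac
    return 1
}

# rule_allows RULE_SPEC INVOCATION -> 0 if sudoers would accept the command.
# RULE_SPEC is the command part of a sudoers entry, for example
#   '/bin/kill --signal STOP [0-9]*'   (args must match the pattern)
#   '/var/www/cgi-bin/bar.sh'          (no args listed: any args allowed)
#   '/var/www/cgi-bin/bar.sh ""'       (empty string: no args allowed)
# INVOCATION is the absolute path plus arguments as typed after "sudo".
rule_allows() {
    rule=$1
    inv=$2
    rule_cmd=${rule%% *}
    inv_cmd=${inv%% *}
    [ "$rule_cmd" = "$inv_cmd" ] || return 1
    # Everything after the first space is the argument string (empty if none).
    case "$rule" in *' '*) rule_args=${rule#* } ;; *) rule_args= ;; esac
    case "$inv"  in *' '*) inv_args=${inv#* }   ;; *) inv_args=  ;; esac
    case "$rule_args" in
        '')   return 0 ;;                       # no args in rule: anything goes
        '""') if [ -z "$inv_args" ]; then return 0; else return 1; fi ;;
        *)    args_match "$rule_args" "$inv_args" ;;
    esac
}

# Usage: sh sudoers_match.sh 'RULE_SPEC' 'INVOCATION'  -> prints allow or deny
if [ "$#" -eq 2 ]; then
    if rule_allows "$1" "$2"; then echo allow; else echo deny; fi
fi
```

Running it with the kill rule from post #18 and the invocation `/bin/kill --signal STOP 1234 -9 1` prints allow, which is the point of the caveat: `[0-9]*` only pins the first character, and everything after it, spaces included, is accepted by the `*`. Listing each allowed argument literally, as in the Code block above, avoids that, and `""` shuts arguments off entirely.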
 
Old 07-16-2017, 08:23 AM   #28
NewtownGuy
Thank you again.
 
  

