NYCPHP Meetup

[Leam Hall]

Hey Michele.

Can you edit /etc/sudoers? You might be able to give it the NOPASSWD 
option, to at least shorten it a bit.

Can you read /var/log/messages and the web server log to see if they say 
anything?

Leam

Michele Waldman wrote:
> So I rewrote the code in bash due to my client's concern about bandwidth.
> 
> Here's my new problem:
> $msg = exec("echo $password | sudo /home/user/site_util/copy_sites $id 2>
> /dev/null");
> 
> The script isn't running.
> 
> Since it's running from http, I modified the user nobody to have /bin/bash
> in /etc/passwd and gave the user a password.
> 
> I can login to the server as nobody and run this code on the command line.
> Works fine.
> 
> Does anyone know why this execute isn't working in php?
> 
> Michele
> 
>> -----Original Message-----
>> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
>> On Behalf Of Kenneth Dombrowski
>> Sent: Friday, July 31, 2009 7:33 AM
>> To: NYPHP Talk
>> Subject: Re: [nycphp-talk] SSH2_CONNECT
>>
>> On 09-07-30 17:05 -0400, Ajai Khattri wrote:
>>> Most probably your PHP script will be running under the same username as
>>> Apache (i.e. www or nobody) so sudo wouldn't work anyway. (And you
>>> wouldn't want to give www or nobody sudo privilege anyway!).
>> All this talk about sudo not working made me curious -- why shouldn't it
>> work?  It will, and a well configured sudo offers a very fine level of
>> control -- though whether one wants to do it is another question
>>
>> # visudo
>> Defaults:www-data       !lecture
>> Defaults:www-data       !authenticate
>> www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache
>>
>> The first two lines get rid of sudo's usual prompts, since it will never
>> run interactively, & the last specifies a single command + argument
>> www-data is allowed to run as kenneth (you can use shell-style globs)
>>
>> # sudo.php
>> <?php
>> header('Content-type: text/plain');
>> $f = '/tmp/sudoer.apache';
>> system("sudo -u kenneth /usr/bin/touch $f");
>> print "\n$f exists? " . (bool) file_exists($f);
>>
>> kenneth at gilgamesh:~$ elinks --dump http://localhost/tmp/sudo.php
>>    /tmp/sudoer.apache exists? 1
>> kenneth at gilgamesh:~$ ls -l /tmp/sudoer.apache
>> -rw-r--r-- 1 kenneth kenneth 0 2009-07-30 19:52 /tmp/sudoer.apache
>>
>> So on debian, www-data successfully created a file as kenneth.  On FreeBSD
>> I think www/nobody/whatever has a /bin/false shell, so there it won't
>> work.  Of course, you shouldn't do it on shared hosts, and I'm sure
>> somebody will tell me you shouldn't do it at all, but its not due to a
>> technical limitation
>>
>>
>> _______________________________________________
>> New York PHP User Group Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>> http://www.nyphp.org/show_participation.php
> 
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
> 
> http://www.nyphp.org/show_participation.php
>