[nycphp-talk] SSH2_CONNECT

CED consult at covenantedesign.com
Fri Jul 31 20:42:16 EDT 2009


Leam Hall wrote:
>
>
> http://forums.fedoraforum.org/showthread.php?t=159677
>
> [root at leam ~]# grep -i tty /etc/sudoers
> Defaults    requiretty
>
> That might help.  :)
>
> Leam
>
> Michele Waldman wrote:
>> Thank you.
>>
>> sudo: sorry, you must have a tty to run sudo
>>
>> I don't know how to resolve this.
>>
>> Michele
>>
>>> -----Original Message-----
>>> From: talk-bounces at lists.nyphp.org 
>>> [mailto:talk-bounces at lists.nyphp.org]
>>> On Behalf Of Leam Hall
>>> Sent: Friday, July 31, 2009 8:22 PM
>>> To: NYPHP Talk
>>> Subject: Re: [nycphp-talk] SSH2_CONNECT
>>>
>>> Drat! That's my favorite reading.  :)
>>>
>>> Couple more ideas, based on an OS perspective. If it's a PHPism, I'm
>>> not so good...
>>>
>>> If the copy_sites program is a script and not a binary, edit it
>>> early on to create a temporary file. For example, put in a line like
>>> "echo guido > /tmp/woo-hoo". See if it writes it. If so, then it's
>>> choking on the script. If not, then it's not getting to the script.
>>>
>>> Also, have it echo $id to a temp file to make sure the variable
>>> substitution is happening correctly.
>>>
>>> Hope that helps.
>>>
>>> Leam
>>>
>>> Michele Waldman wrote:
>>>> I didn't see anything in /var/log/messages.
>>>>
>>>> Michele
>>>>
>>>>> -----Original Message-----
>>>>> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
>>>>> On Behalf Of Leam Hall
>>>>> Sent: Friday, July 31, 2009 7:58 PM
>>>>> To: NYPHP Talk
>>>>> Subject: Re: [nycphp-talk] SSH2_CONNECT
>>>>>
>>>>> Hey Michele.
>>>>>
>>>>> Can you edit /etc/sudoers? You might be able to give it the NOPASSWD
>>>>> option, to at least shorten it a bit.
>>>>>
>>>>> Can you read /var/log/messages and the web server log to see if they
>>>>> say anything?
>>>>>
>>>>> Leam
>>>>>
>>>>> Michele Waldman wrote:
>>>>>> So I rewrote the code in bash due to my client's concern about
>>>>>> bandwidth.
>>>>>> Here's my new problem:
>>>>>> $msg = exec("echo $password | sudo /home/user/site_util/copy_sites $id 2> /dev/null");
>>>>>>
>>>>>> The script isn't running.
>>>>>>
>>>>>> Since it's running from http, I modified the user nobody to have
>>>>>> /bin/bash in /etc/passwd and gave the user a password.
>>>>>>
>>>>>> I can login to the server as nobody and run this code on the command
>>>>>> line. Works fine.
>>>>>>
>>>>>> Does anyone know why this execute isn't working in php?
>>>>>>
>>>>>> Michele
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
>>>>>>> On Behalf Of Kenneth Dombrowski
>>>>>>> Sent: Friday, July 31, 2009 7:33 AM
>>>>>>> To: NYPHP Talk
>>>>>>> Subject: Re: [nycphp-talk] SSH2_CONNECT
>>>>>>>
>>>>>>> On 09-07-30 17:05 -0400, Ajai Khattri wrote:
>>>>>>>> Most probably your PHP script will be running under the same
>>>>>>>> username as Apache (i.e. www or nobody) so sudo wouldn't work anyway. (And you
>>>>>>>> wouldn't want to give www or nobody sudo privilege anyway!).
>>>>>>> All this talk about sudo not working made me curious -- why
>>>>>>> shouldn't it work?  It will, and a well-configured sudo offers a very fine level
>>>>>>> of control -- though whether one wants to do it is another question
>>>>>>>
>>>>>>> # visudo
>>>>>>> Defaults:www-data       !lecture
>>>>>>> Defaults:www-data       !authenticate
>>>>>>> www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache
>>>>>>>
>>>>>>> The first two lines get rid of sudo's usual prompts, since it will
>>>>>>> never run interactively, & the last specifies a single command + argument
>>>>>>> www-data is allowed to run as kenneth (you can use shell-style globs)
>>>>>>>
>>>>>>> # sudo.php
>>>>>>> <?php
>>>>>>> header('Content-type: text/plain');
>>>>>>> $f = '/tmp/sudoer.apache';
>>>>>>> system("sudo -u kenneth /usr/bin/touch $f");
>>>>>>> print "\n$f exists? " . (bool) file_exists($f);
>>>>>>>
>>>>>>> kenneth at gilgamesh:~$ elinks --dump http://localhost/tmp/sudo.php
>>>>>>>    /tmp/sudoer.apache exists? 1
>>>>>>> kenneth at gilgamesh:~$ ls -l /tmp/sudoer.apache
>>>>>>> -rw-r--r-- 1 kenneth kenneth 0 2009-07-30 19:52 /tmp/sudoer.apache
>>>>>>>
>>>>>>> So on debian, www-data successfully created a file as kenneth.  On
>>>>>>> FreeBSD I think www/nobody/whatever has a /bin/false shell, so there it
>>>>>>> won't work.  Of course, you shouldn't do it on shared hosts, and I'm sure
>>>>>>> somebody will tell me you shouldn't do it at all, but it's not due to
>>>>>>> a technical limitation
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> New York PHP User Group Community Talk Mailing List
>>>>>>> http://lists.nyphp.org/mailman/listinfo/talk
>>>>>>>
>>>>>>> http://www.nyphp.org/show_participation.php
>
Please DO NOT use Leam's example...

"Defaults requiretty" is a global sudoers security default, change the 
default at the user level... or, again; Don't do it at all.

-- 
995 Maple Hill Road
Castleton, New York 12033
518-331-5061
Consult at CovenanteDesign.com
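A hardened version of the exec-plus-sudo pattern this thread argues about, added here as an example that is not code from the thread or from any of its participants. It assumes the sudoers entry shown in the leading comment (scoped to the web server user with a per-user override, as the reply above recommends, instead of changing the global Defaults) and that copy_sites takes a single site id; the id format and the www-data user name are assumptions.

```php
<?php
// Added example, not from the thread. Assumed sudoers entry (edit with visudo):
//   Defaults:www-data !requiretty    # per-user override, not the global Defaults line
//   www-data ALL = (root) NOPASSWD: /home/user/site_util/copy_sites
// The helper path is from the thread; the site-id format is an assumption.

const COPY_SITES = '/home/user/site_util/copy_sites';

/**
 * Build the command line that replaces the thread's
 *   exec("echo $password | sudo /home/user/site_util/copy_sites $id 2> /dev/null")
 * Problems with that original:
 *   - the password travels through the shell and is visible in `ps` output;
 *   - $id is interpolated unescaped, so shell metacharacters in it execute;
 *   - 2>/dev/null discards the very message ("you must have a tty") that
 *     explained the failure.
 */
function build_copy_sites_cmd(string $id): string
{
    // Allow-list the argument shape before it touches a shell at all.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $id)) {
        throw new InvalidArgumentException('invalid site id');
    }
    // -n: never prompt; with no tty or password available sudo fails at once
    // instead of hanging the PHP request. escapeshellarg() quotes each argument.
    return 'sudo -n ' . escapeshellarg(COPY_SITES) . ' ' . escapeshellarg($id);
}

/**
 * Run the helper and return its exit status and combined output so that
 * sudo's own diagnostics reach the application log instead of /dev/null.
 */
function run_copy_sites(string $id): array
{
    $output = [];
    $status = 1;
    exec(build_copy_sites_cmd($id) . ' 2>&1', $output, $status);
    if ($status !== 0) {
        error_log('copy_sites failed (' . $status . '): ' . implode(' | ', $output));
    }
    return ['status' => $status, 'output' => $output];
}
```

With the rule restricted to one command and NOPASSWD, nothing is echoed into sudo, and `sudo -n` makes a misconfigured requiretty show up as an immediate non-zero status in the log rather than a silent hang.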
