Saturday, January 29, 2011

apache-user & root access

I want to develop few scripts in php that will invoke following commands; using exec() function

service network restart

crontab -u root /xyz/abc/fjs/crontab

etc.

The issue is that Apache executes script as apache user (I am on CentOS 5), regardless of adding apache into wheel or doing good, the bad and the ugly group assignment does not run commands (as mentioned above).

Following are my configurations;

My /etc/sudoers

root    ALL=(ALL)       ALL
apache  ALL=(ALL)       NOPASSWD: ALL
%wheel  ALL=(ALL)       ALL
%wheel  ALL=(ALL)       NOPASSWD: ALL

As I've tried couple of combination with sudoer & httpd.conf, the recent httpd.conf look something as follows;

my httpd.conf

User apache
Group wheel

my PHP script

exec("service network start", $a);
print_r($a);

exec("sudo -u root service network start", $a);
print_r($a);

Output

Array
(
    [0] => Bringing up loopback interface:  [FAILED]
    [1] => Bringing up interface eth0:  [FAILED]
    [2] => Bringing up interface eth0_1:  [FAILED]
    [3] => Bringing up interface eth1:  [FAILED]
)
Array
(
    [0] => Bringing up loopback interface:  [FAILED]
    [1] => Bringing up interface eth0:  [FAILED]
    [2] => Bringing up interface eth0_1:  [FAILED]
    [3] => Bringing up interface eth1:  [FAILED]
)

Without any surprise, when I invoke restart network services via ssh, using similar user like apache, the command successfully executes. Its all about accessing such commands via HTTP Protocol. I am sure cPanel/Plesk kind of software do use something like sudoer or something and what I am trying to do is basically possible. But I need your help to understand which piece I am missing?

Thanks a lot!

From serverfault ahmedshaikhm

  • You'll have to write those as PHP commandline driven tools (make sure the package php-cli is installed via yum), then run them in the root crontab directly, not as a normal user. You probably want to write it in basic bash (shell) script as well, using php would be overkill if you're just running commands via exec().

    womble : I think you've got that backwards.
    troyengel : Not really, or if I do I don't understand what he's trying to accomplish. I'd never let the network service to be restarted by any sudoer, that action would require a direct root crontab setup to keep my server safe. *shrug* I'm having a hard time imagining why you want apache/php to restart your interfaces.
    ahmedshaikhm : Thanks. Infact at the moment, I am not able to run the commands at all, no matter if I add apache in sudoers (%apache ALL=(ALL) NOPASSWD: ALL), restart apache or anything.
    ahmedshaikhm : the script will switch the Proxy IP Addresses, and the way they are setup is that they are bind at eth0 and eth0:1 is the main interface.
    ahmedshaikhm : Thanks for taking time to answer, I was trying to choose two answers as your and Matt Simmons's answer seems too fit according to my expertise, however I found that I can only select one answer. And I choose Matt Simmons's answer because it may be more clear to people who face similar issue. Thanks once again!
    From troyengel

  • You should invoke the commands you need to run as a different user using sudo -- then set the sudoers configuration file appropriately so that the user that runs the PHP script is allowed to run the scripts as the other user. See sudoers(5) and about a dozen previous questions regarding the use of sudo.

    ahmedshaikhm : I did follow them, but still no success. I know that apache wont let it configure to run as root root (until & unless CFTAG is set and service is compiled). But by any chance, do you think it could be due to the fact that I am posing apache user as root? apache ALL=(ALL) NOPASSWD: ALL
    womble : That should work OK. Update your question with these details and the errors that you get.
    ahmedshaikhm : Thanks for suggestion of adding more information to the question, it really brought good answers. 1+ point!
    From womble

  • If you take troyengel's solution of throwing an entry in the root cron table, then modify it a little, you might have a workable solution.

    If you absolutely, positively need to use apache to signal an interface restart, why not have PHP create a file that acts as a flag, and then have your root cronjob that runs every minute (or whatever) check for the existence of that flag. If it exists, restart the interfaces. If it doesn't, die. (remember to have the cronjob remove the flag after it successfully restarts the interface).

    This accomplishes the goal (restarting the interface, triggered from apache/php) and circumsteps all of the possible problems involved with granting a web / scripting service root level access.

    ahmedshaikhm : Thanks seems like being PHP Developer I got only this option, because other good answers from answerers require sys-admin knowledge to do that.
    troyengel : enhance this idea to help avoid a race condition -- the PHP that drops the flag actually creates a bash friendly file semaphore that has the date/time stamp (YYYMMDDHHMMSS) that the cron job checks; if the time is outside a given range of acceptability then the cron could delete it as stale and not act, as well as the PHP checking to see if there is already a semaphore that was dropped. Basically you can add a tiny bit of code to either end to keep from whacking yourself in the knees with stale drop files/semaphores on the filesystem.
    From Matt Simmons

  • Dows this answers your question?

    ahmedshaikhm : Thanks for the pointer. It looked like some sys-admin job to setup audit2allow, it seems difficult to me as a php-developer. Regards!
    From Mircea Vutcovici

  • you could use the sticky bit to make an shell script run as root. however, to do that is a little more involved.

    However, you can't just setuid on a shell script. You need to make a regular excecutable with say C/C++, something that doesn't call an interpreter like shell scripts do, and have that execute the shell script.

    ahmedshaikhm : Hi thanks for the answer but the thing is that I am PHP Developer and could not invest time as of now to write some C/C++ program to achieve my goal. Anyways, thanks for taking time to answer. Regards!
    From spatel

  • Hi All

    I'm still unable to get it, I have added apache user/group to sudoers, still it's unable to execute a few commands in my case I'm trying to execute "mount" command for mounting an ISO.

    Please suggest

    TIA Anish Sneh

    From Anish Sneh

  • Thanks all, got it

    -- Anish Sneh

    From Anish Sneh
Posted by Ku XI at 5:35 PM

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)