I need to launch a command with sudo rights out of a php file (user: www-data), explicitly as user www-data:
<?php
$command = 'sudo -u www-data /usr/bin/python3 /var/www/html/script.py';
shell_exec($command);
?>
to be able to use sudo for www-data I want to put the command in sudoers (sudo visudo), like:
www-data ALL=NOPASSWD: sudo -u www-data /usr/bin/python3 /var/www/html/script.py
or
www-data ALL=NOPASSWD: -u www-data /usr/bin/python3 /var/www/html/script.py
but the syntax is wrong (error message from visudo).
The following is working with sudoers (correct syntax)
www-data ALL=NOPASSWD: /usr/bin/python3 /var/www/html/script.py
but doesn't work for my script (apache error in log file):
Sorry, user www-data is not allowed to execute '/usr/bin/python3 /var/www/html/script.py' as www-data on raspberrypi.
it seems it needs sudo -u www-data. How can I solve this?
It makes no sense to use sudo to allow www-data to run commands as www-data, but you can easily do so:
www-data ALL=(www-data) NOPASSWD: /usr/bin/python3 /var/www/html/script.py
The problem with your approaches was that you tried to add the command sudo -u www-data .. to sudoers, which corresponds to double-sudo sudo sudo -u www-data ..
Related
I have setup a linode to host few client's WordPress sites.
I added all sites to
var/www/html/site1.com/public_html<br>
var/www/html/site2.com/public_html<br>
var/www/html/site3.com/public_html<br>
and gave the www-data user permission:
sudo chown -R www-data:www-data /var/www/html/site1.com/public_html<br>
sudo chown -R www-data:www-data /var/www/html/site2.com/public_html<br>
sudo chown -R www-data:www-data /var/www/html/site3.com/public_html<br>
Now issue is PHP is able to write across all those folders which means if one site gets compromised , hacker will be able to access other sites public_html via PHP.
What is the best secure way to set this up ?
Step by step guide will help !! Thank you so much.
You have to create separate user for each website like site1, site2, site3
Then assign user and group for each website to get your expected security.
sudo chown -R site1:site1 /var/www/html/site1.com/public_html
sudo chown -R site2:site2 /var/www/html/site2.com/public_html
sudo chown -R site3:site3 /var/www/html/site3.com/public_html
Add user to www-data group so that you wordpreess can run regular operations such as update, delete, install...
sudo usermod -a -G www-data site1
sudo usermod -a -G www-data site3
sudo usermod -a -G www-data site3
We use open-shift, and the docker container only could be run as non-root user.
However, the cron failed start with error: seteuid: Operation not permitted
I have already done the following settings, the error is still there
chmod gu+rw /var/run
crontab -u my_user home/my_user/Base/cron.txt
usermod -a -G root,crontab my_user
How to avoid the error?
I use the following to solve the issue.
Hope could be the help to others
chmod gu+rw /var/run
chmod gu+s /usr/sbin/cron
# Optional
# chmod g+s, u-s /usr/bin/crontab
crontab -u my_user /home/my_user/cron.txt
I want to perform some actions on behalf of some non-login users, such as e.g. www-data or uwsgi. My purpose is to test some permissions, check what dirs they can modify etc etc.
Is there a recommended way of going about this, other than creating a shell and password for them and su ?
edit:
When I try to su to the specific user with sudo:
admin#ip-192-10-30-111:~$ sudo su www-data
This account is currently not available.
admin#ip-192-10-30-111:~$ cat /etc/passwd | grep -i www-data
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
admin#ip-192-10-30-111:~$
You don't need to create a shell and password for them, you can simply run su as root and use the --shell argument of su.
To run a bash shell as www-data run:
su --shell /bin/bash www-data
as root.
I am unable to create a directory using sudo priveleges from root user and If I login to user , I can create an directory under /root using sudo. Also I have added to allow all commands in /etc/sudoers file and the details are below:
[root#linux home]# cat /etc/sudoers | grep tes
test ALL= NOPASSWD: ALL
Error
[root#linux home]# sudo -u test mkdir /var/log/test3
mkdir: cannot create directory ‘/var/log/test3’: Permission denied
Any Ideas ?
Thanks
By running 'sudo -u test', you're giving yourself lower privileges than the roor user because you're running the command as the user 'test', not 'root'. From the root user, you can just run:
mkdir /var/log/test3
Read man sudo for more info.
Or:
Run visudo and uncomment the wheel group, then add the user test to the wheel group.
If you don't mind me asking, why do you need to create a directory as a certain user from the root user? Especially since the directory you're making will not be user specific?
Also, in the sudoers file , you should what added test ALL=(ALL) NOPASSWD: ALL, not test ALL= NOPASSWD: ALL
On ubuntu 10.04.4 server, I did this:
sudo mkdir -p /data/somedir
sudo chown -R www-data.www-data /data/somedir
sudo chmod -R g+w /data/somedir
sudo usermod -a -G www-data john ##john is current login user.
. With these operations done, I suppose to have write permission in /data/somedir. But when I did this:
echo "123" > /data/somedir/123
, I got:
-bash: /data/somedir/123: Permission denied
The ls -l output:
$ ls -l /data/
total 4
drwxrwxr-x 2 www-data www-data 4096 2012-04-24 22:30 somedir
Question is: why? Is there something I still need to do after that?
Changes made with usermod only take effect on following logins; your existing login session does not yet have the www-data group, as you can verify with id. It is not easy to alter the identity of running processes (newgrp might work); the easiest way to deal is to log out and back in.