Hi I'm using the shell_exec command from a PHP script:
$output = shell_exec('ls -l');
print_r($output);
Terminal: php test.php
Which results in the directory listing as expected.
Switch to my browser I get no output.
I need to grant privileges to the user 'apache' so that it can execute certain commands, or add the user to a group with such privileges. I know how to add users to groups etc, I was just wondering what the best practice method is of granting such privileges to the apache user.
This took me a while to figure out so it may be of benefit to others.
The problem was that I was trying to give the apache user privileges in /etc/sudoers and SELinux was (quite rightly) denying them.
So I quickly disabled SELinux for httpd and all was working.
This is far from an ideal situation though for a public web server.
As for best practices audit2allow should be used to set permissive operations.
If you execute ls -Z in the desired directory, you will see which the SELinux permissions for that directory.
To allow the httpd/apache daemon to access that directory you can execute (the -R option is for make it recursive):
chcon -Rv --type=httpd_sys_content_t /desired/path
Hope it helps.
Related
Is it possible avoid sudo word while executing the higher privileged commands to a non-root user via a sudo policy such non-root users should not be able to know that he is executing higher privileged commands and also the usage of sudo might be complex.
Example:
Normal Execution of Sudo Command.
$ sudo -u root /usr/bin/tcpdump
non-root users should execute tcpdump like below.
$ tcpdump
Thanks in advance.
Note: I have defined a Sudo Policy for non-root users. So, when a non-root user executes tcpdump, in the backend it should execute as
sudo -u root tcpdump.
Yes. It is possible.
You should:
1- Create a new specific new group where some users would belong:
groupadd nonroot
2- Add your privileged users to that group:
2.1- Edit /etc/group:
vim /etc/group
2.2- Find the line of new created group. It should look like that:
nonroot:x:127:
2.3- At the end, add your privilaged users:
nonroot:x:127:user1,user2
3- Change the group of your binary:
chgrp nonroot /usr/bin/tcpdump
4- Give group execution permissions to the binary:
chmod g+x /usr/bin/tcpdump
You have to have in count that if the binary reads, writes or executes files which user1 has no permissions, you'll have modify them in the same way.
If you cannot change the group of the binary, check the right answer of post bellow, which is a similar way:
Allow users of a certain group to run a command without sudo
Hope it helps.
NOTE: Commands may differ between different linux/unix distros.
I can see at least two possibilities:
Wrap it in a script (an alias is also possible, but if users can use different shells or just start them manually, it can turn into a maintenence hell)
Set the suid bit on tcpdump, but that means everyone who can invoke tcpdump always does so as the owner.
You might want to explore using sudoers file.
Using CentOS as an example (should be similar for Debian), create a file within sudoers.d with the relevant name, e.g. tcpdump and include the following:
user ALL=NOPASSWD: /usr/bin/tcpdump command
Replace the user and command to suit your purpose. You can find out more here.
This coupled with a alias tcpdump='sudo tcpdump for the user should fit your use case.
I have a script that runs iftop in text mode, cuts down the output to what I'm concerned in, and saves it to a text file along with the output of the date command (I am monitoring network usage on various interfaces over time). Only problem I'm having is I'm trying to run my script every 15 minutes via the crontab, and in order to run the iftop command I need sudo permissions. Does anyone know some way to change the permissions of iftop to make it so I don't need sudo permissions?
Alternatively if I can give the script the ability to run the command with sudo that would be fine by me as well. I tried adding the script to the sudoers file via sudo visudo and adding the line:
user ALL=(ALL) NOPASSWD: /home/user/network_usage.sh
but that didn't work...perhaps a result of executing from the crontab?
Thanks,
-Eric
A more granular approach would be to use:
# setcap cap_net_raw=eip $(which iftop)
This lets iftop capture packets but does not give the process full root privileges. In case of a security problem or bug with "iftop" its side effects would be much more limited.
Related: https://unix.stackexchange.com/questions/189750/how-can-i-run-script-without-root-to-sniff-network-libpcap
If you have root access on the machine the quick and dirty way:
chmod +s $(which iftop)
This will make it run w/ root privileges no matter who invokes it.
But I still think your sudo like should work.
You may use root's crontab to run the script.
If instead of crontab -e you use sudo crontab -e you will edit root's crontab. Tasks specified in that file will run under root's account and privileges.
Alternatively, you can set the setuid access flag for your script file. To do so first change the owner of the file to root, then enable setuid like this:
sudo chown root /home/user/network_usage.sh
sudo chmod +s-w /home/user/network_usage.sh
The setuid bit makes an executable file run with the effective UID of its owner.
Regardless of what approach you take, be very careful.
Make your script owned by root and don't let any other user write to it, otherwise it could ease a privilege escalation.
Be aware of the side effects of your setuid programs. If the script has setuid and may create or modify files, it might be used by someone else to modify or create files they aren't supposed to. Always check the manual before giving setuid to any program you haven't written.
My Apache directory for storing files is /var/www.
If i run,
sudo chown -R www-data:www-data /var/www
This makes the www-data the owner of the www folder. Since all static/dynamic files will be served by the Apache User, why do i now need to give this folder 755 permissions? It should just work with giving 700 permissions, right? Since with 700 permissions, the owner(www-data) has full permissions for the folder.
Therefore, my question, why do i need to run:
sudo chmod -R 755 /var/www
instead of
sudo chmod -R 700 /var/www
EDIT: I am not facing any error. I am only asking this question for knowledge. I have been suggested to put 755 permission on the /var/www/ folder by a lot of people. Just wanted to know why couldn't i use 700.
The best layout depends on a few factors. Primarily this is a question of security. Here are a few things to consider:
1) Do you want your web server to be able to write files to your DocumentRoot? Most of the time the answer is no... the exception being things like upload directories. In this case you want something like 755, where the owner/group is not the user that Apache is running as.
2) Do you have local user accounts (like developers) that should be able to access the content? If yes, you might want something like 755, root:developers for permissions, with Apache running as "www-data" or "apache", and not in the group (subject to #1 above).
3) Do those devs need to be able to edit the content (do a code push)? In that case, perhaps 775 root:developers is better.
The primary problem with 700 is that it requires the owner to be the user that Apache is running as, and that gives it full permissions to modify any file in the DocumentRoot. This is usually considered a security weakness because generally speaking the web server should not be modifying files in the DocumentRoot apart from pretty specific exceptions.
A common exploitation, is for an attacker to trick your web app into uploading something like a malicious PHP script somewhere into the DocumentRoot, and then visiting that page. One of the countermeasures is to disallow Apache from writing to the DocumentRoot via this sort of filesystem permissions.
I followed this link to change group/user permission to add my self to www-data group
but I am still unable to edit contents in /var/www , specially with uploaded content.
This is my development environments , I dont want to go to chmod /var/www/ each time there is an upload.
While keeping contents under /var/www what are the steps to change /var/www directory permissions to able to edit contents directly from and an IDE
My login account user and group name is debianaut:
groups www-data
www-data : www-data debianaut
groups debianaut
debianaut : debianaut www-data
I login/out after making these changes. It seems straight forward that if I am user of cretain group I should get whatever permissions they hold .
please help resolve this issue
I suspect your issue is the fact that the user account has more than one group, and the default group is not the one with write permission to that folder.
While Linux allows your user access to multiple groups, it does not provide access to all of them at once. Here are some options to address this:
Change the group used while running in a shell
Change the user's default logon group
Use ACLs
New Group in a Shell
In order to operate as a different user after starting a shell, use newgrp.
Change default Group
In order to change the user's default group, edit /etc/passwd, or use a command to do the job (not sure which command, and it probably differs from distribution to distribution).
ACLs
You will likely prefer to use ACLs. See the man pages for setfacl and getfacl. ACLs (access control lists) are expanded permissions. Not all Linux systems support them, but I would be surprised if your Debian system doesn't. The following should add read-write-execute permission for user debianaut to all of /var/www:
setfacl -R -m u:debianaut:rwx /var/www
By the way - you can check the group id of a running process (such as your IDE), use ps -o gid -p <pid>.
Inheriting ACLs
Following the post here lead to the answer for inheriting ACLs.
The answer is called default ACLs in the man page. The following will set the ACL for denianaut as the default for files created in /var/www:
setfacl -R -d -m u:debianaut:rwx /var/www
I think you should change your umask to 0002:
umask 0002
This could also be useful.
For me the problem has to do with joomla configuration. You need to change the default permissions for uploaded files. This link may help you: http://forum.joomla.org/viewtopic.php?t=286584
There are two relatively simple options, none of them should involve www-data -- you don't want the webserver to have unnecessary write access to your contents.
1) Just take ownershop of /var/www for your userid that will edit the files.
2) Establish a new group, make it one of your secondary groups, and make /var/www group-writable + setgid (chmod g+s) that new group. New files in the setgid dir will have their group set to the shared group.
in Linux:
I want to limited user only can do sudo on specify path.
sudo chmod works on /home/Krome/revA
but sudo chmod failed on /home/Krome
Thanks!
Restricting a user or process to a certain path can be done with chroot - the problem here is that after the chroot the commands in $PATH and dynamically loaded objects would no longer be accessible, so you'd need a statically linked shell which executes the chroot as well as the built-in commands that the user shall be able to issue.
I don't think it possible, and am pretty sure it's not reasonable.
chmod would work inside /home/Krome if it's the user's home folder.
I think you need a regular user (without sudo), and everything else can be managed by adding that user to groups and sharing some folders to those groups.
Add to /etc/sudoers something like the following line:
%users ALL = NOPASSWD: /bin/chmod [ugoa][-+=][rwxXst] /home/Krome/*
It basically says that all group users members can invoke sudo chmod in symbolic mode on anything under /home/Krome/ path.
See man sudo for more details.