PHP webpage doesn't launch unix command even after updated sudoers

Question

Hi everyone,

Basically I am trying to restart a service from a php web page.

Here is the code:

<?php
exec ('/usr/bin/sudo /etc/init.d/portmap restart');
?>

But, in /var/log/httpd/error_log, I get

unable to change to sudoers gid: Operation not permitted

and in /var/log/messages, I get

Sep 22 15:01:56 ri kernel: audit(1222063316.536:777): avc: denied { getattr } for pid=4851 comm="sh" name="var" dev=dm-0 ino=114241 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Sep 22 15:01:56 ri kernel: audit(1222063316.549:778): avc: denied { setrlimit } for pid=4851 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Sep 22 15:01:56 ri kernel: audit(1222063316.565:779): avc: denied { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Sep 22 15:01:56 ri kernel: audit(1222063316.568:780): avc: denied { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Sep 22 15:01:56 ri kernel: audit(1222063316.571:781): avc: denied { setgid } for pid=4851 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 22 15:01:56 ri kernel: audit(1222063316.574:782): avc: denied { setuid } for pid=4851 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 22 15:01:56 ri kernel: audit(1222063316.577:783): avc: denied { setgid } for pid=4851 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability

In my visudo, I added those lines

User_Alias WWW=apache

WWW ALL=(ALL) NOPASSWD:ALL

Can you please help me ? Am I doing something wrong ?

Thanks for your help,

tiBoun

Answer 1

The error you are getting seems to be related to your SELinux configuration. You might try temporarily disabling that.

As an aside, I would strongly suggest that you adjust your sudo configuration to be more restrictive.

User_Alias WWW=apache
Cmnd_Alias WEBCMDS=/etc/init.d/portmap
WWW ALL=NOPASSWD: WEBCMDS

Answer 2

This is probably down to something like trying to execute sudo in a non-interactive shell.

If you do a grep for 'sudo' in your apache users mail log you might find things like this

sudo: sorry, you must have a tty to run sudo

Answer 3

The problem is not with sudo at the moment, but with SELinux, which is (reasonably) set to deny the HTTPD from gaining root privileges.
You will need to either explicitly allow this (you can use audit2allow for this), or set SELinux to be permissive instead. I'd suggest the former.