views: 1191
answers: 3

Hi everyone,

Basically I am trying to restart a service from a php web page.

Here is the code:

<?php
// Restart portmap through sudo from the web server's own process
exec('/usr/bin/sudo /etc/init.d/portmap restart');
?>

But, in /var/log/httpd/error_log, I get

unable to change to sudoers gid: Operation not permitted

and in /var/log/messages, I get

Sep 22 15:01:56 ri kernel: audit(1222063316.536:777): avc: denied { getattr } for pid=4851 comm="sh" name="var" dev=dm-0 ino=114241 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Sep 22 15:01:56 ri kernel: audit(1222063316.549:778): avc: denied { setrlimit } for pid=4851 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Sep 22 15:01:56 ri kernel: audit(1222063316.565:779): avc: denied { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Sep 22 15:01:56 ri kernel: audit(1222063316.568:780): avc: denied { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Sep 22 15:01:56 ri kernel: audit(1222063316.571:781): avc: denied { setgid } for pid=4851 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 22 15:01:56 ri kernel: audit(1222063316.574:782): avc: denied { setuid } for pid=4851 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 22 15:01:56 ri kernel: audit(1222063316.577:783): avc: denied { setgid } for pid=4851 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability

In visudo, I added these lines

User_Alias WWW=apache

WWW ALL=(ALL) NOPASSWD:ALL

Can you please help me? Am I doing something wrong?

Thanks for your help,

tiBoun

+3  A: 

The error you are getting seems to be related to your SELinux configuration. You might try temporarily disabling that.

As an aside, I would strongly suggest that you adjust your sudo configuration to be more restrictive.

User_Alias WWW=apache
Cmnd_Alias WEBCMDS=/etc/init.d/portmap
WWW ALL=NOPASSWD: WEBCMDS
Zoredache
Thanks for the advice. I am currently just testing; of course, for security reasons, I will slim down the available commands. Cheers ;D
tiBoun
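The difference between the two sudoers fragments in this answer is the command list: the original grants the apache user every command, the narrowed one a single init script. As an added example (not code from the thread), a small POSIX shell/awk check that reads a sudoers fragment and prints any user specification whose command list is the keyword ALL. The two fragments are constructed from the question and the answer above; the function name and tag list are my own.

```shell
#!/bin/sh
# Constructed sudoers fragments for the check below: the broad grant from the
# question, and the narrowed grant from the answer above. Not from a real host.
SUDOERS_BROAD='User_Alias WWW=apache
WWW ALL=(ALL) NOPASSWD:ALL'

SUDOERS_NARROW='User_Alias WWW=apache
Cmnd_Alias WEBCMDS=/etc/init.d/portmap
WWW ALL=NOPASSWD: WEBCMDS'

# unrestricted_grants: read a sudoers fragment on stdin and print every user
# specification whose command list is the keyword ALL, i.e. a grant that lets
# the listed users run any command (with or without NOPASSWD). Exits 0 if at
# least one such line was found, 1 otherwise, so it can be used as a condition.
unrestricted_grants() {
    awk '
    # comments, blank lines, alias and Defaults lines are not user specifications
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*(User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias|Defaults)/ { next }
    {
        eq = index($0, "=")                  # text after the first "=" is the command spec
        if (eq == 0) next
        spec = substr($0, eq + 1)
        gsub(/\([^)]*\)/, "", spec)          # drop the (runas) list
        gsub(/(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):/, "", spec)  # drop tags
        gsub(/[ \t]/, "", spec)
        n = split(spec, cmds, ",")
        for (i = 1; i <= n; i++) {
            if (cmds[i] == "ALL") { print; found = 1; break }
        }
    }
    END { exit found ? 0 : 1 }'
}

# Usage on the two constructed fragments:
printf '%s\n' "$SUDOERS_BROAD"  | unrestricted_grants && echo "broad fragment: unrestricted grant found"
printf '%s\n' "$SUDOERS_NARROW" | unrestricted_grants || echo "narrow fragment: no unrestricted grant"
```

Only the command list is inspected; the check says nothing about whether the commands in a Cmnd_Alias are themselves safe to hand to the web server. Syntax of the edited file is still best validated with `visudo -c` before it goes live.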
A: 

This is probably down to something like trying to execute sudo in a non-interactive shell.

If you do a grep for 'sudo' in your apache user's mail log you might find things like this

sudo: sorry, you must have a tty to run sudo

flungabunga
+5  A: 

The problem is not with sudo at the moment, but with SELinux, which is (reasonably) set to deny the HTTPD from gaining root privileges.
You will need to either explicitly allow this (you can use audit2allow for this), or set SELinux to be permissive instead. I'd suggest the former.

Hasturkun
Thank you so much, it's working now! Just had to disable SELinux in /etc/selinux/config and change to SELINUX=disabled. Cheers,
tiBoun
Use audit2allow, please.
Vinko Vrsalovic
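The AVC lines in the question are exactly the input audit2allow consumes: it groups them by source type, target type and object class and emits an allow rule per group. As an added example (not code from the thread), a POSIX shell/awk script that does the same grouping so you can read what a policy module built from these denials would grant before deciding between audit2allow, permissive mode and a narrower design. The sample lines are constructed from the ones in the question (one duplicate dropped); the function names are my own, and the script assumes the usual user:role:type[:level] context layout, taking the third colon-separated field as the type.

```shell
#!/bin/sh
# Constructed sample, shaped like the denials quoted in the question
# (one duplicate line dropped). Not taken from a real system.
AVC_SAMPLE='Sep 22 15:01:56 ri kernel: audit(1222063316.536:777): avc: denied { getattr } for pid=4851 comm="sh" name="var" dev=dm-0 ino=114241 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Sep 22 15:01:56 ri kernel: audit(1222063316.549:778): avc: denied { setrlimit } for pid=4851 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Sep 22 15:01:56 ri kernel: audit(1222063316.565:779): avc: denied { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Sep 22 15:01:56 ri kernel: audit(1222063316.571:781): avc: denied { setgid } for pid=4851 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 22 15:01:56 ri kernel: audit(1222063316.574:782): avc: denied { setuid } for pid=4851 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability'

# summarize_avc: read AVC lines on stdin and print one line per
# (source type, target type, object class) with the union of the denied
# permissions. This is the grouping audit2allow turns into
# "allow <src> <tgt>:<class> { perms };" rules.
summarize_avc() {
    awk '
    /avc: +denied/ {
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)     # text between the braces
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            v = $i
            # the type is the third field of user:role:type[:level]
            if (v ~ /^scontext=/)      { sub(/^scontext=/, "", v); split(v, a, ":"); src = a[3] }
            else if (v ~ /^tcontext=/) { sub(/^tcontext=/, "", v); split(v, b, ":"); tgt = b[3] }
            else if (v ~ /^tclass=/)   { cls = substr(v, 8) }
        }
        key = src " " tgt " " cls
        if (!(key in out)) { keys[++nkeys] = key; out[key] = "" }
        n = split(perms, pl, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, pl[j]) in seen)) {
                seen[key, pl[j]] = 1
                out[key] = (out[key] == "" ? pl[j] : out[key] " " pl[j])
            }
        }
    }
    END { for (k = 1; k <= nkeys; k++) print keys[k] ": " out[keys[k]] }'
}

# root_path_denials: exit 0 when the denials on stdin include the setuid or
# setgid capability or any access to shadow_t. Allowing those for
# httpd_sys_script_t means the web server scripts may change identity to
# root or read password hashes, which is what the policy was refusing.
root_path_denials() {
    grep -E 'avc: +denied [{][^}]* (setuid|setgid) [^}]*[}].*tclass=capability|tcontext=[^ ]*:shadow_t' >/dev/null
}

# Usage on the constructed sample:
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
printf '%s\n' "$AVC_SAMPLE" | root_path_denials && echo "denials include a path to root: review before allowing"
```

On the sample the summary shows four groups, and the capability group (setgid setuid) plus the read on shadow_t are the ones to look at: a module generated from these lines lets sudo succeed from the httpd_sys_script_t domain, which is the same outcome as disabling SELinux for that part of the system. Permissive mode (setenforce 0) keeps logging the denials without enforcing them, so it is the mode to use while collecting input for audit2allow; it is not a place to leave the box.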