PHP webpage doesn't launch unix command even after updated sudoers
Question
Basically I am trying to restart a service from a php web page.
Here is the code:
<?php
exec ('/usr/bin/sudo /etc/init.d/portmap restart');
?>
But, in /var/log/httpd/error_log
, I get
unable to change to sudoers gid: Operation not permitted
and in /var/log/messages, I get
Sep 22 15:01:56 ri kernel: audit(1222063316.536:777): avc: denied { getattr } for pid=4851 comm="sh" name="var" dev=dm-0 ino=114241 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Sep 22 15:01:56 ri kernel: audit(1222063316.549:778): avc: denied { setrlimit } for pid=4851 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Sep 22 15:01:56 ri kernel: audit(1222063316.565:779): avc: denied { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Sep 22 15:01:56 ri kernel: audit(1222063316.568:780): avc: denied { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Sep 22 15:01:56 ri kernel: audit(1222063316.571:781): avc: denied { setgid } for pid=4851 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 22 15:01:56 ri kernel: audit(1222063316.574:782): avc: denied { setuid } for pid=4851 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 22 15:01:56 ri kernel: audit(1222063316.577:783): avc: denied { setgid } for pid=4851 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
In my visudo, I added those lines
User_Alias WWW=apache
WWW ALL=(ALL) NOPASSWD:ALL
Can you please help me ? Am I doing something wrong ?
Thanks for your help,
tiBoun
Solution
The problem is not with sudo at the moment, but with SELinux, which is (reasonably) set to deny the HTTPD from gaining root privileges.
You will need to either explicitly allow this (you can use audit2allow for this), or set SELinux to be permissive instead. I'd suggest the former.
OTHER TIPS
The error you are getting seems to be related to your SELinux configuration. You might try temporarily disabling that.
As an aside, I would strongly suggest that you adjust your sudo configuration to be more restrictive.
User_Alias WWW=apache
Cmnd_Alias WEBCMDS=/etc/init.d/portmap
WWW ALL=NOPASSWD: WEBCMDS
I encountered the problem recently and the accepted answer above helped. However, I would like to post this answer to elaborate the same, so that the next person does not need to spend time much, like me!
Follow section 7 of the following link: https://wiki.centos.org/HowTos/SELinux.
Do grep with httpd_sys_script_t
.
Basically the steps are:
# grep httpd_sys_script_t /var/log/audit/audit.log | audit2allow -M httpdallowsudo
# semodule -i httpdallowsudo.pp
This is probably down to something like trying to execute sudo in a non-interactive shell.
If you do a grep for 'sudo' in your apache users mail log you might find things like this
sudo: sorry, you must have a tty to run sudo