8

I have a webserver that also plays internet radio. As the www-data user I want to run some commands, for example I've added this to the /etc/sudoers file:

www-data        ALL=(ALL) NOPASSWD: /usr/bin/amixer

And from PHP I can manipulate the volume without using a password by:

exec('sudo -u user amixer set Master 3%-');

And:

exec('sudo -u user amixer set Master 3%+');

But now I want to be able to restart my own service by running the command:

exec('sudo -u user service servicename restart');

So I tried:

www-data        ALL=(ALL) NOPASSWD: /usr/bin/amixer, NOPASSWD: /bin/service

And this:

www-data        ALL=(ALL) NOPASSWD: /usr/bin/amixer, /bin/service

And even this:

www-data        ALL=(ALL) NOPASSWD: /usr/bin/amixer
www-data        ALL=(ALL) NOPASSWD: /bin/service

But none of them seem to be working. Please help me out.


Sorry guys - my mistake. I've done some changes, tried to link from /sbin to /bin

Now I have changed it to:

www-data        ALL=(ALL) NOPASSWD: /usr/bin/amixer, NOPASSWD: /usr/sbin/service

And it works! Thanks! Topic closed.

totti
  • `service servicename restart` doesn't seem to be the same as `/bin/service`, I guess. You could try to put the restart call in a shell script and then allow sudo to call that script. – twall Aug 22 '12 at 11:32
  • You can find where binaries are using the `which` command in a shell. In this case `which service` will tell you where it is - at a guess it'll be in `/sbin` rather than `/bin`. – Mathew Hall Aug 22 '12 at 11:39
  • @Peter if the question is closed, you should click "close" below the question… – feeela Aug 22 '12 at 12:33
  • Feeela thanks but I see only "share", "edit", "delete" and "flag". Can't see "close" button –  Aug 22 '12 at 12:55
  • @Feela: close votes on own questions require 250+ reputation. –  Aug 22 '12 at 16:58

2 Answers

6

Careful with your solution: you can start, stop or restart any service that way!

Better create a shell script that runs this command:

echo '#!/bin/sh' > /usr/bin/amixer_restart
echo 'sudo -u user service amixer restart' >> /usr/bin/amixer_restart

Grant adequate permissions (550 means root and group www-data can read and execute, nobody can write):

sudo chown root:www-data /usr/bin/amixer_restart
sudo chmod 550 /usr/bin/amixer_restart

And allow apache to sudo on this script:

www-data        ALL=(ALL) NOPASSWD: /usr/bin/amixer_restart
Calimo
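As an added example (not code from the answer above or from the question), here is the same wrapper idea carried one step further: the script is run as root through sudo, but it restarts only a service on an allowlist and checks its argument before handing it to `service`, so the sudoers entry never has to cover `/usr/sbin/service` as a whole. The script path, the sudoers line and the service name "radio" are assumptions.

```shell
#!/bin/sh
# Added example, not code from either answer: a root-run wrapper that lets
# www-data restart only the services on an allowlist, so the sudoers entry
# names this script instead of /usr/sbin/service (any service) or ALL.
# Assumed sudoers line (hypothetical path):
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/restart-allowed-service
# Install it root-owned and not writable by www-data (chmod 550, as in the
# answer above), since everything in it runs as root.

# Services www-data may restart; "radio" is a placeholder for the real name.
ALLOWED_SERVICES="radio"

# Returns 0 if $1 is a syntactically safe name on the allowlist, else 1.
is_allowed_service() {
    name=$1
    # Only [A-Za-z0-9_-] and no leading '-': an empty string, spaces, slashes,
    # ';' or an option-looking word never reaches the service command.
    case "$name" in
        ''|-*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    for s in $ALLOWED_SERVICES; do
        [ "$s" = "$name" ] && return 0
    done
    return 1
}

# Returns the exact command line that would run (action fixed to "restart"),
# or fails without printing anything when the name is refused.
build_command() {
    is_allowed_service "$1" || return 1
    printf '/usr/sbin/service %s restart\n' "$1"
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 <service>" >&2; exit 2; }
    is_allowed_service "$1" || { echo "refused: $1" >&2; exit 1; }
    exec /usr/sbin/service "$1" restart
}

# Act as the wrapper only when given an argument, so the functions can also be
# sourced or tested without restarting anything.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

From PHP the call then becomes `exec('sudo /usr/local/sbin/restart-allowed-service radio')`, and any other service name or any extra option is refused before `service` runs.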
1

This is what I ended up doing:

  1. Install apache2 by running sudo apt-get install apache2
  2. Make sure apache is allowed to run cgi scripts by running sudo a2enmod cgi
  3. Restart apache sudo service apache2 restart
  4. Verify that I can run bash scripts by creating the following script at /usr/lib/cgi-bin/test.sh

    #!/bin/bash
    
    # get today's date
    OUTPUT="$(date)"
    USR=$(whoami)
    
    # headers
    echo "Content-type: text/plain"
    echo ""
    
    # body
    echo "Today is $OUTPUT"
    echo "Current user is $USR"
    
  5. make the script executable chmod +x /usr/lib/cgi-bin/test.sh

  6. Verify I am able to execute the script with curl localhost/cgi-bin/test.sh. I get back the following response:

     Today is Wed Sep  6 12:19:34 PDT 2017 
     Current user is www-data
    
  7. Because the user is www-data I then add that user as a sudoer. I then modify the file /etc/sudoers by adding this line at the end:

    www-data ALL=(ALL) NOPASSWD: ALL

  8. Now that user is supposed to have root privileges. Then I modify my test.sh script as:

    #!/bin/bash
    
    # get today's date
    OUTPUT="$(date)"
    USR=$(sudo whoami)
    
  9. Then you should see the following response when executing a GET request against localhost/cgi-bin/test.sh:

    Today is Wed Sep  6 12:28:38 PDT 2017
    Current user is root
    
Tono Nam