Corona688 Veteran
Joined: 10 Jan 2004 Posts: 1204
Posted: Tue Aug 28, 2007 5:44 pm Post subject: [SOLVED] sudo messing up royally

I was led to believe the following line (in /etc/sudoers, edited with visudo) would allow the user 'tyler' to run the given script as the user 'reminder'. It does allow 'tyler' to run it, but runs it as root! Why?

Code:
    tyler ALL = (reminder) NOPASSWD: /home/reminder/gen-reminders.sh

Also, it works for ordinary users like 'tyler', but fails when I change it to 'apache' or '%apache' and try and run it from a PHP script. Why?
_________________
Petition for Better 64-bit ATI Drivers - Sign Here
http://www.petitiononline.com/atipet/petition.html
Last edited by Corona688 on Tue Aug 28, 2007 8:45 pm; edited 1 time in total

Sadako Advocate
Joined: 05 Aug 2004 Posts: 3792 Location: sleeping in the bathtub
Posted: Tue Aug 28, 2007 6:49 pm Post subject:

Isn't that exactly what sudo is supposed to do, run something as root?
You have to be a member of the wheel group in order to use su, so maybe the same applies to sudo, or perhaps it has its own group?
Try adding apache to the wheel group, and see if it works then.
_________________
"You have to invite me in"

tarpman Veteran
Joined: 04 Nov 2004 Posts: 1083 Location: Victoria, BC, Canada
Posted: Tue Aug 28, 2007 7:34 pm Post subject:

No, sudo is supposed to run something as another user. By default that user is root, but it's configurable. Same with who is allowed to use it. And under no circumstances should a service account like apache be placed in a group that could conceivably place it closer to root privileges. The OP's configuration looks right...
OP, have you tried invoking it as sudo -u reminder ~reminder/gen-reminders.sh? I don't know why it's letting you run as root - it shouldn't be as far as I can tell - but at least using -u should let it run as reminder.
_________________
Saving the world, one kilobyte at a time.

Corona688 Veteran
Joined: 10 Jan 2004 Posts: 1204
Posted: Tue Aug 28, 2007 8:45 pm Post subject:

Yes, that did it.
It was running it as root because of a previous line in sudoers, that gave permission to those in the wheel group. Since it came first, it took precedence. It was failing to run when apache called it because for some reason it assumed root instead of the only possible user for it...
_________________
Petition for Better 64-bit ATI Drivers - Sign Here
http://www.petitiononline.com/atipet/petition.html

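Added example, not part of any post in this thread: a simplified Python model of the sudoers matching discussed above, showing that a request without -u asks for root, so the (reminder) rule can only be used when -u reminder is given. The %wheel line, tyler's wheel membership, and the names Rule, rule_matches and sudo_runs_as are assumptions for illustration; hosts, aliases, negation and tags are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    who: str          # user name, or %group
    runas: frozenset  # target users the rule permits; "ALL" means any user
    command: str      # absolute path, or "ALL"


def rule_matches(rule, user, groups, target, command):
    """True if this rule lets `user` run `command` as `target`."""
    who_ok = rule.who == user or (
        rule.who.startswith("%") and rule.who[1:] in groups)
    runas_ok = "ALL" in rule.runas or target in rule.runas
    cmd_ok = rule.command in ("ALL", command)
    return who_ok and runas_ok and cmd_ok


def sudo_runs_as(rules, user, groups, command, target=None):
    """Return the account the command would run as, or None if refused."""
    target = target or "root"  # no -u on the command line means root
    if any(rule_matches(r, user, groups, target, command) for r in rules):
        return target
    return None


SCRIPT = "/home/reminder/gen-reminders.sh"
RULES = [
    # Assumed form of the wheel line; the thread does not quote it.
    Rule("%wheel", frozenset({"ALL"}), "ALL"),
    # The line from the first post, and its apache variant.
    Rule("tyler", frozenset({"reminder"}), SCRIPT),
    Rule("apache", frozenset({"reminder"}), SCRIPT),
]

if __name__ == "__main__":
    # Constructed cases: tyler is assumed to be in wheel, apache is not.
    cases = [
        ("tyler", {"wheel"}, None),         # sudo SCRIPT
        ("tyler", {"wheel"}, "reminder"),   # sudo -u reminder SCRIPT
        ("apache", {"apache"}, None),       # sudo SCRIPT from PHP
        ("apache", {"apache"}, "reminder"), # sudo -u reminder SCRIPT
    ]
    for user, groups, target in cases:
        result = sudo_runs_as(RULES, user, groups, SCRIPT, target)
        print(user, "-u", target or "(none)", "->", result or "refused")
```

In this model the service account has no path to root at all: its only rule names reminder as the target and one script as the command, which is the property tarpman's warning about the wheel group protects.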