I'll take the bait...

No, you most certainly shouldn't do this at all. Adjusting the defaults in sudoers is a big no-no.

Whatever it is you are doing, the need to become root is far different than Ken's example of becoming Ken.

The reason that you can't make this work properly has everything to do with 'REAL' tty sessions, which you aren't going to have.

Root cannot be allowed to be running around without a properly bound TTY, for various auditing reasons.

However, in the spirit of this list:

Defaults:root !requiretty
Defaults:nobody !requiretty

Play VERY carefully.

-Ed


Kenneth Dombrowski wrote:
On 09-07-30 17:05 -0400, Ajai Khattri wrote:
Most probably your PHP script will be running under the same username as Apache (i.e. www or nobody) so sudo wouldn't work anyway. (And you wouldn't want to give www or nobody sudo privilege anyway!).

All this talk about sudo not working made me curious -- why shouldn't it
work?  It will, and a well-configured sudo offers a very fine level of
control -- though whether one wants to do it is another question.

# visudo
Defaults:www-data       !lecture
Defaults:www-data       !authenticate
www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache
The first two lines get rid of sudo's usual prompts, since it will never
run interactively, and the last specifies a single command + argument
www-data is allowed to run as kenneth (you can use shell-style globs).
# sudo.php
<?php
header('Content-type: text/plain');
// Must match the sudoers rule exactly: command path plus the one argument.
$f = '/tmp/sudoer.apache';
// Apache's www-data runs touch as kenneth; sudo will not prompt (see Defaults above).
system("sudo -u kenneth /usr/bin/touch $f");
print "\n$f exists? " . (bool) file_exists($f);

kenn...@gilgamesh:~$ elinks --dump http://localhost/tmp/sudo.php
   /tmp/sudoer.apache exists? 1
kenn...@gilgamesh:~$ ls -l /tmp/sudoer.apache
-rw-r--r-- 1 kenneth kenneth 0 2009-07-30 19:52 /tmp/sudoer.apache

So on Debian, www-data successfully created a file as kenneth.  On FreeBSD
I think www/nobody/whatever has a /bin/false shell, so there it won't
work.  Of course, you shouldn't do it on shared hosts, and I'm sure
somebody will tell me you shouldn't do it at all, but it's not due to a
technical limitation.


_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

http://www.nyphp.org/show_participation.php





--
995 Maple Hill Road
Castleton, New York 12033
518-331-5061
[email protected]


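The two posts above disagree on whether a web-server account should ever get a sudo grant, but they agree on what makes such a grant dangerous: skipping authentication, dropping the tty requirement, running as root, wildcards in arguments, and binaries that can hand back a shell. The script below is an added example, not code from either poster, that reviews a sudoers fragment for exactly those points. It handles only the subset of sudoers syntax that appears in the thread (Defaults:user flags and "user host = (runas) command" specs, plus NOPASSWD-style tags); the shell-escape binary list is a constructed shortlist, not a complete one. Kenneth's rule is one of the sample inputs; the second, looser rule is constructed to show what the check flags.

```python
"""Lint a sudoers fragment for risky grants to a service account (added example)."""
import re
from dataclasses import dataclass

# Constructed shortlist: binaries that can spawn a shell or write arbitrary
# files, so a sudo grant on them is effectively a grant of the target account.
SHELL_ESCAPE = {"sh", "bash", "dash", "vi", "vim", "less", "more",
                "find", "awk", "perl", "python", "tee", "cp", "mv"}

DEFAULTS_RE = re.compile(r"^Defaults:(\S+)\s+(.+)$")
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\((\S+)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^((?:NO)?(?:PASSWD|EXEC|SETENV)):\s*")


@dataclass
class Grant:
    user: str
    host: str
    runas: str
    tags: set
    command: str  # "/path args..." or "ALL"


def parse_sudoers(text):
    """Parse the subset of sudoers syntax used in the thread."""
    defaults = {}   # user -> set of Defaults flags, e.g. {"!authenticate"}
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            flags = {f.strip() for f in m.group(2).split(",")}
            defaults.setdefault(m.group(1), set()).update(flags)
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, host, runas, cmdlist = m.groups()
        tags = set()
        for cmd in (c.strip() for c in cmdlist.split(",")):
            # A tag such as NOPASSWD: applies to every later command in the list.
            while (t := TAG_RE.match(cmd)):
                tags.add(t.group(1))
                cmd = cmd[t.end():]
            # sudo's default run-as user is root when none is given.
            grants.append(Grant(user, host, runas or "root", set(tags), cmd))
    return defaults, grants


def lint(text):
    """Return (severity, message) findings; an empty list means nothing risky."""
    defaults, grants = parse_sudoers(text)
    out = []
    for user, flags in sorted(defaults.items()):
        if "!authenticate" in flags:
            out.append(("HIGH", f"{user}: !authenticate means sudo never asks for a password"))
        if "!requiretty" in flags:
            out.append(("INFO", f"{user}: !requiretty lets sudo run with no controlling tty"))
    for g in grants:
        who = f"{g.user} -> {g.runas}"
        if g.command == "ALL":
            out.append(("CRIT", f"{who}: ALL commands"))
            continue
        path, _, args = g.command.partition(" ")
        base = path.rsplit("/", 1)[-1]
        if "NOPASSWD" in g.tags:
            out.append(("HIGH", f"{who}: NOPASSWD on {path}"))
        if g.runas in ("root", "ALL"):
            out.append(("HIGH", f"{who}: runs as root"))
        if base in SHELL_ESCAPE:
            out.append(("CRIT", f"{who}: {base} can spawn a shell or write arbitrary files"))
        if not args:
            # sudoers: a command listed with no arguments permits ANY arguments;
            # an explicit "" is needed to forbid them.
            out.append(("HIGH", f'{who}: {path} with no arguments listed allows any arguments (use "" to forbid them)'))
        elif re.search(r"[*?\[]", args):
            # sudoers matches arguments as one concatenated string, so a wildcard
            # also matches across spaces and extra arguments can be smuggled in.
            out.append(("HIGH", f"{who}: wildcard in arguments matches across spaces"))
    return out


# The rule from Kenneth's post.
THREAD_RULE = """
Defaults:www-data       !lecture
Defaults:www-data       !authenticate
www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache
"""

# Constructed looser variant of the same idea.
LOOSE_RULE = "www-data ALL = (root) NOPASSWD: /usr/bin/touch /tmp/*, /usr/bin/vim\n"

if __name__ == "__main__":
    for name, text in (("thread", THREAD_RULE), ("loose", LOOSE_RULE)):
        print(f"== {name} ==")
        for sev, msg in lint(text):
            print(f"{sev:5} {msg}")
```

Run against Kenneth's fragment the only finding is the `!authenticate` default, which is the trade-off he describes: sudo must not prompt, so the grant is only as safe as the single exact command it names. The constructed variant shows how quickly that changes once the run-as user is root, the argument carries a wildcard, or the binary is one that can escape to a shell.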