Thank you. Michele
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of CED
> Sent: Friday, July 31, 2009 8:39 PM
> To: NYPHP Talk
> Subject: Re: [nyphp-talk] SSH2_CONNECT
>
> I'll take the bait...
>
> No, you most certainly shouldn't do this at all. Adjusting the defaults
> to sudoers is a big no-no.
>
> Whatever it is you are doing, the need to become root is far different
> than Ken's example of becoming Ken.
>
> The reason that you can't make this work properly has everything to do
> with 'REAL' tty sessions, which you aren't going to have.
>
> Root cannot be allowed to be running around without a properly bound
> TTY, for various auditing reasons.
>
> However, in the spirit of this list:
>
> Defaults:root !requiretty
> Defaults:nobody !requiretty
>
> Play VERY carefully.
>
> -Ed
>
>
> Kenneth Dombrowski wrote:
> > On 09-07-30 17:05 -0400, Ajai Khattri wrote:
> >
> >> Most probably your PHP script will be running under the same username as
> >> Apache (i.e. www or nobody) so sudo wouldn't work anyway. (And you
> >> wouldn't want to give www or nobody sudo privilege anyway!).
> >>
> >
> > All this talk about sudo not working made me curious -- why shouldn't it
> > work? It will, and a well configured sudo offers a very fine level of
> > control -- though whether one wants to do it is another question
> >
> > # visudo
> > Defaults:www-data !lecture
> > Defaults:www-data !authenticate
> > www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache
> >
> > The first two lines get rid of sudo's usual prompts, since it will never
> > run interactively, & the last specifies a single command + argument
> > www-data is allowed to run as kenneth (you can use shell-style globs)
> >
> > # sudo.php
> > <?php
> > header('Content-type: text/plain');
> > $f = '/tmp/sudoer.apache';
> > system("sudo -u kenneth /usr/bin/touch $f");
> > print "\n$f exists? " . (bool) file_exists($f);
> >
> > kenn...@gilgamesh:~$ elinks --dump http://localhost/tmp/sudo.php
> > /tmp/sudoer.apache exists? 1
> > kenn...@gilgamesh:~$ ls -l /tmp/sudoer.apache
> > -rw-r--r-- 1 kenneth kenneth 0 2009-07-30 19:52 /tmp/sudoer.apache
> >
> > So on debian, www-data successfully created a file as kenneth. On FreeBSD
> > I think www/nobody/whatever has a /bin/false shell, so there it won't
> > work. Of course, you shouldn't do it on shared hosts, and I'm sure
> > somebody will tell me you shouldn't do it at all, but it's not due to a
> > technical limitation
> >
> > _______________________________________________
> > New York PHP User Group Community Talk Mailing List
> > http://lists.nyphp.org/mailman/listinfo/talk
> >
> > http://www.nyphp.org/show_participation.php
>
> --
> 995 Maple Hill Road
> Castleton, New York 12033
> 518-331-5061
> [email protected]
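The thread above shows a PHP script calling `sudo` under a sudoers rule that permits exactly one command and argument for `www-data`. The snippet below is an added example, not code posted by anyone in the thread: it is a hardened variant of the quoted `sudo.php` that keeps the command line fixed and matched character for character to the sudoers rule, so request data can never become part of the command, and that checks `sudo`'s exit status instead of assuming success. It assumes the same sudoers lines Kenneth quoted (`Defaults:www-data !lecture`, `Defaults:www-data !authenticate`, `www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache`) are installed via `visudo`; the action name `touch-marker` and the function `runPrivileged` are hypothetical names chosen for this example.

```php
<?php
// Added example, not from the list thread. Hardened form of the quoted
// sudo.php. Assumes the sudoers entries from the thread are installed:
//
//   Defaults:www-data !lecture
//   Defaults:www-data !authenticate
//   www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache
//
// Design: the full argv of every permitted command is fixed in code and
// mirrors the sudoers rule exactly. Request data only selects an entry by
// name; it is never interpolated into the command string.

header('Content-type: text/plain');

// Allowlist of the commands the sudoers rule permits, as argv arrays.
// (hypothetical action name, chosen for this example)
$allowedCommands = [
    'touch-marker' => ['/usr/bin/touch', '/tmp/sudoer.apache'],
];

/**
 * Run one allowlisted command through sudo as $runAs.
 * Returns sudo's exit status, or -1 if $name is not allowlisted.
 */
function runPrivileged(string $name, string $runAs, array $allowed): int
{
    if (!array_key_exists($name, $allowed)) {
        return -1;  // unknown action: refuse rather than guess
    }

    // -n makes sudo fail instead of prompting if a password would be
    // required, which is the right behaviour for a non-interactive
    // web process; -- ends option parsing before the command.
    $argv = array_merge(['sudo', '-n', '-u', $runAs, '--'], $allowed[$name]);

    // Each element is quoted individually, so even the fixed arguments
    // cannot be re-split by the shell that exec() invokes.
    $cmd = implode(' ', array_map('escapeshellarg', $argv));

    exec($cmd . ' 2>&1', $output, $status);
    return $status;
}

// The request supplies only a key into the allowlist, never a path or
// command fragment.
$action = $_GET['action'] ?? 'touch-marker';
$status = runPrivileged($action, 'kenneth', $allowedCommands);

if ($status === 0) {
    print "ok: " . implode(' ', $allowedCommands[$action]) . "\n";
} else {
    // -1: not in our allowlist; non-zero from sudo: policy refused it,
    // a password would have been needed (-n), or the command itself failed.
    print "refused or failed (status $status)\n";
}
```

Because the sudoers rule names the argument as well as the binary, any drift between the allowlist in the script and the rule in `/etc/sudoers` surfaces as a non-zero status (and a `sudo` log entry) rather than as a silently broadened privilege, which is the property a defender wants from this arrangement.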
