Claude M. Schrader on 14 Jan 2010 05:55:13 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Running Apache CGI scripts as root?

On 11:10 Wed 13 Jan     , Mike Sheinberg wrote:
>    So, I'm trying to solve an issue at my work where I need particular CGI
>    scripts to have root access to a number of binaries. I have been messing
>    with the sudoers file to try to grant this access to the particular
>    binaries in question without requiring a password but since the 'apache'
>    account has no shell (apache:x:48:48:Apache:/var/www:/sbin/nologin)� I get
>    the following error:
>    [error] [client] sorry, you must have a tty to run sudo,
>    referer: [1]
>    After some searching some people seemed to recommend trying the apache
>    module 'suexec' but it seemed a bit fishy to me so I thought I'd ask good
>    ol' PLUG for some best practices advice on solving this issue. I'd also
>    like to keep the
>  Defaults    requiretty
>    setting in the /etc/sudoers file if possible (due to security concerns).
>    Thanks!
>    Mike

Its possible SUExec will do what you want. It was kind of designed to do
the opposite, secure scripts rather than de-secure them, but I think if
you bang on it enough you may be able to get it to run scripts as root.

Alternately, maybe giving apache (the user) a shell like rssh[1] will allow it to
execute the scripts through sudo without opening it up too much?

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --