
Thread: add www user into sudoers list and service command

  1. #1
    Join Date
    Aug 2009
    Location
    botswana
    Beans
    26
    Distro
    Ubuntu 9.10 Karmic Koala

    add www user into sudoers list and service command

    Hi, I am developing a little web page that gives statistical information from a service. Its web page is for an application called Airtime.
    In order to acquire the information from the CLI, I have to run the command
    Code:
    sudo service airtime-media-monitor status
    and provide my root password.

    I however did manage to manually add the "www-data" user (the account Apache is using) using "visudo"
    by adding

    Code:
    www-data localhost=NOPASSWD: /usr/bin/service
    I wanted to write a script to automate the above process. I also wanted the www user to have access to only the "airtime-media-monitor" service with the "status" option only, and not the whole service command.

    So the question is: how do I add the one service and switch only?
    Last edited by charm_quark; April 7th, 2013 at 09:58 AM.

  2. #2
    Join Date
    Feb 2005
    Location
    Melbourne, Australia
    Beans
    13,510
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: add www user into sudoers list and service command

    Allowing the Apache account sudo rights is a crazy security breach. It will allow your whole system to be controlled by someone who manages to hack your web server.
    Regards, David.

  3. #3
    Join Date
    Jul 2011
    Location
    South-Africa
    Beans
    678
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: add www user into sudoers list and service command

    Hay,

    +1 For the post about security!!!!

    I would rather recommend the following, adding the command to the no-password-required section of the sudo list:
    See here for details:
    http://askubuntu.com/questions/15900...out-a-password

    Use the NOPASSWD directive

    You can use the NOPASSWD directive in your /etc/sudoers file.

    If your user is called user and your host is called host you could add these lines to /etc/sudoers:
    user host = (root) NOPASSWD: /sbin/shutdown
    user host = (root) NOPASSWD: /sbin/reboot

    This will allow the user user to run the desired commands on host without entering a password. All other sudoed commands will still require a password.

    Note! Use the command visudo to edit the sudoers file to make sure you do not lock yourself out of the system – just in case you accidentally write something incorrect to the sudoers file.
    Please remember this is VERY dangerous and you should rather go about it in another way.

    May I suggest running a timed script to redirect the output of the command to a file, and read the file from the webpage. If you are just "monitoring" (aka you are not interacting with) the above command, such a route will be much safer!

    Regards
    Switched away from windows XP to Ubuntu 9.04. Never turned around to look back.

  4. #4
    Join Date
    Aug 2009
    Location
    botswana
    Beans
    26
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: add www user into sudoers list and service command

    Quote Originally Posted by dcstar View Post
    Allowing the Apache account sudo rights is a crazy security breach. It will allow your whole system to be controlled by someone who manages to hack your web server.
    That is why I wanted to give "www" access to only one service and one switch, without giving access to the rest of the commands. Is that still a security hole?

    Quote Originally Posted by zero2xiii View Post
    Hay,

    +1 For the post about security!!!!

    I would rather recommend the following, adding the command to the no-password-required section of the sudo list:
    See here for details:
    http://askubuntu.com/questions/15900...out-a-password



    Please remember this is VERY dangerous and you should rather go about it in another way.

    May I suggest running a timed script to redirect the output of the command to a file, and read the file from the webpage. If you are just "monitoring" (aka you are not interacting with) the above command, such a route will be much safer!

    Regards
    Well, yes, I am just monitoring the application and I can write a script instead; the problem still is that I must sudo to get the information.

  5. #5
    Join Date
    Apr 2008
    Location
    LOCATION=/dev/random
    Beans
    5,767
    Distro
    Ubuntu Development Release

    Re: add www user into sudoers list and service command

    If you change the line that you added to your sudoers file to read...
    Code:
    www-data localhost=NOPASSWD: /usr/bin/service airtime-media-monitor status
    Then the www-data user will only be able to run the command 'sudo service airtime-media-monitor status' without being prompted for a passwd.

    However, I don't believe that you even need to do this as the 'service status' command shouldn't even need to be run as sudo.
    You need to use sudo with the service command if you are trying to start or stop a service, but just to get a status you can run the command as a normal user...
    Code:
    rob@raring:~$ service mysql status
    mysql start/running, process 26425
    rob@raring:~$
    Cheesemill
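
The restricted rule from post #5, generated and installed by a script as the original poster asked (an added example, not code from any poster in the thread). The drop-in file name, the `--install` switch and the `ALL=(root)` host/run-as fields are assumptions; the rule lists the exact arguments, so sudo permits only that one invocation.

```shell
#!/bin/sh
# Added example, not from the thread.
# Path as written in the thread; confirm it with `command -v service`,
# because sudo matches the full path of the real binary.
SERVICE_BIN=/usr/bin/service

# sudoers_rule USER SERVICE ACTION -> prints one sudoers line.
# Tokens are restricted to [A-Za-z0-9_-] so that no wildcard, comma or
# space can widen the rule beyond the single intended command.
sudoers_rule() {
    for word in "$1" "$2" "$3"; do
        case $word in
            ''|*[!A-Za-z0-9_-]*)
                echo "refusing unsafe token: '$word'" >&2
                return 1 ;;
        esac
    done
    printf '%s ALL=(root) NOPASSWD: %s %s %s\n' "$1" "$SERVICE_BIN" "$2" "$3"
}

# install_rule DEST USER SERVICE ACTION
# Writes the rule to a temp file, syntax-checks it with visudo and only
# then installs it read-only, so a bad rule never reaches sudoers.d.
install_rule() {
    dest=$1; shift
    tmp=$(mktemp) || return 1
    rc=1
    if sudoers_rule "$@" >"$tmp" && visudo -cf "$tmp" >/dev/null; then
        install -m 0440 "$tmp" "$dest" && rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# Run as root with --install; the file name is an assumption
# (names in /etc/sudoers.d must not contain a dot).
if [ "${1:-}" = "--install" ]; then
    install_rule /etc/sudoers.d/airtime-status \
        www-data airtime-media-monitor status
fi
```

Afterwards `sudo -l -U www-data` should list only that one command.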

  6. #6
    Join Date
    Aug 2009
    Location
    botswana
    Beans
    26
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: add www user into sudoers list and service command

    Unfortunately, it does not run without "sudo". I'm assuming that is because it gets other information from different services: the memory/processor usage, log information, etc.

    thanks
    Last edited by charm_quark; April 7th, 2013 at 01:06 PM.

  7. #7
    Join Date
    Dec 2009
    Location
    germany
    Beans
    1,020
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: add www user into sudoers list and service command

    hi
    if you ain't want to call your command without sudo.
    follow the instructions of Cheesemill and then:
    alias service='sudo /usr/bin/service'
    try: type service ---> service ist ein Alias von `sudo /usr/bin/service'
    and you get rid of your sudo
    ciao
    "What is the robbing of a bank compared to the FOUNDING of a bank?" Berthold Brecht

  8. #8
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    12,966
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: add www user into sudoers list and service command

    Quote Originally Posted by zero2xiii View Post
    May I suggest running a timed script to redirect the output of the command to a file, and read the file from the webpage. If you are just "monitoring" (aka you are not interacting with) the above command, such a route will be much safer!
    +100 for this method

    Create an entry in root's crontab that runs the command and directs the output to a file in /var/www. (Use "sudo crontab -e" for this task. If you have a preferred editor like nano, type the command "export EDITOR=nano" before running crontab.) Do not give the Apache server process root privileges, especially if this is a machine that is visible over the Internet.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users
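
The root-crontab approach from post #8, as an added example that is not part of anyone's post. The script path, the output file name and the `--run` switch are assumptions; the file is replaced atomically, so the web page never reads a half-written status and Apache needs no extra privileges.

```shell
#!/bin/sh
# Added example, not from the thread. Entry for root's crontab
# ("sudo crontab -e"), assuming the script is saved under this path:
#   * * * * * /usr/local/sbin/publish-status.sh --run

# publish_status OUTFILE COMMAND [ARGS...]
# Runs COMMAND as the calling user (root under cron), captures its
# output plus exit code and a UTC timestamp, then renames the result
# into place so readers only ever see a complete file.
publish_status() {
    out=$1; shift
    dir=$(dirname "$out")
    # temp file in the same directory so that mv is an atomic rename
    tmp=$(mktemp "$dir/.status.XXXXXX") || return 1
    rc=0
    "$@" >"$tmp" 2>&1 || rc=$?
    printf 'exit=%s checked=%s\n' "$rc" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$tmp"
    # mktemp creates the file 0600; the web server only needs to read it
    if chmod 644 "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

if [ "${1:-}" = "--run" ]; then
    # output file name under /var/www is an assumption
    publish_status /var/www/airtime-status.txt \
        service airtime-media-monitor status
fi
```

The page can show the `checked=` timestamp so readers see how old the status is.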

  9. #9
    Join Date
    Aug 2009
    Location
    botswana
    Beans
    26
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: add www user into sudoers list and service command

    @SeijiSensei :

    Well, I can't put it in the crontab, as the information is on a request basis, so if I put it in the crontab, the information might be a little old (I'm building an API)... that is why I am having the debate of how best to solve the problem, of giving access or not to www... or if there is another way in PHP maybe...


    @rnerwein:

    The problem is not with the typing of sudo, as it will be part of either the script or PHP code that will run on calling it, but how to call it; the thing is I want to have as little as possible alteration of the system.

  10. #10
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    12,966
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: add www user into sudoers list and service command

    Why cannot it be a little old? How old is "old"? Crontab scripts can run as often as once per minute; isn't that frequently enough?
