如何对其他用户进行sudo或su作为www-data
[英]How to sudo or su to other user as www-data
问题描述
I am trying to set up a webpage that runs scripts. 
我试图建立一个运行脚本的网页。 The thing is, these scripts must be run using another user. 事实是,这些脚本必须使用其他用户运行。 It is not a permissions issue, I can physically run the scripts as www-data but the scripts rely on a whole framework and environment variables set by the user. 这不是权限问题,我可以将脚本实际作为www-data运行,但是脚本依赖于用户设置的整个框架和环境变量。
I am hoping to sudo or su to the user and run the scripts after. 我希望对用户使用sudo或su并在之后运行脚本。
The webpage calls a php file that runs: 该网页会调用一个运行的php文件:
$cmd1 = "sudo login -f otheruser";
$cmd2 = "whoami";
echo exec(escapeshellcmd($cmd1), $output, $status);
foreach($output as $line) echo "$line\n";
echo exec(escapeshellcmd($cmd2), $output, $status);
foreach($output as $line) echo "$line\n";
I have tried using both "sudo login -f otheruser" and "su - otheruser" and I set it so logins from www-data to otheruser don't require a password (/etc/pam.d/su) 我尝试同时使用“ sudo login -f otheruser”和“ su-otheruser”,并且进行了设置,因此从www-data登录到otheruser不需要密码(/etc/pam.d/su)
The first command returns nothing, the second one returns: www-data so evidently it is not logging into the otheruser. 第一个命令什么都不返回,第二个命令返回:www-data,因此显然它没有登录到另一个用户。
Any ideas on how this can be done, or alternatives of how I can run scripts as another user? 关于如何完成此操作的任何想法,或者如何以其他用户身份运行脚本的替代方法?
1 个解决方案
解决方案1
0 2018-11-01 23:56:53
EDIT: So after looking at this some more, it's because of a number of things. 编辑:所以在看了更多之后,这是由于许多原因。
First off, let me say that there is most likely a better solution than giving Apache HTTPD sudoers access. 首先,让我说,最有可能的解决方案是给Apache HTTPD sudoers访问权限。
Secondly, I'm going to make some assumptions that you're using some flavor of Ubuntu if your user is www-data . 其次,如果用户是www-data ,那么我将假设您使用的是某些Ubuntu版本。
So here's how to make it work... The first place I looked was the log files. 因此,这是使它工作的方法。我首先看的是日志文件。 journalctl -u apache2 -f to tail the httpd log file. journalctl -u apache2 -f httpd日志文件。 You'll see a lot of entries like this: 您会看到很多这样的条目:
Nov 02 15:27:17 ubuntu sudo[23541]: pam_unix(sudo:auth): conversation failed
Nov 02 15:27:17 ubuntu sudo[23541]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Nov 02 15:27:17 ubuntu sudo[23541]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/html ; USER=postgres ; COMMAND=/var/www/html/test2.sh
So let's first create a couple of files to test. 因此,让我们首先创建几个文件进行测试。 We're going to go into this with the mindset of securing this as much as possible. 我们将以尽可能确保这一点的思路来进行研究。 So I'll create two test files, one we want to give permission to execute and one we don't. 因此,我将创建两个测试文件,一个是我们要授予执行许可的文件,另一个是我们不需要的文件。
cd /var/www/html
echo -e "#\x21/bin/bash\necho \"Running command: \$0\"\n" | tee test.sh test2.sh
chown postgres:postgres test*.sh
chmod 700 test*.sh
Now we want to give the www-data user access to sudo . 现在,我们要授予www-data用户访问sudo权限。 However, we only want it to be able to execute the command /var/www/html/test.sh and not /var/www/html/test2.sh . 但是,我们只希望它能够执行命令/var/www/html/test.sh而不是/var/www/html/test2.sh 。 So let's create the following file: 因此,让我们创建以下文件:
www-data ALL=(ALL) NOPASSWD:/var/www/html/test.sh
echo 'www-data ALL=(ALL) NOPASSWD:/var/www/html/test.sh' > /etc/sudoers.d/www-data
I updated your sample PHP script a bit to give some more output: 我对示例PHP脚本进行了一些更新,以提供更多输出:
<?php
$cmd1 = "sudo -u postgres /var/www/html/test.sh";
$cmd2 = "sudo -u postgres /var/www/html/test2.sh";
$cmd3 = "whoami";
echo "Executing command 1: $cmd1\n";
exec(escapeshellcmd($cmd1), $output, $status);
foreach($output as $line) echo "$line\n";
unset($output);
echo "\nExecuting command 2: $cmd2\n";
exec(escapeshellcmd($cmd2), $output, $status);
foreach($output as $line) echo "$line\n";
unset($output);
echo "\nExecuting command 3: $cmd3\n";
exec(escapeshellcmd($cmd3), $output, $status);
foreach($output as $line) echo "$line\n";
?>
Now, I get the following: 现在,我得到以下信息:
$ curl localhost
Executing command 1: sudo -u postgres /var/www/html/test.sh
Running command: /var/www/html/test.sh
Executing command 2: sudo -u postgres /var/www/html/test2.sh
Executing command 3: whoami
www-data
Command 2 generates no output because the www-data user doesn't have permissions to execute it. 命令2不生成任何输出,因为www数据用户没有执行该输出的权限。 You should see the following in the log entry: 您应该在日志条目中看到以下内容:
Nov 02 15:27:17 ubuntu sudo[23541]: pam_unix(sudo:auth): conversation failed
Nov 02 15:27:17 ubuntu sudo[23541]: pam_unix(sudo:auth): auth could not identify password for [www-data]
Nov 02 15:27:17 ubuntu sudo[23541]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/html ; USER=postgres ; COMMAND=/var/www/html/test2.sh
Original Answer: 原始答案:
I used sudo su -c and I was able to get the expected output. 我使用sudo su -c能够获得预期的输出。 See the following: 请参阅以下内容:
$cmd1 = "sudo su -c 'whoami' postgres";
$cmd2 = "whoami";
echo exec(escapeshellcmd($cmd1), $output, $status);
foreach($output as $line) echo "$line\n";
echo exec(escapeshellcmd($cmd2), $output, $status);
foreach($output as $line) echo "$line\n";
Outputs 输出
$ ./test.php
postgrespostgres
myuserpostgres
myuser
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.