
sudo from Apache

by Anonymous Monk
on Sep 01, 2011 at 20:40 UTC
Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi All!

This would be more of a Unix question rather than Perl, but I'm sure the Monks will be able to help :o)

I have a webpage that needs to mount and unmount a drive. The drive is being mounted as username "www-data". I can only unmount with sudo: "sudo umount *drive*". I do have sudo umount privileges on a username other than "www-data". I do not know the password for "www-data", nor am I sure that it would actually have the privileges to unmount as itself.

Being on a web page, is there a way for me to say: I want to unmount this drive as if I was trying to sudo as "other_username" and not "www-data"? "sudo -u other_username umount *drive*" doesn't work, because it tries to unmount as other_username - it needs to unmount as "root" but providing "other_username"'s credentials.

As a side note, if I get into the box as "other_username" I am able to "sudo umount" the drives that were mounted as "www-data" with no issues.

Please let me know if you see any kind of workarounds for me to be able to unmount from a webpage, or if it's mandatory to find out the password for "www-data".

Re: sudo from Apache
by pvaldes (Chaplain) on Sep 01, 2011 at 21:27 UTC
    "nor am I sure that it would actually have the privileges to unmount as itself."

    If www-data can mount a drive, it can also umount this drive (unless someone has mounted another partition over it).

    "I want to unmount this drive as if I was trying to sudo as "other_username" and not "www-data"?"

    Nonsense. This should never happen. What do you have in /etc/fstab?

    "it's mandatory to find out the password for "www-data""

    No, if you are root you can simply change it.

Re: sudo from Apache
by pvaldes (Chaplain) on Sep 01, 2011 at 22:01 UTC

    If you are the boss (root) change the password (and maybe upgrade the scripts calling or sending the encrypted old password if necessary). That's the short story.

    The long story is that I just realized that under some circumstances you could do what you want by carefully tuning sudoers (with visudo).

    I merely think that's possible, but I've never tested it, and it depends on your case (i.e. what is in your fstab) and also on whether adding "your_other_user" to the group www-data would be a wise step in your scenario. Think about this carefully because this could be a security hole.

    You probably don't want or need to mess with this, but it's another way. Read man sudoers.

Re: sudo from Apache
by choroba (Abbot) on Sep 02, 2011 at 08:44 UTC
    It might be impossible to find a password for www-data, because it is often a "pseudo-user" with no password that runs a web server. Only a privileged user can sudo to this user. Setting a password for such a user is a security risk.

      You don't need a password for www-data. sudo can be configured to allow one or more users to run one or more commands without any password. See the sudo documentation, especially man 5 sudoers.

      A line from my /etc/sudoers file, allowing every user to run the two scripts /service/fetchmail/wake and /service/fetchmail/status:

      %users ALL = NOPASSWD: /service/fetchmail/wake,/service/fetchmail/status

      Replace %users with www-data and only the user www-data is able to run the scripts.

      Replace the script names with some other script names and obviously, the other scripts can be executed without entering a password.

      Combine both and www-data can run a mount script and a umount script that call the mount and umount commands with fixed parameters.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
Re: sudo from Apache
by pemungkah (Priest) on Sep 02, 2011 at 20:20 UTC
    Are you able to edit sudoers? Can you add an entry to allow www-data to do the umount/mount?

    If not, have a daemon running as the user that can umount/mount and have the webserver process either connect to it via Unix sockets, or use a semaphore file in /tmp to indicate when a mount/umount is required.

Re: sudo from Apache
by Mushka (Acolyte) on Sep 16, 2011 at 15:37 UTC
    Everybody, thank you very-very much!! Very helpful comments!!

    I do not have root access and can't even cat /etc/sudoers.

    After reading afoken's comment, I tried running "sudo umount" without providing a password and got "sudo password for www-data: sudo: pam_authenticate: Conversation error", which tells me that /etc/sudoers is currently not set up to allow umount from www-data with no password.

    I will give the instructions to appropriate people to add www-data to /etc/sudoers with no pass.

    If all else fails, I will go with pemungkah's suggestion to use a semaphore and umount via another script.

    Again, thank you so much for all your answers!
Re: sudo from Apache
by Mushka (Acolyte) on Sep 19, 2011 at 13:46 UTC
    Thank you all again! Here's the line that we added to /etc/sudoers, and it worked like a charm:

    www-data ALL = NOPASSWD: /bin/umount,/sbin/umount.cifs,/usr/bin/smbumount
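
The wrapper-script approach from Alexander's reply, applied to the rule in the last post, as an added example that is not part of the original thread: the sudoers line above lets www-data run umount as root with any arguments, whereas a root-owned wrapper limits it to named mount points. The script path, share names and mount points are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a root-owned wrapper that www-data runs
# through sudo instead of being granted /bin/umount itself.
# Hypothetical install path: /usr/local/sbin/www-umount (owner root, mode 0755,
# not writable by www-data).
# Matching sudoers entry, edited with visudo:
#   www-data ALL = (root) NOPASSWD: /usr/local/sbin/www-umount
PATH=/usr/sbin:/usr/bin:/sbin:/bin   # fixed PATH, not the caller's
export PATH

# Map a share name to its fixed mount point. Names and paths are constructed
# sample values; anything not listed is rejected, so the web application can
# never pass a path or an option through to umount.
resolve_mount_point() {
    case "$1" in
        reports) printf '%s\n' /mnt/shares/reports ;;
        uploads) printf '%s\n' /mnt/shares/uploads ;;
        *)       return 1 ;;
    esac
}

main() {
    if [ "$#" -ne 1 ]; then
        echo "usage: www-umount <share-name>" >&2
        return 64
    fi
    target=$(resolve_mount_point "$1") || {
        echo "www-umount: share not allowed: $1" >&2
        return 65
    }
    # Record who asked for the unmount (sudo sets SUDO_USER).
    logger -t www-umount "user=${SUDO_USER:-unknown} umount $target"
    exec umount "$target"
}

# Run only when called with arguments, so the file can also be sourced
# to check resolve_mount_point without unmounting anything.
[ "$#" -eq 0 ] || main "$@"
```

From the CGI script the call is then `sudo /usr/local/sbin/www-umount reports`, passed as an argument list rather than through a shell.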
