sudo from Apache

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi All!

This would be more of a Unix question rather than Perl, but im sure the Monks will be able to help :o)

I have a webpage that needs to mount and unmount a drive. The drive is being mounted as username "www-data". I can only unmount with sudo: "sudo umount *drive*". I do have sudo umount privileges on a username other than "www-data". I do not know the password for "www-data", nor am i sure that it would actually have the privileges to unmount as itself.

Being on a web page, is there a way for me to say: i want to unmount this drive as if i was trying to sudo as "other_username" and not "www-data"? "sudo -u other_username umount *drive*" doesnt work, because it tries to unmount as other_username - it needs to unmount as "root" but providing "other_username"'s credentials.

As a side note, if i get into the box as "other_username" i am able to "sudo umount" the drives that were mounted as "www-data" with no issues.

Please let me know if you see any kind of workarounds for me to be able to unmount from a webpage, or if it's mandatory to find out the password for "www-data".

Comment on sudo from Apache

Replies are listed 'Best First'.
Re: sudo from Apache by choroba (Cardinal) on Sep 02, 2011 at 08:44 UTC
It might be impossible to find a password for www-data, because it is often a "pseudo-user" with no password that runs a web server. Only a privileged user can sudo to this user. Setting a password for such a user is a security risk.	[reply]
Re^2: sudo from Apache by afoken (Chancellor) on Sep 03, 2011 at 07:34 UTC
You don't need a password for www-data. sudo can be configured to allow one or more users to run one or more commands without any password. See the sudo documentation, especially `man 5 sudoers`. A line from my /etc/sudoers file, allowing every user to run the two scripts /service/fetchmail/wake and /service/fetchmail/status: `%users ALL = NOPASSWD: /service/fetchmail/wake,/service/fetchmail/sta +tus` [download] Replace `%users` with `www-data` and only the user www-data is able to run the scripts. Replace the script names with some other script names and obviously, the other scripts can be executed without entering a password. Combine both and www-data can run a mount script and a umount script that call the `mount` and `umount` commands with fixed parameters. Alexander -- Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)	[reply] [d/l] [select]
Re: sudo from Apache by pvaldes (Chaplain) on Sep 01, 2011 at 21:27 UTC
`"nor am i sure that it would actually have the privileges to unmount as itself."` if www-data can mount a drive, can umount this drive also (unless someone have mounted other partition over this) `"I want to unmount this drive as if i was trying to sudo as "other_username" and not "www-data"?"` Nonsense. This should never happen. What do you have in /etc/fstat? `it's mandatory to find out the password for "www-data"` Not, if you are root you can simply change it	[reply] [d/l] [select]
Re: sudo from Apache by pvaldes (Chaplain) on Sep 01, 2011 at 22:01 UTC
If you are the boss (root) change the password (and maybe upgrade the scripts calling or sending the encrypted old password if necessary). That's the short story The long story is that I just realize that under some circumstances you could do what you want, tunning carefully sudoers (with visudo). I merely think that's possible, but I'm never tested it and it depends on your case (ie: what is in your fstab) and also depends on if to add "your_other_user" to the group www-data could be a wise step or not in your scenery. Think about this carefully cause this could be a security hole You probably don't want or need to mess with this, but it's another way. read man sudoers	[reply]
Re: sudo from Apache by Mushka (Acolyte) on Sep 16, 2011 at 15:37 UTC
Everybody, thank you very-very much!! Very helpful comments!! I do not have root access and cant even cat /etc/sudoers. After reading afoken's comment, I tried running "sudo umount" without providing a password and got "sudo password for www-data: sudo: pam_authenticate: Conversation error", which tells me that /etc/sudoers is currently not set up to allow umount from www-data with no password. I will give the instructions to appropriate people to add www-data to /etc/sudoers with no pass. If all else fails, i will go with pemungkah's suggestion to use a semaphore and umount via another script. Again, thank you so much for all your answers!	[reply]
Re: sudo from Apache by Mushka (Acolyte) on Sep 19, 2011 at 13:46 UTC
Thank you all again! Here's the line that we added to /etc/sudoers, and it worked like a charm: `www-data ALL = NOPASSWD: /bin/umount,/sbin/umount.cifs,/usr/bin/smbumount`	[reply] [d/l]
Re: sudo from Apache by pemungkah (Priest) on Sep 02, 2011 at 20:20 UTC
Are you able to edit sudoers? Can you add an entry to allow www-data to do the umount/mount? If not, have a daemon running as the user that can umount/mount and have the webserver process either connect to it via Unix sockets, or use a semaphore file in `/tmp` to indicate when a mount/umount is required.	[reply]


XP is just a number
	PerlMonks