[nycphp-talk] SSH2_CONNECT

Michele Waldman mmwaldman at nyc.rr.com
Fri Jul 31 20:26:32 EDT 2009


Thank you.

sudo: sorry, you must have a tty to run sudo

I don't know how to resolve this.

Michele

> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
> On Behalf Of Leam Hall
> Sent: Friday, July 31, 2009 8:22 PM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] SSH2_CONNECT
> 
> Drat! That's my favorite reading.  :)
> 
> Couple more ideas, based on an OS perspective. If it's a PHPism, I'm not
> so good...
> 
> If the copy_sites program is a script and not a binary, edit it early on
> to create a temporary file. For example, put in a line like "echo guido >
> /tmp/woo-hoo". See if it writes it. If so, then it's choking on the
> script. If not, then it's not getting to the script.
> 
> Also, have it echo $id to a temp file to make sure the variable
> substitution is happening correctly.
> 
> Hope that helps.
> 
> Leam
> 
> Michele Waldman wrote:
> > I didn't see anything in /var/log/messages.
> >
> > Michele
> >
> >> -----Original Message-----
> >> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
> >> On Behalf Of Leam Hall
> >> Sent: Friday, July 31, 2009 7:58 PM
> >> To: NYPHP Talk
> >> Subject: Re: [nycphp-talk] SSH2_CONNECT
> >>
> >> Hey Michele.
> >>
> >> Can you edit /etc/sudoers? You might be able to give it the NOPASSWD
> >> option, to at least shorten it a bit.
> >>
> >> Can you read /var/log/messages and the web server log to see if they say
> >> anything?
> >>
> >> Leam
> >>
> >> Michele Waldman wrote:
> >>> So I rewrote the code in bash due to my client's concern about bandwidth.
> >>> Here's my new problem:
> >>> $msg = exec("echo $password | sudo /home/user/site_util/copy_sites $id 2> /dev/null");
> >>>
> >>> The script isn't running.
> >>>
> >>> Since it's running from http, I modified the user nobody to have /bin/bash
> >>> in /etc/passwd and gave the user a password.
> >>>
> >>> I can log in to the server as nobody and run this code on the command line.
> >>> Works fine.
> >>>
> >>> Does anyone know why this execute isn't working in php?
> >>>
> >>> Michele
> >>>
> >>>> -----Original Message-----
> >>>> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
> >>>> On Behalf Of Kenneth Dombrowski
> >>>> Sent: Friday, July 31, 2009 7:33 AM
> >>>> To: NYPHP Talk
> >>>> Subject: Re: [nycphp-talk] SSH2_CONNECT
> >>>>
> >>>> On 09-07-30 17:05 -0400, Ajai Khattri wrote:
> >>>>> Most probably your PHP script will be running under the same username as
> >>>>> Apache (i.e. www or nobody) so sudo wouldn't work anyway. (And you
> >>>>> wouldn't want to give www or nobody sudo privilege anyway!).
> >>>> All this talk about sudo not working made me curious -- why shouldn't it
> >>>> work?  It will, and a well configured sudo offers a very fine level of
> >>>> control -- though whether one wants to do it is another question
> >>>>
> >>>> # visudo
> >>>> Defaults:www-data       !lecture
> >>>> Defaults:www-data       !authenticate
> >>>> www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache
> >>>>
> >>>> The first two lines get rid of sudo's usual prompts, since it will never
> >>>> run interactively, & the last specifies a single command + argument
> >>>> www-data is allowed to run as kenneth (you can use shell-style globs)
> >>>>
> >>>> # sudo.php
> >>>> <?php
> >>>> header('Content-type: text/plain');
> >>>> $f = '/tmp/sudoer.apache';
> >>>> system("sudo -u kenneth /usr/bin/touch $f");
> >>>> print "\n$f exists? " . (bool) file_exists($f);
> >>>>
> >>>> kenneth at gilgamesh:~$ elinks --dump http://localhost/tmp/sudo.php
> >>>>    /tmp/sudoer.apache exists? 1
> >>>> kenneth at gilgamesh:~$ ls -l /tmp/sudoer.apache
> >>>> -rw-r--r-- 1 kenneth kenneth 0 2009-07-30 19:52 /tmp/sudoer.apache
> >>>>
> >>>> So on debian, www-data successfully created a file as kenneth.  On FreeBSD
> >>>> I think www/nobody/whatever has a /bin/false shell, so there it won't
> >>>> work.  Of course, you shouldn't do it on shared hosts, and I'm sure
> >>>> somebody will tell me you shouldn't do it at all, but it's not due to a
> >>>> technical limitation
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> New York PHP User Group Community Talk Mailing List
> >>>> http://lists.nyphp.org/mailman/listinfo/talk
> >>>>
> >>>> http://www.nyphp.org/show_participation.php
> >
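Added example (not code from anyone in the thread): a validating wrapper in the spirit of the copy_sites script Michele is calling from PHP, written so it can be the single NOPASSWD command the web user is allowed through sudo. It also carries the sudoers lines that clear the "you must have a tty to run sudo" error (the requiretty default on RHEL/CentOS) and let the "echo $password |" pipe go away. The install path /usr/local/sbin/copy_sites, the target user siteowner, the SRC_ROOT/DST_ROOT defaults and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. A validating wrapper in the spirit
# of the copy_sites script described above, intended to be the only command
# the web user may run through sudo. Paths and user names are assumptions.
#
# Matching sudoers entries (edit with visudo; "nobody" is the web user in the
# thread, /usr/local/sbin/copy_sites the assumed install path):
#
#   Defaults:nobody !requiretty
#   Defaults:nobody !lecture
#   nobody ALL = (siteowner) NOPASSWD: /usr/local/sbin/copy_sites
#
# !requiretty clears "sorry, you must have a tty to run sudo" (RHEL/CentOS set
# "Defaults requiretty" globally). NOPASSWD removes the need for the
# "echo $password |" pipe, so no password lives in the PHP source, the process
# list or the web server's environment. The PHP side then becomes:
#   exec('sudo -n -u siteowner /usr/local/sbin/copy_sites ' . escapeshellarg($id));
# with -n making sudo fail instead of hang if it ever does want a password.
set -eu

# A site id may only contain [A-Za-z0-9_-] and be 1..32 characters long.
# Spaces, quotes, "..", "/" and shell metacharacters are rejected before they
# reach cp, so a hostile $id from the web form can neither escape SRC_ROOT
# nor inject a command.
valid_site_id() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]* ) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# copy_site SRC_ROOT DST_ROOT ID: copy SRC_ROOT/ID into DST_ROOT/.
# Returns 1 on a bad id or a missing source directory and never touches
# anything outside the two roots.
copy_site() {
    src_root=$1; dst_root=$2; id=$3
    valid_site_id "$id" || { echo "copy_sites: invalid site id" >&2; return 1; }
    src="$src_root/$id"
    [ -d "$src" ] || { echo "copy_sites: no such site: $id" >&2; return 1; }
    mkdir -p "$dst_root"
    cp -R "$src" "$dst_root/"
}

# Entry point when installed as "copy_sites": usage is "copy_sites ID".
# SRC_ROOT/DST_ROOT defaults are assumptions for the example.
if [ "${0##*/}" = "copy_sites" ]; then
    [ $# -eq 1 ] || { echo "usage: copy_sites ID" >&2; exit 2; }
    copy_site "${SRC_ROOT:-/home/user/sites}" "${DST_ROOT:-/var/www/sites}" "$1"
fi
```

The point of validating inside the script rather than only in PHP is that sudoers grants the command to the web user as a whole: whatever can run as nobody (a second PHP file, a compromised upload) gets the same grant, so the script itself has to be safe on any argument. Giving nobody a login shell and a password, as in the thread, is not needed for this: sudo runs the command directly and does not consult /etc/passwd for a shell.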