[nycphp-talk] SSH2_CONNECT

CED consult at covenantedesign.com
Fri Jul 31 20:39:12 EDT 2009


I'll take the bait...

No, you most certainly shouldn't do this at all. Adjusting the defaults 
to sudoers is a big no-no.

Whatever it is you are doing, the need to become root is far different 
than Ken's example of becoming Ken.

The reason that you can't make this work properly has everything to do 
with 'REAL' tty sessions, which you aren't going to have.

Root cannot be allowed to be running around without a properly bound 
TTY, for various auditing reasons.

However, in the spirit of this list:

Defaults:root !requiretty
Defaults:nobody !requiretty

Play VERY carefully.

-Ed


Kenneth Dombrowski wrote:
> On 09-07-30 17:05 -0400, Ajai Khattri wrote:
>   
>> Most probably your PHP script will be running under the same username as 
>> Apache (i.e. www or nobody) so sudo wouldn't work anyway. (And you 
>> wouldn't want to give www or nobody sudo privilege anyway!).
>>     
>
> All this talk about sudo not working made me curious -- why shouldn't it
> work?  It will, and a well configured sudo offers a very fine level of
> control -- though whether one wants to do it is another question
>
> # visudo
> Defaults:www-data       !lecture
> Defaults:www-data       !authenticate
> www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache 
>
> The first two lines get rid of sudo's usual prompts, since it will never
> run interactively, & the last specifies a single command + argument
> www-data is allowed to run as kenneth (you can use shell-style globs) 
>
> # sudo.php
> <?php
> header('Content-type: text/plain');
> $f = '/tmp/sudoer.apache';
> system("sudo -u kenneth /usr/bin/touch $f");
> print "\n$f exists? " . (bool) file_exists($f);
>
> kenneth at gilgamesh:~$ elinks --dump http://localhost/tmp/sudo.php
>    /tmp/sudoer.apache exists? 1
> kenneth at gilgamesh:~$ ls -l /tmp/sudoer.apache 
> -rw-r--r-- 1 kenneth kenneth 0 2009-07-30 19:52 /tmp/sudoer.apache
>
> So on Debian, www-data successfully created a file as kenneth.  On FreeBSD
> I think www/nobody/whatever has a /bin/false shell, so there it won't
> work.  Of course, you shouldn't do it on shared hosts, and I'm sure
> somebody will tell me you shouldn't do it at all, but it's not due to a
> technical limitation.
>


-- 
995 Maple Hill Road
Castleton, New York 12033
518-331-5061
Consult at CovenanteDesign.com
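The sudoers settings discussed in this thread (Ken's single-command rule for www-data, and the `!requiretty` and `!authenticate` Defaults lines) are the kind of change worth auditing before it lands on a box. The script below is an added example for this archive page, not code from either poster or from NYPHP: it parses a sudoers-style fragment and flags the settings that widen what a web-server account can do, while reporting a rule scoped like Ken's as OK. The sample fragment, the `WEB_ACCOUNTS` list and the severity labels are constructed assumptions for illustration; `visudo -c` remains the authoritative syntax check.

```python
"""Audit a sudoers fragment for settings that widen a web account's reach.

Added example for the nycphp-talk thread; the sample text, account list and
severity labels below are this script's own assumptions, not a real host's.
"""
import re

# Assumption: service accounts a PHP script typically runs as (extend per host).
WEB_ACCOUNTS = {"www-data", "www", "nobody", "apache", "httpd"}

# Constructed fragment: Ken's tightly scoped rule, Ed's !requiretty lines,
# and one deliberately over-broad rule for contrast.
SAMPLE_SUDOERS = """\
# constructed sample, not a real host's sudoers
Defaults:www-data       !lecture
Defaults:www-data       !authenticate
www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache
Defaults:root !requiretty
Defaults:nobody !requiretty
nobody ALL = (root) NOPASSWD: ALL
"""

DEFAULTS_RE = re.compile(r"^Defaults(?::(\S+))?\s+(.+)$")
# user host = (runas) [TAG:] command [args]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\((\S+)\)\s*)?(.+)$")
TAG_RE = re.compile(r"^((?:[A-Z]+:\s*)+)")


def parse_sudoers(text):
    """Return one dict per Defaults line or user specification (comments skipped)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            entries.append({"kind": "defaults", "line": lineno, "scope": m.group(1),
                            "flags": [f.strip() for f in m.group(2).split(",")]})
            continue
        m = RULE_RE.match(line)
        if m:
            user, host, runas, rest = m.groups()
            tags = TAG_RE.match(rest)
            taglist = [t.strip() for t in tags.group(1).split(":") if t.strip()] if tags else []
            command = rest[tags.end():].strip() if tags else rest.strip()
            # sudo runs the command as root when no (runas) list is given
            entries.append({"kind": "rule", "line": lineno, "user": user, "host": host,
                            "runas": runas or "root", "tags": taglist, "command": command})
    return entries


def audit_sudoers(text):
    """Return (line, severity, message) findings.

    OK marks a rule as tight as the thread's example: one command with fixed
    arguments, run as a non-root user.
    """
    findings = []
    for e in parse_sudoers(text):
        if e["kind"] == "defaults":
            who = e["scope"] or "all users"
            for flag in e["flags"]:
                if flag == "!requiretty":
                    sev = "HIGH" if e["scope"] in (None, "root") else "MEDIUM"
                    findings.append((e["line"], sev,
                                     f"requiretty disabled for {who}: commands run without a bound tty"))
                elif flag == "!authenticate":
                    findings.append((e["line"], "MEDIUM",
                                     f"authenticate disabled for {who}: no password check on sudo"))
            continue
        user, runas, cmd = e["user"], e["runas"], e["command"]
        web = user in WEB_ACCOUNTS or user == "ALL"
        if cmd == "ALL":
            findings.append((e["line"], "HIGH", f"{user} may run any command as {runas}"))
        elif web and runas in ("root", "ALL"):
            findings.append((e["line"], "HIGH", f"web account {user} may run {cmd} as root"))
        elif web and (len(cmd.split()) == 1 or "*" in cmd):
            # a bare command in sudoers accepts any arguments; globs widen it too
            findings.append((e["line"], "MEDIUM", f"{user}: {cmd} allows unrestricted or wildcard arguments"))
        elif web:
            findings.append((e["line"], "OK", f"{user}: single fixed command {cmd} as {runas}"))
    return findings


if __name__ == "__main__":
    for line, sev, msg in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {line}: {sev:6} {msg}")
```

Running it against the constructed fragment reports Ken's rule as OK, the `!authenticate` line as MEDIUM (expected for a non-interactive caller, but worth recording), the root `!requiretty` line as HIGH, and the `(root) NOPASSWD: ALL` rule as HIGH. Feed it the real file with `parse_sudoers(open("/etc/sudoers").read())` only after `visudo -c` has accepted the syntax, since this parser handles the simple forms shown in the thread and not aliases or line continuations.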
