2

Basically I am trying to restart a service from a php web page.

Here is the code:

<?php
exec ('/usr/bin/sudo /etc/init.d/portmap restart');
?>

But, in /var/log/httpd/error_log, I get

unable to change to sudoers gid: Operation not permitted

and in /var/log/messages, I get

Sep 22 15:01:56 ri kernel: audit(1222063316.536:777): avc: denied { getattr } for pid=4851 comm="sh" name="var" dev=dm-0 ino=114241 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Sep 22 15:01:56 ri kernel: audit(1222063316.549:778): avc: denied { setrlimit } for pid=4851 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Sep 22 15:01:56 ri kernel: audit(1222063316.565:779): avc: denied { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Sep 22 15:01:56 ri kernel: audit(1222063316.568:780): avc: denied { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Sep 22 15:01:56 ri kernel: audit(1222063316.571:781): avc: denied { setgid } for pid=4851 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 22 15:01:56 ri kernel: audit(1222063316.574:782): avc: denied { setuid } for pid=4851 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 22 15:01:56 ri kernel: audit(1222063316.577:783): avc: denied { setgid } for pid=4851 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability

In my visudo, I added those lines

User_Alias WWW=apache

WWW ALL=(ALL) NOPASSWD:ALL

Can you please help me ? Am I doing something wrong ?

Thanks for your help,

tiBoun

4 Answers4

11

The problem is not with sudo at the moment, but with SELinux, which is (reasonably) set to deny the HTTPD from gaining root privileges.
You will need to either explicitly allow this (you can use audit2allow for this), or set SELinux to be permissive instead. I'd suggest the former.

Hasturkun
  • 35,395
  • 6
  • 71
  • 104
  • 1
    Thank you so much, it's working now ! Just had to disable SELinux in /etc/selinux/config and change to SELINUX=disabled. Cheers, tiBoun –  Sep 22 '08 at 08:40
5

The error you are getting seems to be related to your SELinux configuration. You might try temporarily disabling that.

As an aside, I would strongly suggest that you adjust your sudo configuration to be more restrictive. 

User_Alias WWW=apache
Cmnd_Alias WEBCMDS=/etc/init.d/portmap
WWW ALL=NOPASSWD: WEBCMDS
Zoredache
  • 37,543
  • 7
  • 45
  • 61
  • Thanks for the advise, I am currently just testing, of course for security reason, I will slim down the available commands. Cheers ;D tiBoun –  Sep 22 '08 at 08:39
1

I encountered the problem recently and the accepted answer above helped. However, I would like to post this answer to elaborate the same, so that the next person does not need to spend time much, like me!

Follow section 7 of the following link: https://wiki.centos.org/HowTos/SELinux.

Do grep with httpd_sys_script_t.

Basically the steps are:

# grep httpd_sys_script_t /var/log/audit/audit.log | audit2allow -M httpdallowsudo
# semodule -i httpdallowsudo.pp
Soumya Kanti
  • 1,429
  • 1
  • 17
  • 28
-3

This is probably down to something like trying to execute sudo in a non-interactive shell.

If you do a grep for 'sudo' in your apache users mail log you might find things like this

sudo: sorry, you must have a tty to run sudo

flungabunga
  • 390
  • 2
  • 9