Calling sudo inside a script invoked with sudo prompts for a password even with NOPASSWD

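A PHP program I'm using (LConf) calls a script using sudo.

I have allowed the user apache to run the script, and tested it with sudo -u apache /usr/local/LConf/lconf_deploy.sh.

lconf_deploy.sh calls /usr/bin/sudo -u icinga /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v, and the system prompts for a password, but there is no problem with the lines called before or after this line.

After reading a lot (about requiretty and elsewhere on the internet) about what to do in this situation, I have disabled requiretty and used NOPASSWD for everything I can think of that affects this situation.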

    # cat /etc/sudoers | grep -v "#"
    Defaults always_set_home
    Defaults env_reset
    Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
    Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    root ALL=(ALL) ALL
    apache ALL = NOPASSWD: /usr/local/LConf/lconf_deploy.sh
    apache ALL = NOPASSWD: /usr/bin/sudo -u icinga /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
    apache ALL = NOPASSWD: /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
    icinga ALL = NOPASSWD: /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v

Is it possible to use sudo to switch user context (or whatever) while already "sudoing"?

If not, how can I work around this? Note that /usr/local/LConf/LConfExport.pl must be run as the user icinga.

Thanks,

Matt

[Update, with reference to mdpc's comment below]

    User_Alias LCONF=apache,icinga
    Defaults:LCONF !requiretty
    LCONF ALL=(icinga) NOPASSWD: /usr/local/LConf/LconfExport.pl -o /etc/icinga/lconf -v
    LCONF ALL= NOPASSWD: /usr/local/LConf/lconf_deploy.sh

Executing sudo -u apache /usr/local/LConf/lconf_deploy.sh still prompts for a password.

    # cat /usr/local/LConf/lconf_deploy.sh
    echo start of script
    /usr/bin/sudo -u icinga /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
    /etc/init.d/icinga reload
    # sudo -u apache /usr/local/LConf/lconf_deploy.sh
    start of script
    [sudo] password for apache:
    Running configuration check.../etc/init.d/icinga: line 111: /var/icinga/icinga.chk: Permission denied
    CONFIG ERROR! Reload aborted. See /var/icinga/icinga.chk for details.

Any assistance is appreciated.

This line:

    apache ALL = NOPASSWD: /usr/bin/sudo -u icinga /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v

will not work. It would call sudo as apache, and that's not right.

What you probably want is:

    apache ALL=(icinga) NOPASSWD: /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
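
Why the `(icinga)` Runas_Spec matters, as an added example that is not part of the original answer and is not sudo's own parser: a deliberately simplified matcher applied to the rules posted in the question and to the rule suggested above. The `check` function and the `QUESTION`/`ANSWER` samples are constructed here; host matching, wildcards, groups and Defaults are assumed away.

```python
import re

# Simplified model of sudoers user specifications, for illustration only.
# It handles single-line "who host = [(runas)] [NOPASSWD:] command" entries and
# User_Alias; host matching, wildcards, groups and Defaults are ignored.
SPEC = re.compile(r'^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?(NOPASSWD:\s*)?(.+)$')

def check(sudoers, user, runas, command):
    """Classify `sudo -u <runas> <command>` run by <user>:
    'nopasswd', 'passwd' or 'no-rule'."""
    aliases, result = {}, 'no-rule'
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith(('#', 'Defaults')):
            continue
        if line.startswith('User_Alias'):
            name, members = line[len('User_Alias'):].split('=', 1)
            aliases[name.strip()] = {m.strip() for m in members.split(',')}
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, runas_spec, nopasswd, cmd = m.groups()
        users = aliases.get(who, {who})
        # Without a "(user)" Runas_Spec the rule only covers running as root.
        targets = {t.strip() for t in (runas_spec or 'root').split(',')}
        if (user in users and (runas in targets or 'ALL' in targets)
                and cmd.strip() in (command, 'ALL')):
            result = 'nopasswd' if nopasswd else 'passwd'  # last match wins
    return result

EXPORT = '/usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v'

# Rules as posted in the question (Defaults lines omitted).
QUESTION = f"""
root ALL=(ALL) ALL
apache ALL = NOPASSWD: /usr/local/LConf/lconf_deploy.sh
apache ALL = NOPASSWD: /usr/bin/sudo -u icinga {EXPORT}
apache ALL = NOPASSWD: {EXPORT}
icinga ALL = NOPASSWD: {EXPORT}
"""
# The same file with the rule suggested in the answer appended.
ANSWER = QUESTION + f"apache ALL=(icinga) NOPASSWD: {EXPORT}\n"

if __name__ == '__main__':
    # What lconf_deploy.sh does when it runs as apache:
    print('question:', check(QUESTION, 'apache', 'icinga', EXPORT))  # no-rule
    print('answer:  ', check(ANSWER, 'apache', 'icinga', EXPORT))    # nopasswd
```

On a real host, `visudo -c` and `sudo -l -U apache` give the authoritative answer; this sketch only shows which rule shape covers the call made inside the script.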

Type

    su - apache

then

    /usr/local/LConf/lconf_deploy.sh

If the first command doesn't work, type:

    su - apache -s /bin/bash

    == mbrownnyc [266b4002@gateway] has joined ##linux
    -ChanServ- [##linux] Welcome to ##Linux! Can't speak? Please see http://linuxassist.net/irc on how to register or identify your nick. By joining this channel you agree to abide by the channel rules and guidelines stated on the official ##Linux website http://www.linuxassist.net/rules .
    <loomsen> there are different ways to solve this, but all of them are ugly and discouraged
    <loomsen> mbrownnyc, you could add apache to the icinga group, make that script ug+x and set a sticky bit
    <nb-ben> mbrownnyc, you should take a look at suEXEC for php
    <koala_man> mbrownnyc: works fine: http://pastebin.com/JhefHzCh
    <koala_man> mbrownnyc: I still think you're just confusing your users
    <koala_man> mbrownnyc: you add permissions for apache to run lconf_deploy as root, and then test using your icinga user
    <koala_man> to run it as apache

Solution:

    # cat /etc/passwd | grep icinga
    icinga:x:499:500:icinga:/var/icinga:/bin/false
    # cat /etc/passwd | grep apache
    apache:x:48:48:Apache:/var/www:/bin/false
    # grep -v "#" /etc/sudoers
    Defaults !requiretty
    Defaults !visiblepw
    Defaults always_set_home
    Defaults env_reset
    Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
    Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
    Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
    Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
    Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
    Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
    root ALL=(ALL) ALL
    User_Alias LCONF=apache,icinga
    Defaults:LCONF !requiretty
    LCONF ALL=(apache) NOPASSWD: /usr/local/LConf/lconf_deploy.sh
    LCONF ALL=(icinga) NOPASSWD: /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
    # cat /usr/local/LConf/lconf_deploy.sh
    #!/bin/bash
    echo start of script
    sudo -u icinga /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
    /etc/init.d/icinga reload