SUDO help
X-TechMedia 11-11-2002, 12:26 PM I have created a set of scripts that create folders in my users' home directories automatically.
They work fine from SSH, and work if I run the script on the domain for the account I want to add folders to.
If I try to run it from a domain different from that of the user, it won't create the folders. I have the scripts belonging to root, but it says they were created by nobody.
Can SUDO solve this, or is there another way?
allera 11-11-2002, 12:51 PM What are the scripts written in?
With the information you've provided so far, the best tool to use would be suexec (an Apache tool). Program your scripts with any CGI language (perl, php, python, etc) and then execute it from the web browser on a suexec-enabled server. The script will run as the user who owns the domain and permissions will be established that way.
Make sure you set the file permissions for the file to be executed to 755 or less -- suexec doesn't like anything over 755 (like 777).
X-TechMedia 11-11-2002, 01:02 PM They are written in perl.
I'm not sure if I explained that very well; they are admin scripts that are only going to be run from one domain.
allera 11-11-2002, 02:29 PM You'll have to explain what you're trying to do a little better. Are you running these scripts from a browser? If so, why not just use SSH?
If you want root capabilities with a browser, you'll need to run the web server as root (highly discouraged).
Sudo is used for 'fake root' permissions on a server (via SSH or possibly scripting). It may or may not be useful for what you're trying to do. Install sudo and read the man pages (or read them online if they're there) and see if it in fact helps you do what you want to do.
Maybe if you let us know what you're trying to do (in better detail) we might be able to help. :)
X-TechMedia 11-12-2002, 05:24 AM OK, here goes.
On our main domain (mnahost.com) I am writing a control panel which we can use for billing, accounts etc.
The server is running WHM and cpanel.
The scripts I have written at the moment put a folder in /home/user/public_html when /scripts/icart is run, delete the folder if /scripts/delete is run and chmod it to 400 if /scripts/icartsuspend is run.
They are all run from the browser.
Because the scripts are run from mnahost.com it works fine creating a folder for /home/mnahost/public_html, but if I select another user, it won't create the folder.
I looked at the permissions on the folder in /home/mnahost/public_html and it says it is owned by nobody.
I need to be able to make the folders in anyone's account.
allera 11-12-2002, 09:12 AM In order to do that as root, you need to run the scripts as root. You need root because you need the ability to write to other directories as a user other than nobody while using one Virtual Host (otherwise I'd tell you again to use suexec).
I suppose you could give nobody (the user the web browser executes scripts as) some sudo powers, but be careful not to give it too much power.
Have you looked at 'man sudo' and 'man sudoers' ? The first one tells you how to use sudo (eg, sudo -u <username> <command>) and the second tells you how to configure your sudoers file so you give 'nobody' just enough powers to do what you want. You can allow nobody to run certain commands as root (or any other user), just be careful which commands you allow it to run! :)
If you need more help after reading the man files, let us know.
X-TechMedia 11-12-2002, 10:57 AM OK, thanks.
I'll take a look at that! :)
sasha 11-12-2002, 12:33 PM Just thinking out loud.
If you would have suexec then you would be able to run those scripts as the user through whose domain the script is accessed. You obviously do not want that, as instead of clicking one button you would need to click many. A solution might be creating a script that would do this for you. You could use wget and loop through the domain list and access your script as http://$domain.com/adminscript
That should make folders with the username that owns the domain.
bitserve 11-12-2002, 11:16 PM If they're already written in Perl, make them set uid root. Perl will force you to untaint your input, and you'll have the beginnings of one of the more secure ways to make set uid scripts.
X-TechMedia 11-13-2002, 01:17 PM OK
I've been trying to get this to work all day, with no luck.
I have put this in /etc/sudoers:
User_Alias SCRIPTS=nobody
SCRIPTS ALL=ALL
I have
chown root /scripts/icart
and
chmod 4750 /scripts/icart
It still doesn't work!
bitserve 11-13-2002, 07:49 PM You said that your scripts are being "run from the browser". How are you passing the scripts through sudo?
You might want to post your scripts and a more detailed explanation of what you're trying.
It sounds like you're going about it the wrong way.
X-TechMedia 11-14-2002, 05:49 AM They are called using a form on our site.
The code for calling the script when the form is submitted is:
<?php
// $user comes from the submitted form (the field name 'user' is assumed here)
// and is handed to sudo without any checking.
$user = $_POST['user'];
system("sudo /scripts/icart $user");
?>
($user is the username for the account to modify)
The actual code for the script is:
#!/usr/bin/perl
use strict;
use warnings;

# $user arrives from the PHP form and reaches the shell below unchecked.
my $user = $ARGV[0];

if (! -e "/home/$user/public_html/i-cart/") {
    mkdir("/home/$user/public_html/i-cart", 0755);
    # Copy the store template into the new folder.
    system("cp -R /home/icartbk/store/* /home/$user/public_html/i-cart/");
    open(SETTINGS, ">/home/$user/public_html/i-cart/settings/mysql.inc")
        || die "Can't open settings file";
    # ${user} keeps the name separate from the _icart suffix; "$user_icart"
    # would read an (undefined) variable called $user_icart instead.
    print SETTINGS <<"EOM";
<?
# Auto Created By Icart Script /scripts/icart
\$home_dir = "/home/$user";
\$username = "${user}_icart";
\$password = "******";
\$dbname = "${user}_icartonline";
?>
EOM
    close(SETTINGS);
    print "Created folder <b>/home/$user/public_html/i-cart</b><br>";
    print "Copying <b>/home/icartbk/store</b>..........<br>";
    print "Complete<br>";
    print "Chown all to root<br><br>";
    print "Setup Complete<br>";
} else {
    print "i-cart already installed for user <b>$user</b><br>";
}
X-TechMedia 11-15-2002, 09:20 AM No ideas then?
elsmore1 11-15-2002, 01:06 PM I agree with bitserve... you are going about it the wrong way, using php, sudo and perl. A perl script, suid root, would be the better choice.
That being said, if you ever get the code you posted working, you will have just opened up a root hole on your server, definitely exploitable locally, and probably remotely. You should never have any script (much less a script running as root) using user supplied input being passed directly to system calls without some sanity checking. One of the advantages of using a suid perl script is that perl will do a decent job of requiring you to at least untaint the user supplied input, although once you get it untainted, perl assumes you knew what you were doing when you did it. You should probably have someone script it for you if you are unaware of the security implications of running scripts like what you posted as root, or as any user for that matter.
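A hardened version of the posted icart script along the lines bitserve and elsmore1 describe (taint mode plus explicit untainting), written here as an added example rather than code from the thread. It assumes the thread's layout (template in /home/icartbk/store, target under /home/<user>/public_html) and that the script runs with root privilege, whether setuid or through a sudo rule:

```perl
#!/usr/bin/perl -T
# Hardened counterpart of the posted /scripts/icart (added example, not the
# original poster's code). Assumes the layout from the thread: the template
# in /home/icartbk/store and a target of /home/<user>/public_html/i-cart.
use strict;
use warnings;

# Under -T, system() refuses to run until PATH is a fixed, trusted value.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint the username: accept only a plain account name, and only one that
# exists with a home directory under /home. Both the posted Perl script and
# its PHP caller skip this step.
sub untaint_user {
    my ($raw) = @_;
    return unless defined $raw;
    my ($user) = $raw =~ /\A([a-z_][a-z0-9_-]{0,31})\z/ or return;
    my (undef, undef, $uid, $gid, undef, undef, undef, $home) = getpwnam($user);
    return unless defined $home && $home eq "/home/$user";
    return ($user, $uid, $gid);
}
my ($user, $uid, $gid) = untaint_user($ARGV[0])
    or die "usage: $0 <existing username>\n";
my $dest = "/home/$user/public_html/i-cart";
if (-e $dest) {
    print "i-cart already installed for user $user\n";
    exit 0;
}
mkdir($dest, 0755) or die "mkdir $dest: $!\n";
# List-form system(): no shell parses these arguments, so nothing in $user
# can turn into extra commands or glob patterns.
system('cp', '-R', '/home/icartbk/store/.', $dest) == 0
    or die "copying template failed: $?\n";

open(my $fh, '>', "$dest/settings/mysql.inc")
    or die "Can't open settings file: $!\n";
print {$fh} <<"EOM";
<?php
# Auto Created By Icart Script /scripts/icart
\$home_dir = "/home/$user";
\$username = "${user}_icart";
\$password = "******";
\$dbname = "${user}_icartonline";
?>
EOM
close($fh);
# Hand the new tree to the account it was made for instead of leaving it root-owned.
system('chown', '-R', "$uid:$gid", $dest) == 0 or die "chown failed: $?\n";
print "Setup complete for $user\n";
```

Run it as /scripts/icart <user> or as perl -T /scripts/icart <user>; Perl refuses to start the script if -T is missing from the command line.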
c3r3br0 11-15-2002, 05:27 PM 1. Create a command alias (Cmnd_Alias) for the commands you will allow to be run as root.
2. When defining the privileges set NOPASSWD, otherwise the user will have to type in a password in order to execute.
3. Make sure only root can do anything with the script (700).
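The sudoers rule that these three steps (and allera's earlier 'just enough powers' advice) describe, written out as an added example that comes from no post in the thread. It assumes the web server runs scripts as nobody and that the scripts live under /scripts as posted:

```sudoers
# What was posted: any command, as any user, password required. sudo has no
# terminal to prompt on when called from the web server, so the call fails,
# and the grant itself is unrestricted anyway.
#   User_Alias SCRIPTS = nobody
#   SCRIPTS ALL = ALL

# Restricted rule: only the named scripts, only as root, no password prompt.
Cmnd_Alias ICART = /scripts/icart, /scripts/icartsuspend, /scripts/delete
nobody ALL = (root) NOPASSWD: ICART
```

Edit the file with visudo so the syntax is checked before it is saved, and keep the scripts root-owned and mode 700 as step 3 says, since sudo only decides who may run them, not what they do with their argument.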