Thread: SUDO help

  1. #1
    Join Date
    Nov 2002
    Location
    United Kingdom
    Posts
    247

    Question SUDO help

    I have created a set of scripts that create folders in my users' home directories automatically.

    They work fine from SSH, and work if I run the script on the domain for the account I want to add folders to.

    If I try to run it from a domain different to that of the user, it won't create the folders. I have the scripts belonging to root, but it says that it was created by nobody.

    Can sudo solve this, or is there another way?

  2. #2
    Join Date
    Apr 2001
    Location
    Palm Beach, FL
    Posts
    1,095
    What are the scripts written in?

    With the information you've provided so far, the best tool to use would be suexec (an Apache tool). Program your scripts with any CGI language (Perl, PHP, Python, etc.) and then execute them from the web browser on a suexec-enabled server. The script will run as the user who owns the domain and permissions will be established that way.

    Make sure you set the file permissions for the file to be executed to 755 or less -- suexec doesn't like anything over 755 (like 777).
    Alex Llera
    Professional Server Management
    FreeBSD|Linux|HSphere|Cpanel|Plesk

  3. #3
    Join Date
    Nov 2002
    Location
    United Kingdom
    Posts
    247
    They are written in Perl.

    I'm not sure if I explained that very well: they are admin scripts that are only going to be run from one domain.

  4. #4
    Join Date
    Apr 2001
    Location
    Palm Beach, FL
    Posts
    1,095
    You'll have to explain what you're trying to do a little better. Are you running these scripts from a browser? If so, why not just use SSH?

    If you want root capabilities with a browser, you'll need to run the web server as root (highly discouraged).

    Sudo is used for 'fake root' permissions on a server (via SSH or possibly scripting). It may or may not be useful for what you're trying to do. Install sudo and read the man pages (or read them online if they're there) and see if it in fact helps you do what you want to do.


    Maybe if you let us know what you're trying to do (in better detail) we might be able to help.

  5. #5
    Join Date
    Nov 2002
    Location
    United Kingdom
    Posts
    247
    OK, here goes.

    On our main domain (mnahost.com) I am writing a control panel which we can use for billing, accounts etc.

    The server is running WHM and cPanel.

    The scripts I have written at the moment put a folder in /home/user/public_html when /scripts/icart is run, delete the folder if /scripts/delete is run, and chmod 400 if /scripts/icartsuspend is run.

    They are all run from the browser.

    Because the scripts are run from mnahost.com it works fine creating a folder for /home/mnahost/public_html, but if I select another user, it won't create the folder.

    I looked at the permissions on the folder in /home/mnahost/public_html and it says it is owned by nobody.

    I need to be able to make the folders in anyone's account.

  6. #6
    Join Date
    Apr 2001
    Location
    Palm Beach, FL
    Posts
    1,095
    In order to do that as root, you need to run the scripts as root. You need root because you need the ability to write to other directories as a user other than nobody while using one Virtual Host (otherwise I'd tell you again to use suexec).

    I suppose you could give nobody (the user the web browser executes scripts as) some sudo powers, but be careful not to give it too much power.

    Have you looked at 'man sudo' and 'man sudoers' ? The first one tells you how to use sudo (eg, sudo -u <username> <command>) and the second tells you how to configure your sudoers file so you give 'nobody' just enough powers to do what you want. You can allow nobody to run certain commands as root (or any other user), just be careful which commands you allow it to run!

    If you need more help after reading the man files, let us know.

  7. #7
    Join Date
    Nov 2002
    Location
    United Kingdom
    Posts
    247
    OK, thanks.

    I'll take a look at that!

  8. #8
    Join Date
    Oct 2002
    Location
    Canada
    Posts
    3,100
    Just thinking out loud.

    If you had suexec then you would be able to run those scripts as the user through whose domain the script is accessed. You obviously do not want that, as instead of clicking one button you would need to click many. A solution might be creating a script that would do this for you. You could use wget, loop through the domain list and access your script as http://$domain.com/adminscript
    That should make folders with the username that owns the domain.

  9. #9
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,978
    If they're already written in Perl, make them set uid root. Perl will force you to untaint your input, and you'll have the beginnings of one of the more secure ways to make set uid scripts.
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!

  11. #11
    Join Date
    Nov 2002
    Location
    United Kingdom
    Posts
    247
    OK

    I've been trying to get this to work all day, with no luck.

    I have put this in /etc/sudoers:

    User_Alias SCRIPTS=nobody

    SCRIPTS ALL=ALL

    I have
    chown root /scripts/icart
    and
    chmod 4750 /scripts/icart

    It still doesn't work!

  12. #12
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,978
    You said that your scripts are being "run from the browser". How are you passing the scripts through sudo?

    You might want to post your scripts and a more detailed explanation of what you're trying.

    It sounds like you're going about it the wrong way.

  13. #13
    Join Date
    Nov 2002
    Location
    United Kingdom
    Posts
    247
    They are called using a form on our site.

    The code for calling the script when the form is submitted is:

    <?php
    system("sudo /scripts/icart $user");
    ?>

    ($user is the username for the account to modify)

    The actual code for the script is:

    #!/usr/bin/perl

    $user = $ARGV[0];

    if (! -e "/home/$user/public_html/i-cart/") {

        mkdir("/home/$user/public_html/i-cart", 0755);
        system("cp -R /home/icartbk/store/* /home/$user/public_html/i-cart/");
        open(SETTINGS, ">/home/$user/public_html/i-cart/settings/mysql.inc") || die "Can't open settings file";
        # ${user}_icart / ${user}_icartonline: written as "$user_icart" Perl would look up
        # a single (undefined) variable named $user_icart instead of appending to $user
        print SETTINGS <<EOM;
    <?php
    # Auto Created By Icart Script /scripts/icart

    \$home_dir = "/home/$user";

    \$username = "${user}_icart";

    \$password = "******";

    \$dbname = "${user}_icartonline";

    ?>
    EOM
        close(SETTINGS);

        print "Created folder <b>/home/$user/public_html/i-cart</b><br>";
        print "Copying <b>/home/icartbk/store</b>..........<br>";
        print "Complete<br>";
        print "Chown all to root<br><br>";

        print "Setup Complete<br>";

    } else {

        print "i-cart already installed for user <b>$user</b><br>";

    }

  14. #14
    Join Date
    Nov 2002
    Location
    United Kingdom
    Posts
    247
    No ideas then?

  15. #15
    Join Date
    Nov 2000
    Location
    Moran, Ks
    Posts
    186
    I agree with bitserve... you are going about it the wrong way, using php, sudo and perl. A perl script, suid root, would be the better choice.

    That being said, if you ever get the code you posted working, you will have just opened up a root hole on your server, definitely exploitable locally, and probably remotely. You should never have any script (much less a script running as root) using user supplied input being passed directly to system calls without some sanity checking. One of the advantages of using a suid perl script is that perl will do a decent job of requiring you to at least untaint the user supplied input, although once you get it untainted, perl assumes you knew what you were doing when you did it. You should probably have someone script it for you if you are unaware of the security implications of running scripts like what you posted as root, or as any user for that matter.
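    Added example, not the original poster's code: the same /scripts/icart job rewritten the way posts #9 and #15 suggest, under Perl taint mode, with the username untainted by a strict regex and cross-checked against the password database, and with list-form system() so no shell ever sees the argument. It keeps the thread's layout (/home/<user>/public_html/i-cart, template in /home/icartbk/store) as assumptions. One caveat the thread does not mention: Linux ignores the setuid bit on #! scripts and suidperl was removed in Perl 5.12, so in practice this runs as root via sudo exactly as the poster does; -T is on the shebang line because under sudo the real and effective uid are both 0, so Perl would not switch taint mode on by itself.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): hardened /scripts/icart.
# Run as:  sudo /scripts/icart <username>
# Assumed layout, taken from the thread: /home/<user>/public_html and a
# template tree in /home/icartbk/store.
use strict;
use warnings;

# Taint mode refuses to pass command-line data to mkdir/open/system until it
# has been through a regex capture, and refuses to run system() at all while
# PATH is tainted, so scrub the environment first.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
umask 022;

my $TEMPLATE = '/home/icartbk/store';   # assumption: same template dir as the thread

my $arg = defined $ARGV[0] ? $ARGV[0] : '';

# Untaint: a cPanel-style account name is short, lowercase, alphanumeric and
# starts with a letter. Anything else (../, ;, $(...), spaces, an empty string)
# is rejected outright. This is what closes the hole in
#   system("cp -R /home/icartbk/store/* /home/$user/public_html/i-cart/")
my ($user) = $arg =~ /\A([a-z][a-z0-9]{0,15})\z/
    or die "refusing: '$arg' is not a valid account name\n";

# Second check: the account must exist, must not be root, and must own a
# home directly under /home, so a well-formed but bogus name cannot be used
# to write anywhere else.
my ($uid, $home) = (getpwnam($user))[2, 7];
defined $uid            or die "refusing: no such account '$user'\n";
$uid != 0               or die "refusing: will not touch a uid 0 account\n";
$home eq "/home/$user"  or die "refusing: unexpected home '$home' for '$user'\n";

my $pubhtml = "/home/$user/public_html";
my $target  = "$pubhtml/i-cart";

# The account owns public_html, so root must not blindly follow it. Rejecting
# a symlink narrows (but does not remove) the window for a rename race; for a
# live account, suspend it first as the thread's icartsuspend script does.
-d $pubhtml or die "refusing: $pubhtml is not a directory\n";
-l $pubhtml and die "refusing: $pubhtml is a symlink\n";

if (-e $target) {
    print "i-cart already installed for user $user\n";
    exit 0;
}

mkdir $target, 0755 or die "mkdir $target: $!\n";

# List form: no shell is involved, so metacharacters in any argument are inert.
# "$TEMPLATE/." copies the contents of the template into $target.
system('/bin/cp', '-R', "$TEMPLATE/.", $target) == 0
    or die "copying $TEMPLATE into $target failed (status $?)\n";

my $settings = "$target/settings/mysql.inc";
open my $fh, '>', $settings or die "Can't open $settings: $!\n";
print {$fh} <<"EOM";
<?php
# Auto created by /scripts/icart
\$home_dir = "/home/$user";
\$username = "${user}_icart";
\$password = "******";
\$dbname   = "${user}_icartonline";
?>
EOM
close $fh or die "close $settings: $!\n";

print "Created $target and copied $TEMPLATE into it\n";
print "Setup complete for $user\n";
```

    Invoke it directly (sudo /scripts/icart bob), not as perl /scripts/icart bob: Perl rejects a -T that appears only on the shebang line with "Too late for -T". The password in mysql.inc is still the thread's placeholder; a real deployment would generate one here rather than ship six asterisks.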

  16. #16
    Join Date
    Feb 2002
    Location
    Philadelphia, PA
    Posts
    96
    Sudoers file

    1. Create a command alias (Cmnd_Alias) for the commands you will allow to be run as root.

    2. When defining the privileges set NOPASSWD, otherwise the user will have to type in a password in order to execute.

    3. Make sure only root can do anything with the script (700).
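    Putting posts #6 and #16 together, an added example of the sudoers entries the thread is describing (not the poster's configuration). It replaces the SCRIPTS ALL=ALL line from post #11, which makes the web server user equivalent to root, with a command alias restricted to the three scripts. It assumes Apache runs as nobody and that the scripts live in /scripts, as in the thread.

```sudoers
# Added example for /etc/sudoers; edit with visudo, which syntax-checks before saving.
# Replaces the thread's
#   User_Alias SCRIPTS=nobody
#   SCRIPTS ALL=ALL
# which lets the web server run any command at all as any user.
Cmnd_Alias ICART = /scripts/icart, /scripts/delete, /scripts/icartsuspend

# The web server has no terminal to type a password on, so NOPASSWD is needed.
# Some distributions ship "Defaults requiretty", which makes a sudo call from a
# CGI/PHP process fail; turn it off for exactly these commands and nothing else.
Defaults!ICART !requiretty

# nobody may run only the three scripts, only as root, and nothing more.
nobody ALL = (root) NOPASSWD: ICART
```

    sudo passes along whatever argument PHP supplies, and sudoers argument wildcards cannot safely express "a valid account name", so the username check has to live inside the scripts. Confirm the grant with sudo -l -U nobody, and keep the scripts root-owned and mode 700 so the account that may run them as root can never edit them.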
