[sudo-users] Calling sudo from PHP script under Apache httpd
Dima Goncharuck
dgoncharuk at neocm.com
Thu Feb 11 10:04:13 MST 2021
Hi Todd,
Thursday, February 11, 2021, 6:18:46 PM, you wrote:
> On Thu, 11 Feb 2021 11:45:28 +0200, Dima Goncharuck wrote:
>> I have a problem with the subject and I can't detect the source(s) of the problem(s).
>>
>> So, I need to run some command from a PHP script via Apache HTTPD.
>> And it's not working at all. In the httpd log file (/var/log/apache/error.log) I
>> can see this:
>>
>> sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
>> sudo: unable to initialize policy plugin
>>
>> With sudo debug turned on I can see this (/var/log/sudo_debug.log):
> The debug information you want may be in the sudoers debug log.
> Try the following in your /etc/sudo.conf file.
> Debug sudoers.so /var/log/sudoers_debug all at debug
^^^ Thanks. My mistake. That is why this log wasn't even present in my case.
Now it looks like this:
Feb 11 18:52:08 sudo[5079] -> sudoers_init @ ./sudoers.c:160
Feb 11 18:52:08 sudo[5079] -> sudoers_policy_deserialize_info @ ./policy.c:97
Feb 11 18:52:08 sudo[5079] settings: plugin_path=/usr/lib/sudo/sudoers.so
Feb 11 18:52:08 sudo[5079] settings: progname=sudo
Feb 11 18:52:08 sudo[5079] settings: network_addrs=192.168.255.4/255.255.255.240 192.168.88.166/255.255.255.0
Feb 11 18:52:08 sudo[5079] settings: plugin_dir=/usr/lib/sudo/
Feb 11 18:52:08 sudo[5079] settings: debug_flags=/var/log/sudo_plugin.log all at info,plugin at debug
Feb 11 18:52:08 sudo[5079] user_info: user=ubill
Feb 11 18:52:08 sudo[5079] user_info: pid=5079
Feb 11 18:52:08 sudo[5079] user_info: ppid=5078
Feb 11 18:52:08 sudo[5079] user_info: pgid=5048
Feb 11 18:52:08 sudo[5079] user_info: tcpgid=0
Feb 11 18:52:08 sudo[5079] user_info: sid=5048
Feb 11 18:52:08 sudo[5079] user_info: uid=10001
Feb 11 18:52:08 sudo[5079] user_info: euid=0
Feb 11 18:52:08 sudo[5079] user_info: gid=10001
Feb 11 18:52:08 sudo[5079] user_info: egid=10001
Feb 11 18:52:08 sudo[5079] user_info: groups=10001
Feb 11 18:52:08 sudo[5079] user_info: umask=00
Feb 11 18:52:08 sudo[5079] user_info: cwd=/var/www/ubill
Feb 11 18:52:08 sudo[5079] user_info: host=bl
Feb 11 18:52:08 sudo[5079] user_info: lines=24
Feb 11 18:52:08 sudo[5079] user_info: cols=80
Feb 11 18:52:08 sudo[5079] user_info: rlimit_as=infinity,infinity
Feb 11 18:52:08 sudo[5079] user_info: rlimit_core=0,infinity
Feb 11 18:52:08 sudo[5079] user_info: rlimit_cpu=infinity,infinity
Feb 11 18:52:08 sudo[5079] user_info: rlimit_data=infinity,infinity
Feb 11 18:52:08 sudo[5079] user_info: rlimit_fsize=infinity,infinity
Feb 11 18:52:08 sudo[5079] user_info: rlimit_locks=infinity,infinity
Feb 11 18:52:08 sudo[5079] user_info: rlimit_memlock=65536,65536
Feb 11 18:52:08 sudo[5079] user_info: rlimit_nofile=8192,8192
Feb 11 18:52:08 sudo[5079] user_info: rlimit_nproc=193154,193154
Feb 11 18:52:08 sudo[5079] user_info: rlimit_rss=infinity,infinity
Feb 11 18:52:08 sudo[5079] user_info: rlimit_stack=8388608,infinity
Feb 11 18:52:08 sudo[5079] <- sudoers_policy_deserialize_info @ ./policy.c:530 := 0
Feb 11 18:52:08 sudo[5079] -> init_vars @ ./sudoers.c:789
Feb 11 18:52:08 sudo[5079] sudoers_initlocale: user locale C, sudoers locale C
Feb 11 18:52:08 sudo[5079] set_perms: PERM_INITIAL: ruid: 10001, euid: 0, suid: 0, rgid: 10001, egid: 10001, sgid: 10001
Feb 11 18:52:08 sudo[5079] -> set_callbacks @ ./sudoers.c:1584
Feb 11 18:52:08 sudo[5079] <- set_callbacks @ ./sudoers.c:1635
Feb 11 18:52:08 sudo[5079] -> set_runaspw @ ./sudoers.c:1304
Feb 11 18:52:08 sudo[5079] <- set_runaspw @ ./sudoers.c:1327 := true
Feb 11 18:52:08 sudo[5079] <- init_vars @ ./sudoers.c:878 := true
Feb 11 18:52:08 sudo[5079] set_perms: PERM_ROOT: uid: [10001, 0, 0] -> [0, 0, 0]
Feb 11 18:52:08 sudo[5079] PERM_ROOT: setresuid(0, -1, -1): Operation not permitted @ set_perms() ./set_perms.c:361
Feb 11 18:52:08 sudo[5079] <- sudoers_init @ ./sudoers.c:193 := -1
> Perhaps PHP runs commands in a sandbox (using seccomp or something
> similar) that disables changing the uid?
I don't know :( Will check this.
> You should check the audit
> log (if it exists) to see if there is anything relevant in it.
The auth log does not have any info about these events (usually any sudo events are passed here).
The audit log is not present.
> It is also possible that AppArmor is interfering with sudo. You
> can run "aa-status" as root to see whether it is enabled (assuming
> it is even installed). The audit log should also contain information
> about AppArmor if it is getting in the way.
No, AppArmor was removed immediately after the 4.19 kernel was installed.
--
Best regards,
Dima mailto:dgoncharuk at neocm.com
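A diagnostic for the sandbox question raised above, added here and not part of the thread or of sudo itself: it takes a /proc/<pid>/status text (pass the PHP or httpd worker's, e.g. "$(cat /proc/<pid>/status)") and reports whether the capability bounding set lacks CAP_SETUID, whether a seccomp filter is active, and whether no_new_privs is set; any of these can make setresuid() fail with EPERM or stop the setuid bit from taking effect. The status excerpt at the bottom is a constructed sample, not data from the reporter's host.

```shell
#!/bin/sh
# Added diagnostic (assumed helper, not from the thread). Reads a
# /proc/<pid>/status text passed as $1 and reports settings that make
# setresuid(0, -1, -1) fail with EPERM even though the setuid bit gave euid 0.

# Print the value of "Key:<whitespace>value" from the status text in $2.
status_field() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p"
}

# Return 0 if the hex CapBnd mask in $1 has bit 7 (CAP_SETUID) set.
# Bits 4-7 live in the second-to-last hex digit, so bit 7 is set iff
# that digit is 8..f.
capbnd_has_setuid() {
    mask=${1%?}                       # drop the last digit (bits 0-3)
    case "$mask" in
        *[89a-fA-F]) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print one finding per line; return the number of findings (0 = clean).
check_uid_sandbox() {
    st="$1"; findings=0
    bnd=$(status_field CapBnd "$st")
    if [ -n "$bnd" ] && ! capbnd_has_setuid "$bnd"; then
        echo "CapBnd=$bnd lacks CAP_SETUID: setresuid() fails with EPERM"
        findings=$((findings + 1))
    fi
    if [ "$(status_field Seccomp "$st")" = "2" ]; then
        echo "seccomp filter active: syscalls may be denied (e.g. SystemCallFilter)"
        findings=$((findings + 1))
    fi
    if [ "$(status_field NoNewPrivs "$st")" = "1" ]; then
        echo "no_new_privs set: setuid binaries such as sudo do not gain root"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample: a worker whose unit dropped CAP_SETUID from the
# bounding set and installed a seccomp filter. Compare with a real worker.
SAMPLE_STATUS='Name:	php-fpm
Uid:	10001	10001	10001	10001
CapBnd:	000001ffffffff7f
NoNewPrivs:	0
Seccomp:	2'

if check_uid_sandbox "$SAMPLE_STATUS"; then
    echo "no sandbox restriction found"
else
    echo "$? finding(s)"
fi
```

On a live system run it as root against the worker that calls sudo, since ppid in the sudoers debug log tells you which process to inspect.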