[sudo-users] Sudo error: unable to change to sudoers gid: Operation not permitted
Luca Lafranchi Lists
lists at idea-net.ch
Thu Jan 5 11:08:33 EST 2006
Hi,
on my CentOS 4.1 box I want to enable the user "apache" to run the command
"/usr/sbin/asterisk -rx reload".
Note: Apache 2.x is running with the "apache" user and "apache" group. All
packages are the originals from the CentOS 4.1 distribution.
With visudo I have configured the sudoers file:
***********************************************
# Host alias specification
# User alias specification
User_Alias WWW = apache
# Cmnd alias specification
Cmnd_Alias RELOAD = /usr/sbin/asterisk -rx reload
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
WWW ALL=NOPASSWD: RELOAD
**********************************************
When I log in to the shell with "su apache" and run the command "sudo
/usr/sbin/asterisk -rx reload", it works fine.
But when I run this command from a PHP script (called from the browser), I get
the following errors.
In /var/log/httpd/error_log I receive this message:
**********************************************
"unable to change to sudoers gid: Operation not permitted"
**********************************************
In /var/log/messages I receive this message:
**********************************************
Jan 5 16:34:28 corporate kernel: audit(1136475268.917:338): avc: denied {
setrlimit } for pid=8709 comm="sudo"
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
Jan 5 16:34:28 corporate kernel: audit(1136475268.921:339): avc: denied {
read } for pid=8709 comm="sudo" name="shadow" dev=dm-0 ino=4015356
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:shadow_t tclass=file
Jan 5 16:34:28 corporate kernel: audit(1136475268.921:340): avc: denied {
read } for pid=8709 comm="sudo" name="shadow" dev=dm-0 ino=4015356
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:shadow_t tclass=file
Jan 5 16:34:28 corporate kernel: audit(1136475268.921:341): avc: denied {
setgid } for pid=8709 comm="sudo" capability=6
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
Jan 5 16:34:28 corporate kernel: audit(1136475268.922:342): avc: denied {
setuid } for pid=8709 comm="sudo" capability=7
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
Jan 5 16:34:28 corporate kernel: audit(1136475268.922:343): avc: denied {
setgid } for pid=8709 comm="sudo" capability=6
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
**********************************************
Any ideas?
Thanks
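
Added example (not part of the original post): a Python sketch that parses the AVC denials quoted above, tolerating records wrapped across lines by the mailer, and counts them by command, source domain, permission, class and target type. The function names are hypothetical; the sample records are the six from the post with the mail wrapping removed.

```python
import re
from collections import Counter

# The six AVC records from the post's /var/log/messages excerpt (mail wrapping removed).
SAMPLE_LOG = """\
Jan 5 16:34:28 corporate kernel: audit(1136475268.917:338): avc: denied { setrlimit } for pid=8709 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Jan 5 16:34:28 corporate kernel: audit(1136475268.921:339): avc: denied { read } for pid=8709 comm="sudo" name="shadow" dev=dm-0 ino=4015356 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Jan 5 16:34:28 corporate kernel: audit(1136475268.921:340): avc: denied { read } for pid=8709 comm="sudo" name="shadow" dev=dm-0 ino=4015356 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Jan 5 16:34:28 corporate kernel: audit(1136475268.921:341): avc: denied { setgid } for pid=8709 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Jan 5 16:34:28 corporate kernel: audit(1136475268.922:342): avc: denied { setuid } for pid=8709 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Jan 5 16:34:28 corporate kernel: audit(1136475268.922:343): avc: denied { setgid } for pid=8709 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
"""

def parse_avc(log):
    """Return one dict per AVC denial; tolerates records wrapped across lines."""
    flat = " ".join(log.split())  # undo line wrapping
    records = []
    # Start a new chunk at every "audit(<timestamp>:<serial>)" marker.
    for chunk in re.split(r"(?=audit\(\d+\.\d+:\d+\))", flat):
        m = re.search(r"audit\(\d+\.\d+:(\d+)\): avc: denied \{ ([^}]+) \}", chunk)
        if not m:
            continue  # syslog prefix or a non-AVC audit message
        rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', chunk)}
        rec["serial"] = int(m.group(1))
        rec["perms"] = m.group(2).split()
        # The type (domain) is the third colon-separated field of a context.
        rec["sdomain"] = rec.get("scontext", "::").split(":")[2]
        rec["ttype"] = rec.get("tcontext", "::").split(":")[2]
        records.append(rec)
    return records

def summarize(records):
    """Count denials per (comm, source domain, permission, tclass, target type)."""
    counts = Counter()
    for r in records:
        for perm in r["perms"]:
            key = (r.get("comm"), r["sdomain"], perm, r.get("tclass"), r["ttype"])
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(parse_avc(SAMPLE_LOG)).items()):
        print(n, *key)
```

On the post's excerpt every denial has comm="sudo" and source domain httpd_sys_script_t; the two capability permissions denied are setgid (capability 6, CAP_SETGID) and setuid (capability 7, CAP_SETUID).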