[sudo-users] Sudo error: unable to change to sudoers gid: Operation not permitted

Luca Lafranchi Lists lists at idea-net.ch
Thu Jan 5 11:08:33 EST 2006


Hi, 

on my CentOS 4.1 box I want to enable the user "apache" to run the command
"/usr/sbin/asterisk -rx reload".

Note: Apache 2.x is running with the "apache" user and "apache" group. All
packages are original from the CentOS 4.1 distribution.

With visudo I have configured the sudoers file:

***********************************************
# Host alias specification

# User alias specification
User_Alias WWW = apache

# Cmnd alias specification
Cmnd_Alias RELOAD = /usr/sbin/asterisk -rx reload

# Defaults specification

# User privilege specification
root    ALL=(ALL) ALL
WWW     ALL=NOPASSWD: RELOAD
**********************************************

When I log in to the shell with "su apache" and run the command "sudo
/usr/sbin/asterisk -rx reload", it works fine.

But when I run this command from a PHP script (called from the browser), I get
the following errors.

In /var/log/httpd/error_log I receive this message:

**********************************************
"unable to change to sudoers gid: Operation not permitted"
**********************************************

In /var/log/messages I receive this message:

**********************************************
Jan  5 16:34:28 corporate kernel: audit(1136475268.917:338): avc:  denied  { setrlimit } for  pid=8709 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process

Jan  5 16:34:28 corporate kernel: audit(1136475268.921:339): avc:  denied  { read } for  pid=8709 comm="sudo" name="shadow" dev=dm-0 ino=4015356 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file

Jan  5 16:34:28 corporate kernel: audit(1136475268.921:340): avc:  denied  { read } for  pid=8709 comm="sudo" name="shadow" dev=dm-0 ino=4015356 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file

Jan  5 16:34:28 corporate kernel: audit(1136475268.921:341): avc:  denied  { setgid } for  pid=8709 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability

Jan  5 16:34:28 corporate kernel: audit(1136475268.922:342): avc:  denied  { setuid } for  pid=8709 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability

Jan  5 16:34:28 corporate kernel: audit(1136475268.922:343): avc:  denied  { setgid } for  pid=8709 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
**********************************************

Any idea?

Thanks
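
The kernel messages quoted above are SELinux AVC denials: sudo is running in the httpd_sys_script_t domain, where the setgid and setuid capabilities are denied, which is what surfaces as "unable to change to sudoers gid". As an added example (not part of the original post), this Python script parses such records, including mail-wrapped ones, and counts the denied permissions per source type, target type and class; the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: denials from the post; the first is left mail-wrapped.
SAMPLE = '''\
Jan  5 16:34:28 corporate kernel: audit(1136475268.917:338): avc:  denied  {
setrlimit } for  pid=8709 comm="sudo" scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
Jan  5 16:34:28 corporate kernel: audit(1136475268.921:339): avc:  denied  { read } for  pid=8709 comm="sudo" name="shadow" dev=dm-0 ino=4015356 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Jan  5 16:34:28 corporate kernel: audit(1136475268.921:341): avc:  denied  { setgid } for  pid=8709 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Jan  5 16:34:28 corporate kernel: audit(1136475268.922:342): avc:  denied  { setuid } for  pid=8709 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Jan  5 16:34:28 corporate kernel: audit(1136475268.922:343): avc:  denied  { setgid } for  pid=8709 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
'''

START_RE = re.compile(r"[A-Z][a-z]{2}\s+\d+\s[\d:]{8}\s")  # syslog timestamp
AVC_RE = re.compile(r"audit\([\d.]+:\d+\): avc:\s+denied\s+"
                    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin records that a mail client wrapped across several lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if START_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse_avc(record):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(record)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {**kv, "perms": m.group("perms").split()}

def summarize(text):
    """Map (comm, source type, target type, class) -> {permission: count}."""
    summary = defaultdict(Counter)
    for rec in filter(None, map(parse_avc, unwrap(text))):
        key = (rec["comm"], rec["scontext"].split(":")[2],  # user:role:type
               rec["tcontext"].split(":")[2], rec["tclass"])
        summary[key].update(rec["perms"])
    return {k: dict(v) for k, v in summary.items()}

if __name__ == "__main__":
    for key, perms in summarize(SAMPLE).items():
        print(*key, perms)
```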



