[sudo-users] Calling sudo from PHP script under Apache httpd
Manner Róbert
rmanni at gmail.com
Thu Feb 11 03:59:24 MST 2021
Hi,
Since the audit plugin open fails, you might want to check the logs of that
as well; those seem to be under /var/log/sudo_plugin.log in your config.
Just an idea: a difference might be some SELinux rules limiting what the
apache service is allowed to do?
Robi
On 2/11/21 10:45 AM, Dima Goncharuck wrote:
> Hi All,
>
> I have a problem with the subject and I can't detect the source(s) of the problem(s).
>
> So, I need to run a command from a PHP script via Apache HTTPD,
> and it's not working at all. In the httpd log file (/var/log/apache/error.log) I can see this:
>
> sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
> sudo: unable to initialize policy plugin
>
> With sudo debug turned on I can see this (/var/log/sudo_debug.log):
>
> Feb 10 13:28:31 sudo[30657] parse_variable: /etc/sudo.conf:3: Set disable_coredump false
> Feb 10 13:28:31 sudo[30657] get_user_groups: got 1 groups via getgroups()
> Feb 10 13:28:31 sudo[30657] unable to resolve tty via /proc/self/stat: No such file or directory @ get_process_ttyname() ./ttyname.c:269
> Feb 10 13:28:31 sudo[30657] -> sudo_load_plugins @ ./load_plugins.c:482
> Feb 10 13:28:31 sudo[30657] -> sudo_load_plugin @ ./load_plugins.c:272
> Feb 10 13:28:31 sudo[30657] -> sudo_check_plugin @ ./load_plugins.c:112
> Feb 10 13:28:31 sudo[30657] -> sudo_stat_plugin @ ./load_plugins.c:46
> Feb 10 13:28:31 sudo[30657] <- sudo_stat_plugin @ ./load_plugins.c:104 := 0
> Feb 10 13:28:31 sudo[30657] <- sudo_check_plugin @ ./load_plugins.c:144 := true
> Feb 10 13:28:31 sudo[30657] -> fill_container @ ./load_plugins.c:160
> Feb 10 13:28:31 sudo[30657] <- fill_container @ ./load_plugins.c:177 := true
> Feb 10 13:28:31 sudo[30657] <- sudo_load_plugin @ ./load_plugins.c:365 := true
> Feb 10 13:28:31 sudo[30657] -> sudo_load_plugin @ ./load_plugins.c:272
> Feb 10 13:28:31 sudo[30657] -> sudo_check_plugin @ ./load_plugins.c:112
> Feb 10 13:28:31 sudo[30657] -> sudo_stat_plugin @ ./load_plugins.c:46
> Feb 10 13:28:31 sudo[30657] <- sudo_stat_plugin @ ./load_plugins.c:104 := 0
> Feb 10 13:28:31 sudo[30657] <- sudo_check_plugin @ ./load_plugins.c:144 := true
> Feb 10 13:28:31 sudo[30657] -> sudo_insert_plugin @ ./load_plugins.c:242
> Feb 10 13:28:31 sudo[30657] -> plugin_exists @ ./load_plugins.c:204
> Feb 10 13:28:31 sudo[30657] <- plugin_exists @ ./load_plugins.c:210 := false
> Feb 10 13:28:31 sudo[30657] -> new_container @ ./load_plugins.c:185
> Feb 10 13:28:31 sudo[30657] -> fill_container @ ./load_plugins.c:160
> Feb 10 13:28:31 sudo[30657] <- fill_container @ ./load_plugins.c:177 := true
> Feb 10 13:28:31 sudo[30657] <- new_container @ ./load_plugins.c:194 := 0x564fcf853480
> Feb 10 13:28:31 sudo[30657] <- sudo_insert_plugin @ ./load_plugins.c:259 := true
> Feb 10 13:28:31 sudo[30657] <- sudo_load_plugin @ ./load_plugins.c:365 := true
> Feb 10 13:28:31 sudo[30657] -> sudo_load_plugin @ ./load_plugins.c:272
> Feb 10 13:28:31 sudo[30657] -> sudo_check_plugin @ ./load_plugins.c:112
> Feb 10 13:28:31 sudo[30657] -> sudo_stat_plugin @ ./load_plugins.c:46
> Feb 10 13:28:31 sudo[30657] <- sudo_stat_plugin @ ./load_plugins.c:104 := 0
> Feb 10 13:28:31 sudo[30657] <- sudo_check_plugin @ ./load_plugins.c:144 := true
> Feb 10 13:28:31 sudo[30657] -> sudo_insert_plugin @ ./load_plugins.c:242
> Feb 10 13:28:31 sudo[30657] -> plugin_exists @ ./load_plugins.c:204
> Feb 10 13:28:31 sudo[30657] <- plugin_exists @ ./load_plugins.c:210 := false
> Feb 10 13:28:31 sudo[30657] -> new_container @ ./load_plugins.c:185
> Feb 10 13:28:31 sudo[30657] -> fill_container @ ./load_plugins.c:160
> Feb 10 13:28:31 sudo[30657] <- fill_container @ ./load_plugins.c:177 := true
> Feb 10 13:28:31 sudo[30657] <- new_container @ ./load_plugins.c:194 := 0x564fcf8534d0
> Feb 10 13:28:31 sudo[30657] <- sudo_insert_plugin @ ./load_plugins.c:259 := true
> Feb 10 13:28:31 sudo[30657] <- sudo_load_plugin @ ./load_plugins.c:365 := true
> Feb 10 13:28:31 sudo[30657] -> plugin_exists @ ./load_plugins.c:204
> Feb 10 13:28:31 sudo[30657] <- plugin_exists @ ./load_plugins.c:208 := true
> Feb 10 13:28:31 sudo[30657] -> sudo_init_event_alloc @ ./load_plugins.c:424
> Feb 10 13:28:31 sudo[30657] <- sudo_init_event_alloc @ ./load_plugins.c:438
> Feb 10 13:28:31 sudo[30657] -> sudo_register_hooks @ ./load_plugins.c:386
> Feb 10 13:28:31 sudo[30657] <- sudo_register_hooks @ ./load_plugins.c:417
> Feb 10 13:28:31 sudo[30657] <- sudo_load_plugins @ ./load_plugins.c:548 := true
> Feb 10 13:28:31 sudo[30657] settings: progname=sudo
> Feb 10 13:28:31 sudo[30657] settings: network_addrs=192.168.255.4/255.255.255.240 192.168.88.166/255.255.255.0
> Feb 10 13:28:31 sudo[30657] settings: plugin_dir=/usr/lib/sudo/
> Feb 10 13:28:31 sudo[30657] error initializing audit plugin sudoers_audit @ audit_open() ./sudo.c:1591
>
> In case I start this command from a shell, everything is OK. It looks like this:
>
> root at bl:/home/user# su - ubill
> ubill at bl:~$ sudo ping -i 0.01 -c 5 ukr.net
> PING ukr.net (212.42.76.252) 56(84) bytes of data.
> 64 bytes from srv252.fwdcdn.com (212.42.76.252): icmp_seq=1 ttl=59 time=33.4 ms
> 64 bytes from srv252.fwdcdn.com (212.42.76.252): icmp_seq=2 ttl=59 time=33.4 ms
> 64 bytes from srv252.fwdcdn.com (212.42.76.252): icmp_seq=3 ttl=59 time=33.3 ms
> 64 bytes from srv252.fwdcdn.com (212.42.76.252): icmp_seq=4 ttl=59 time=33.6 ms
> 64 bytes from srv252.fwdcdn.com (212.42.76.252): icmp_seq=5 ttl=59 time=33.3 ms
>
> --- ukr.net ping statistics ---
> 5 packets transmitted, 5 received, 0% packet loss, time 116ms
> rtt min/avg/max/mdev = 33.352/33.442/33.622/0.191 ms, pipe 3
> ubill at bl:~$ exit
> exit
> root at bl:/home/user#
>
>
> My system is:
>
> root at bl:/home/user# uname -a
> Linux bl 4.19.0-0.bpo.13-amd64 #1 SMP Debian 4.19.160-2~deb9u1 (2020-12-05) x86_64 GNU/Linux
> root at bl:/home/user# cat /etc/debian_version
> 9.13
> root at bl:/home/user# apachectl -v
> Server version: Apache/2.4.25 (Debian)
> Server built: 2019-10-13T15:43:54
>
>
> root at bl:/home/user# php -v
> PHP 7.0.33-0+deb9u10 (cli) (built: Oct 6 2020 17:08:28) ( NTS )
> Copyright (c) 1997-2017 The PHP Group
> Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
> with Zend OPcache v7.0.33-0+deb9u10, Copyright (c) 1999-2017, by Zend Technologies
>
>
> root at bl:/home/user#sudo -V
> Sudo version 1.9.5p2
> Configure options: --prefix=/usr --with-all-insults --with-pam --enable-zlib=system --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p: --disable-root-mailer --with-sendmail=/usr/sbin/sendmail --mandir=/usr/share/man --libexecdir=/usr/lib --with-selinux --with-linux-audit --enable-warnings --enable-package-build --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --enable-openssl --enable-python --disable-tmpfiles.d
> Sudoers policy plugin version 1.9.5p2
> Sudoers file grammar version 48
>
> Sudoers path: /etc/sudoers
> Authentication methods: 'pam'
> Syslog facility if syslog is being used for logging: authpriv
> Syslog priority to use when user authenticates successfully: notice
> Syslog priority to use when user authenticates unsuccessfully: alert
> Send mail if user authentication fails
> Send mail if the user is not in sudoers
> Lecture user the first time they run sudo
> Require users to authenticate by default
> Root may run sudo
> Allow some information gathering to give useful error messages
> Require fully-qualified hostnames in the sudoers file
> Visudo will honor the EDITOR environment variable
> Set the LOGNAME and USER environment variables
> Length at which to wrap log file lines (0 for no wrap): 80
> Authentication timestamp timeout: 15.0 minutes
> Password prompt timeout: 0.0 minutes
> Number of tries to enter a password: 3
> Umask to use or 0777 to use user's: 022
> Path to mail program: /usr/sbin/sendmail
> Flags for mail program: -t
> Address to send mail to: root
> Subject line for mail messages: *** SECURITY information for %h ***
> Incorrect password message: Sorry, try again.
> Path to lecture status dir: /var/lib/sudo/lectured
> Path to authentication timestamp dir: /run/sudo/ts
> Default password prompt: [sudo] password for %p:
> Default user to run commands as: root
> Value to override user's $PATH with: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> Path to the editor for use by visudo: /usr/bin/editor
> When to require a password for 'list' pseudocommand: any
> When to require a password for 'verify' pseudocommand: all
> File descriptors >= 3 will be closed before executing a command
> Reset the environment to a default set of variables
> Environment variables to check for safety:
> TZ
> TERM
> LINGUAS
> LC_*
> LANGUAGE
> LANG
> COLORTERM
> Environment variables to remove:
> *=()*
> RUBYOPT
> RUBYLIB
> PYTHONUSERBASE
> PYTHONINSPECT
> PYTHONPATH
> PYTHONHOME
> TMPPREFIX
> ZDOTDIR
> READNULLCMD
> NULLCMD
> FPATH
> PERL5DB
> PERL5OPT
> PERL5LIB
> PERLLIB
> PERLIO_DEBUG
> JAVA_TOOL_OPTIONS
> SHELLOPTS
> BASHOPTS
> GLOBIGNORE
> PS4
> BASH_ENV
> ENV
> TERMCAP
> TERMPATH
> TERMINFO_DIRS
> TERMINFO
> _RLD*
> LD_*
> PATH_LOCALE
> NLSPATH
> HOSTALIASES
> RES_OPTIONS
> LOCALDOMAIN
> CDPATH
> IFS
> Environment variables to preserve:
> XAUTHORIZATION
> XAUTHORITY
> PS2
> PS1
> PATH
> LS_COLORS
> KRB5CCNAME
> HOSTNAME
> DISPLAY
> COLORS
> Locale to use while parsing sudoers: C
> Log user's input for the command being run
> Log the output of the command being run
> Compress I/O logs using zlib
> Directory in which to store input/output logs: /var/log/sudo-io
> File in which to store the input/output log: %{seq}
> Add an entry to the utmp/utmpx file when allocating a pty
> PAM service name to use: sudo
> PAM service name to use for login shells: sudo
> Attempt to establish PAM credentials for the target user
> Create a new PAM session for the command to run in
> Perform PAM account validation management
> Enable sudoers netgroup support
> Check parent directories for writability when editing files with sudoedit
> Allow commands to be run even if sudo cannot write to the audit log
> Allow commands to be run even if sudo cannot write to the log file
> Log entries larger than this value will be split into multiple syslog messages: 960
> File mode to use for the I/O log files: 0600
> Execute commands by file descriptor instead of by path: digest_only
> Type of authentication timestamp record: tty
> Ignore case when matching user names
> Ignore case when matching group names
> Log when a command is allowed by sudoers
> Log when a command is denied by sudoers
> Sudo log server timeout in seconds: 30
> Enable SO_KEEPALIVE socket option on the socket connected to the logserver
> Verify that the log server's certificate is valid
> Set the pam remote user to the user running sudo
> The format of logs to produce: sudo
> Enable SELinux RBAC support
>
> Local IP address and netmask pairs:
> 192.168.255.4/255.255.255.240
> 192.168.88.166/255.255.255.0
>
> Sudoers I/O plugin version 1.9.5p2
> Sudoers audit plugin version 1.9.5p2
>
>
> !!!!!!! The sudo binaries were downloaded from www.sudo.ws (latest stable for Debian Stretch).
> !!!!!!! The native Debian package 1.8.19.p2 also has the same problem.
>
>
> root at bl:/home/user# cat /etc/sudoers
> #
> # This file MUST be edited with the 'visudo' command as root.
> #
> # Please consider adding local content in /etc/sudoers.d/ instead of
> # directly modifying this file.
> #
> # See the man page for details on how to write a sudoers file.
> #
> Defaults env_reset
> Defaults mail_badpass
> Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
> Defaults log_input
> Defaults log_output
>
>
> # Host alias specification
>
> # User alias specification
>
> # Cmnd alias specification
>
> # User privilege specification
> root ALL=(ALL:ALL) ALL
>
> # Allow members of group sudo to execute any command
> %sudo ALL=(ALL:ALL) ALL
>
> User_Alias BILLING = ubill,www-data
> BILLING ALL = (ALL:ALL) NOPASSWD: ALL
>
> # See sudoers(5) for more information on "#include" directives:
>
> #includedir /etc/sudoers.d
>
> root at bl:/home/user# cat /etc/sudo.conf
> Debug sudo /var/log/sudo_debug.log all at info,plugin at debug
> Debug sudoers /var/log/sudo_plugin.log all at info,plugin at debug
> Set disable_coredump false
> Plugin sudoers_policy sudoers.so
> Plugin sudoers_io sudoers.so
> Plugin sudoers_audit sudoers.so
>
> Can someone help me understand what is wrong?
>
>
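The thread shows sudo working from an interactive shell but failing under Apache with `setresuid(0, -1, -1): Operation not permitted`, which means the sudo process never became root, i.e. the setuid bit on the binary was not honored in the web server's context. The script below is an added example (not code from the thread or the sudo project) that gathers the checks a practitioner would compare between the two contexts: the setuid bit on the sudo binary, whether its mount carries `nosuid`, the `NoNewPrivs` flag of the calling process (set, for example, by a systemd `NoNewPrivileges=` unit option), the SELinux mode Robi asks about, and, from the sudoers text, which accounts hold a passwordless `ALL` grant (the thread's `BILLING` alias gives that to `www-data`, so any code running inside Apache already has full root; narrowing that rule to the one command actually needed is the usual mitigation). It assumes a Linux `/proc` and `/sys/fs/selinux` layout; every function and file name in it is this example's own choice, and the parsers read their input from stdin so they can be exercised on constructed text.

```shell
#!/bin/sh
# Added example: diagnose why a setuid sudo fails from a service context.
# Not from the thread or the sudo project; assumes Linux /proc and /sys layouts.

# Print 1 if FILE carries the setuid bit, else 0. sudo must be setuid root,
# otherwise setresuid(0, -1, -1) is refused for a non-root caller.
suid_bit_set() {
    if [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]; then
        echo 1
    else
        echo 0
    fi
}

# Read /proc/mounts-style text on stdin; print 1 if the longest mount point
# that contains PATH is mounted nosuid (setuid bits are ignored there), else 0.
path_nosuid() {
    awk -v p="$1" '
        BEGIN { best = -1; opts = "" }
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { if (opts ~ /(^|,)nosuid(,|$)/) print 1; else print 0 }'
}

# Read /proc/PID/status text on stdin; print the NoNewPrivs value (1 means
# setuid binaries cannot gain privileges in that process), 0 if absent.
no_new_privs() {
    awk '$1 == "NoNewPrivs:" { v = $2 } END { print v + 0 }'
}

# SELinux mode from the selinuxfs enforce node, or "disabled" if not mounted.
selinux_mode() {
    if [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce)" in
            1) echo enforcing ;;
            *) echo permissive ;;
        esac
    else
        echo disabled
    fi
}

# Read sudoers text on stdin; print every user granted "NOPASSWD: ALL",
# expanding User_Alias definitions (comments and blank lines are skipped).
nopasswd_all_users() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "User_Alias" {
            line = $0
            sub(/^[ \t]*User_Alias[ \t]+/, "", line)
            split(line, kv, "=")
            name = kv[1]; gsub(/[ \t]/, "", name)
            members = kv[2]; gsub(/[ \t]/, "", members)
            alias[name] = members
            next
        }
        $0 ~ /NOPASSWD:[ \t]*ALL([ \t]|$)/ {
            who = $1
            n = split((who in alias) ? alias[who] : who, users, ",")
            for (i = 1; i <= n; i++) print users[i]
        }'
}

# Live report for this host; optional argument is the PID whose status to
# inspect (e.g. an Apache worker), default "self".
diagnose_live() {
    pid="${1:-self}"
    sudo_bin=$(command -v sudo || echo /usr/bin/sudo)
    echo "sudo binary:        $sudo_bin"
    echo "setuid bit:         $(suid_bit_set "$sudo_bin")"
    echo "nosuid mount:       $(path_nosuid "$sudo_bin" < /proc/mounts)"
    echo "NoNewPrivs (pid $pid): $(no_new_privs < "/proc/$pid/status")"
    echo "SELinux:            $(selinux_mode)"
    if [ -r /etc/sudoers ]; then
        echo "NOPASSWD: ALL for:  $(nopasswd_all_users < /etc/sudoers | tr '\n' ' ')"
    fi
}

# Only run the live report when asked, so the functions can be sourced/tested.
if [ "${1:-}" = "--live" ]; then
    diagnose_live "${2:-self}"
fi
```

Run it once from the interactive shell where sudo works and once from the web server's context (for instance from the PHP script via `shell_exec`, passing the Apache worker's PID as the second argument) and diff the two reports; a `nosuid` mount, `NoNewPrivs: 1` or an enforcing SELinux policy in the second run but not the first explains the `setresuid` failure without touching sudoers at all.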