[sudo-users] Calling sudo from PHP script under Apache httpd

Todd C. Miller Todd.Miller at sudo.ws
Thu Feb 11 09:18:46 MST 2021


On Thu, 11 Feb 2021 11:45:28 +0200, Dima Goncharuck wrote:

> I have a problem with subj and I can't detect the source(s) of the problem(s).
>
>  So, I need to run some command from a PHP script via Apache HTTPD.
>  And it's not working at all. In the httpd log file (/var/log/apache/error.log) I
>  can see this:
>  
> sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
> sudo: unable to initialize policy plugin
>
> With sudo debug turned on I can see this (/var/log/sudo_debug.log):

The debug information you want may be in the sudoers debug log.
Try the following in your /etc/sudo.conf file.

Debug sudoers.so /var/log/sudoers_debug all@debug

I don't know why that setresuid() call would be failing.  Sudo does
checks at startup to make sure it is running as root.

Perhaps PHP runs commands in a sandbox (using seccomp or something
similar) that disables changing the uid?  You should check the audit
log (if it exists) to see if there is anything relevant in it.

It is also possible that AppArmor is interfering with sudo.  You
can run "aa-status" as root to see whether it is enabled (assuming
it is even installed).  The audit log should also contain information
about AppArmor if it is getting in the way.

 - todd
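
Added example, not part of the original message or of sudo itself: a small shell helper that gathers the three things suggested above for one process (seccomp mode, AppArmor label, and audit records naming sudo). The function names, the /var/log/audit/audit.log default, and reading the AppArmor label from attr/current are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: summarise the confinement of one process directory under
# /proc, for diagnosing "setresuid(0, -1, -1): Operation not permitted".
# Assumes Linux; helper names are hypothetical, not part of sudo.

# Print the seccomp mode recorded in a /proc/<pid>/status file.
seccomp_mode() {
    case "$(awk '$1 == "Seccomp:" { print $2 }' "$1" 2>/dev/null)" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;
    esac
}

# Print the AppArmor label of a process: "unconfined" or "profile (mode)".
# Assumes AppArmor exposes it in <dir>/attr/current.
apparmor_label() {
    if [ -r "$1" ]; then
        head -n 1 "$1" 2>/dev/null
    else
        echo unavailable
    fi
}

# Count audit records that are seccomp or AppArmor denials and name sudo.
audit_hits() {
    grep -E 'type=SECCOMP|apparmor="DENIED"' "$1" 2>/dev/null |
        grep -c 'comm="sudo"'
}

# report PROC_DIR [AUDIT_LOG]: print one key=value line per check.
report() {
    dir=$1
    log=${2:-/var/log/audit/audit.log}   # assumed default auditd location
    echo "seccomp=$(seccomp_mode "$dir/status")"
    echo "apparmor=$(apparmor_label "$dir/attr/current")"
    echo "audit_hits=$(audit_hits "$log")"
}

# Usage: script --run [PID] [AUDIT_LOG]; PID defaults to the parent process,
# which is useful when the script is started from the same PHP code path.
if [ "${1:-}" = "--run" ]; then
    report "/proc/${2:-$PPID}" "${3:-}"
fi
```

Run it as root so the audit log is readable. A seccomp value of filter or an AppArmor label other than unconfined on the web server's worker process points at the confinement to look into next.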

