
I want to give PHP access to a very specific script using a configuration under /etc/sudoers.d.

So I did the following:

visudo -f /etc/sudoers.d/99-php

And entered this sudo rule:

www-data ALL = (root) NOPASSWD: /etc/my_script.sh

Inside the /etc/my_script.sh script I create a folder and a few files under /tmp before deleting them again.

To test:

su www-data
/etc/my_script.sh

This gives me a lot of permission errors like this:

rm: cannot remove «/tmp/my_file.txt»: Access denied

Suggesting that my script is not actually run as root at all.

So what can I do to get this working?

2 Answers


You have to run the command using sudo.

sudo /etc/my_script.sh

Editing the sudoers file doesn't mean each invocation of the script runs as root, merely that it is permitted to do so if invoked correctly.

Whether it makes any sense to put a shell script in /etc is a separate question.

dmourati

Firstly, as dmourati said, you'd still need to invoke the script with sudo, not just run it.

Second, you really shouldn't put scripts in /etc - especially not if those scripts are supposed to be run by the webserver.

Thirdly, giving a user access to run a shell script as root pretty much equals giving them full root. It's far too easy to escape to the shell once you've got this much sudo access. Instead of putting the entire shell script in the sudoers file, you should figure out which specific commands within the shell script require root privileges and change the script to call those specific commands with sudo. In other words, within the script where you've now got a line saying

rm /tmp/myfile.txt

it should say

sudo rm /tmp/myfile.txt

And the corresponding sudoers line should be

# sudoers only accepts a fully qualified path for the command, so use /bin/rm, not rm
www-data ALL = (root) NOPASSWD: /bin/rm /tmp/myfile.txt
Jenny D
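An added example in POSIX sh, not code from the question or from either answer above. It turns the points the two answers make into a small check you can run against a sudoers command specification (the part of the rule after `NOPASSWD:`) before putting it in /etc/sudoers.d, and shows the non-interactive sudo call the web-facing script should make for each privileged step. The function names `lint_cmnd_spec` and `run_as_root` and the wildcard spec `/bin/rm /tmp/my_*.txt` are this example's own; the other specs fed to it are the lines quoted on this page.

```shell
#!/bin/sh
# Added example; not code from the question or from either answer.
#
# lint_cmnd_spec takes one sudoers command specification, i.e. the part
# of the rule after "NOPASSWD:", and rejects the three things the answers
# warn about. Prints a verdict and returns 0 (ok) or 1 (reject).
lint_cmnd_spec() {
    spec=$1
    cmd=${spec%% *}          # first word: the command itself

    # 1. sudoers only accepts fully qualified commands; a bare "rm"
    #    is a syntax error in visudo, not a narrower rule.
    case $cmd in
        /*) ;;
        *)  echo "reject: not an absolute path: $cmd"; return 1 ;;
    esac

    # 2. A shell, an interpreter, a pager/editor that can spawn one, or a
    #    shell script: whoever may run this as root can run anything as root.
    case $cmd in
        */sh|*/bash|*/dash|*/zsh|*/python*|*/perl|*/vi|*/vim|*/less|*/more|*.sh)
            echo "reject: $cmd gives a root shell, so this is full root"; return 1 ;;
    esac

    # 3. sudoers matches the arguments as one space-separated string, so a
    #    wildcard crosses word boundaries: "/bin/rm /tmp/*" also permits
    #    "/bin/rm /tmp/x -rf /etc".
    case $spec in
        *\**|*\?*|*\[*)
            echo "reject: wildcard in arguments widens the rule: $spec"; return 1 ;;
    esac

    echo "ok: $spec"
    return 0
}

# run_as_root is what the script run by the web server calls for each
# privileged step instead of being run as root itself. "-n" makes sudo
# fail immediately rather than wait for a password prompt PHP can never
# answer, and "--" keeps an argument starting with "-" from being read
# as a sudo option.
run_as_root() {
    sudo -n -- "$@"
}

# To see which rules the web server user really has, without running
# anything, execute this as root on the box:   sudo -l -U www-data

# Walk the specs quoted on this page, plus one constructed wildcard case.
for spec in "/etc/my_script.sh" \
            "rm /tmp/myfile.txt" \
            "/bin/rm /tmp/my_*.txt" \
            "/bin/rm /tmp/myfile.txt"; do
    lint_cmnd_spec "$spec" || :
done
```

Only the last of the four specs passes: the first is a script (full root once www-data can influence it or its environment), the second is not an absolute path, and the third lets the caller smuggle extra arguments through the wildcard. The script that the web server runs should stay owned by root and unwritable by www-data even when it is only the caller of `run_as_root`, since anything that user can edit and have executed as root is, again, full root.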