
I want to allow a PHP script to execute an external command as another user with exec. For this, I call my command like:

exec('sudo -u username /usr/bin/command -a arg1 --arg2 arg2');

In the sudoers rules, I have added:

apache                  ALL=(username)NOPASSWD:   /usr/bin/command

The command sends TCP packets. When SELinux is disabled, it works.

To allow it under SELinux, I have enabled, following the setroubleshoot report:

  • httpd_setrlimit -- why does Apache want to change limits to execute a simple command??
  • httpd_mod_auth_pam -- OK, Apache can use PAM, why not.
  • httpd_unified -- why does Apache want to access memcache??

But even after that, after analysing the logs, I see "unix_chkpwd" and, to finish the SELinux configuration, Apache needs to read the shadow file.

ausearch -c 'unix_chkpwd' -ts recent --raw | audit2allow

#============= httpd_t ==============
allow httpd_t chkpwd_t:process { noatsecure rlimitinh siginh };
allow httpd_t shadow_t:file { getattr open read };

Is it really necessary to add this module? Is it not possible to execute a simple command as another user from Apache?

How can I optimise my SELinux configuration for this simple action?

Best regards,

user5525652

1 Answer


In my RHEL7 test virtual machine, setting the boolean httpd_mod_auth_pam allowed a PHP script to invoke sudo and execute a command as a different Linux user and unchanged SELinux context:

<?php
passthru ('sudo -u username id 2>&1');
uid=1001(username) gid=1001(username) groups=1001(username) context=system_u:system_r:httpd_t:s0

According to (this reference), the only confined SELinux users who are allowed to transition to different SELinux contexts using sudo are sysadm_u and staff_u. I could not find a straightforward way to grant such permission to system_u, used by the Apache process.

Setting the boolean httpd_can_network_connect may be an option. It would allow your custom command to work; however, it would also allow any PHP script running under the Apache context to create arbitrary TCP connections.
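As an added example (not code from the question or the answer), a small POSIX sh/awk triage of raw ausearch AVC records like the ones the question piped into audit2allow: it flags denials whose target is shadow_t, which call for a redesign rather than an allow rule, and separates the command's TCP denial, where the answer's caveat about httpd_can_network_connect applies. The three sample records, the port type http_cache_port_t and the SENSITIVE_TYPES list are constructed for this example.

```shell
# Triage raw AVC records before turning them into an allow module with audit2allow.
# The three records below are constructed for offline use (not from a real host) and
# mirror the question: unix_chkpwd reaching shadow_t, and the command opening a TCP socket.
SAMPLE_AVC='type=AVC msg=audit(1500000000.101:201): avc:  denied  { getattr open read } for  pid=2101 comm="unix_chkpwd" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.102:202): avc:  denied  { noatsecure rlimitinh siginh } for  pid=2101 comm="unix_chkpwd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:chkpwd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1500000000.103:203): avc:  denied  { name_connect } for  pid=2102 comm="command" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0'

# Target types a web server domain should never be granted by a generated module;
# extend the (assumed) list to suit the host.
SENSITIVE_TYPES='shadow_t'

# One tab-separated line per denial: source type, target type, object class, permissions.
summarise_avc() {
    printf '%s\n' "$1" | awk '
        /avc: +denied/ {
            perms = $0
            sub(/.*denied +[{] /, "", perms); sub(/ [}].*/, "", perms)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
                if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            print src "\t" tgt "\t" cls "\t" perms
        }'
}

# Tag each denial: SENSITIVE (refuse, redesign), NETWORK (a boolean such as
# httpd_can_network_connect would fix it, but for every PHP script), or review.
report() {
    summarise_avc "$1" | awk -F '\t' -v sens="$SENSITIVE_TYPES" '
        BEGIN { n = split(sens, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        {
            tag = "review"
            if ($2 in bad) tag = "SENSITIVE"
            else if ($3 ~ /socket$/ && $4 ~ /connect/) tag = "NETWORK"
            printf "%-9s %s -> %s (%s) { %s }\n", tag, $1, $2, $3, $4
        }'
}

# Number of denials touching a sensitive type; non-zero means do not load the module.
count_sensitive() {
    report "$1" | grep -c '^SENSITIVE'
}

report "$SAMPLE_AVC"
```

Run it on real data with `ausearch -c 'unix_chkpwd' -ts recent --raw | ...` replacing the sample string; anything tagged SENSITIVE should never reach `semodule -i`.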