CENTOS apache ALL=(root) NOPASSWD: /path/to/shell.sh is not working

Question

Trying to do a web interface IPtables management.

Created a file test.php

$output = shell_exec('sudo bash /usr/bin/iptables.sh 2>&1');
echo $output;

Gave /usr/bin/iptables.sh NOPASSWD so I can execute the file with sudo through apache without using a password

sudo iptables -L

sudoers file :

apache ALL=(root) NOPASSWD: /usr/bin/iptables.sh

But I am still getting error

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper{"mode":"full","isActive":false}

However, if I use

apache ALL=(root) NOPASSWD: ALL

Everything works fine.

I double-checked my directory and I used the exact path

[root@CentOS bin]# readlink -f iptables.sh
/usr/bin/iptables.sh

Super clueless here, can anyone help me with a direction? :'(

score 1 · Accepted Answer · answered Jul 25 '21 at 17:52

1

The command you call with sudo must match what is in the sudoers file, but in your case they do not match.

You tried to run bash /usr/bin/iptables.sh, but sudoers only allows you to run /usr/bin/iptables.sh.

answered Jul 25 '21 at 17:52

Michael Hampton

244,070
43
506
972

I am confused, how am I supposed to execute the script in this case? Do I have to add bash to sudoers? – alvan Jul 25 '21 at 18:47
@alvan Why do you have `bash` in there at all? It is redundant. You can do what you want but the important bit is that **they must match exactly**. – Michael Hampton Jul 25 '21 at 18:49
Oh, Oh my god. $output = shell_exec("sudo /usr/bin/iptables.sh 2>&1'"); This actually worked – alvan Jul 25 '21 at 18:53
Thank you so much Michael!! – alvan Jul 25 '21 at 18:55

score 0 · Answer 2 · answered Jul 25 '21 at 16:56

0

Try with sudo, since /usr/bin/iptables.sh references to root of root.

$output = shell_exec("sudo -u root sh -c 'bash /usr/bin/iptables.sh 2>&1'");
echo $output;

answered Jul 25 '21 at 16:56

Ajay Singh

297
1
3
13

No luck, the php doesn't output anything in this case. But when I change the sudoers file to ALL, this works – alvan Jul 25 '21 at 17:34
@alvan have you tried above code without nopassword in sudoers like -> apache ALL=(root) /usr/bin/iptables.sh ; What is the output of – Ajay Singh Jul 25 '21 at 17:56
it is apache 15 characters – alvan Jul 25 '21 at 18:48

CENTOS apache ALL=(root) NOPASSWD: /path/to/shell.sh is not working

2 Answers2