15

I want to be able to restart services from a PHP script running under the www-user account.

What's the preferred way to perform these actions?

I reckon I can create a file with queued commands, read by cron, but the solution itches.

What I'm thinking of is a tiny service, running under root, allowing predefined "methods" so arbitrary root actions cannot be executed.

Any tool out there for this?

MadHatter
user65297

2 Answers

27

You could reinvent the wheel, but honestly, I use passwordless sudo for this. For example, my monitoring system needs to be able to run a command to check the hardware RAID. This requires root privilege, but I don't want to run the whole monitoring system as root, so instead I have in sudoers a line that says

```
nagios  ALL=(root) NOPASSWD: /usr/lib/nagios/plugins/check_md_raid
```

and then run the command `sudo /usr/lib/nagios/plugins/check_md_raid` as the monitoring user, when I need to check the RAID.

You could have a sudoers line that said

```
www-user    ALL=(root) NOPASSWD: /etc/rc.d/init.d/myservice
```

then have PHP execute `sudo /etc/rc.d/init.d/myservice restart`.

MadHatter
  • 2
    This is the way to go IMO. I used this process for a similar task. It's been in production for over 3 years now. Nothing has ever failed and the security risk is almost non-existent as long as you protect the PHP code that triggers it properly with your application logic. – Andrew Ensley Oct 08 '11 at 16:02
  • 1
    Thanks, sudoers new to me and bang on target. @Andrew, thanks for the additional info. – user65297 Oct 08 '11 at 20:16
  • 1
    user65927, forgive me if this isn't news to you, but local etiquette is that when you have a satisfactory answer to a question you accept it by clicking on the tick outline next to it. – MadHatter Oct 08 '11 at 23:41
  • 1
    You may also need to comment out the line "Defaults requiretty" in your sudoers file. This step has gotten me a few times. (E.g. change "Defaults requiretty" to "#Defaults requiretty") – steve.lippert Oct 10 '11 at 16:13
6

Take a look at sudo: it allows you to specify actions that can be performed as another user (root in your case).

You can, for example, add to your `/etc/sudoers` (don't edit the file directly; use `visudo`)

```
www-user-account ALL= NOPASSWD: /usr/bin/mypredefinedaction
```

See `man sudo` for the details and syntax of the file.

Matteo
  • 2
    Be VERY careful when you edit the `/etc/sudoers` file. If it is in any way syntactically incorrect, changing it back is a nightmare b/c you need to `sudo` back into it, but you can't b/c you just wiped out sudo. You end up having to use a rescue CD/DVD and mount the partition manually. – puk Nov 04 '11 at 07:24
  • 1
    @puk Actually to edit shudders you need root access and in case the file is damaged you can log in as root and then restore it (from a backup copy) or fix it manually. visudo also performs sanity checks on the file before writing it. – Matteo Nov 04 '11 at 10:19
  • what is `shudders`? It's true visudo does sanity checks, but they don't help after the damage is done :P – puk Nov 04 '11 at 10:24
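A sudoers entry that names only a command path permits any arguments to it, while an entry that lists arguments matches only those exact arguments. The sketch below builds a rule pinned to specific actions and checks it with `visudo -c -f` before installing it, which covers both answers and the syntax-error concern in the comments. It is an added example, not code from either answer; the function names, the drop-in file name and the use of an `/etc/sudoers.d` include directory are assumptions.

```shell
#!/bin/sh
# Added example. www-user and /etc/rc.d/init.d/myservice come from the answers;
# make_rule, install_rule and the drop-in name are hypothetical.

# Print a sudoers rule letting USER run CMD as root with exactly one of the
# listed ACTIONS as its only argument. Returns 1 on unsafe input.
make_rule() {
    user=$1 cmd=$2
    shift 2
    case $user in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    # Absolute path only; no wildcards, whitespace or sudoers metacharacters.
    case $cmd in /*) ;; *) return 1 ;; esac
    case $cmd in *[!A-Za-z0-9/._-]*) return 1 ;; esac
    [ "$#" -gt 0 ] || return 1
    list=
    for action in "$@"; do
        case $action in ''|*[!a-z-]*) return 1 ;; esac
        list="${list:+$list, }$cmd $action"
    done
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$list"
}

# Syntax-check RULE with visudo, then install it as a root-owned 0440 drop-in.
# A rule that fails the check is never copied into /etc/sudoers.d.
install_rule() {
    rule=$1 name=$2
    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"
    if visudo -c -f "$tmp" >/dev/null; then
        install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$name"
        status=$?
    else
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}

# Usage (as root):
#   rule=$(make_rule www-user /etc/rc.d/init.d/myservice restart) &&
#       install_rule "$rule" www-user-myservice
```

With the resulting rule, `sudo /etc/rc.d/init.d/myservice restart` runs without a password for www-user, while any other argument to the same script is refused.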