
I want to give one of the web developers testuser permission to set his own .htpasswd password using the /usr/bin/htpasswd command on the web server 'mywebserver'.

The web server tree belongs to the wwwadmin user, who therefore owns the .htpasswd file in the web root and is able to run htpasswd routinely.

In my understanding of sudo the next line in /etc/sudoers of the web server (stock Apache, CentOS 6) should do the job:

testuser        mywebserver=(wwwadmin) /usr/bin/htpasswd

The truth is that whenever the user testuser runs:

sudo /usr/bin/htpasswd .htpasswd someusername

the command is rejected with: [sudo] password for testuser: Sorry, user testuser is not allowed to execute '/usr/bin/htpasswd' as root on mywebsever.mydomain.com.

The log /var/log/secure shows:

Apr 1 17:13:51 mywebserver sudo: testuser : command not allowed ; TTY=pts/2 ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/htpasswd .htpasswd someusername

I'm baffled and have spent hours digging here and elsewhere for hints on why this happens (and why root is mentioned as the user instead of wwwadmin).

Any clues would be appreciated!

user67073

2 Answers


Reading the documentation answers your questions:

-u user, --user=user Run the command as a user other than the default target user (usually root). The user may be either a user name or a numeric user ID (UID) prefixed with the ‘#’ character (e.g. #0 for UID 0). When running commands as a UID, many shells require that the ‘#’ be escaped with a backslash (‘\’). Some security policies may restrict UIDs to those listed in the password database. The sudoers policy allows UIDs that are not in the password database as long as the targetpw option is not set. Other security policies may not support this.

user9517
  • Thanks for your answer - obviously I was looking in the wrong place, thinking of a misunderstanding of sudoers. – user67073 Apr 04 '16 at 18:25

You are giving testuser the privileges to run /usr/bin/htpasswd on mywebserver as the wwwadmin user, but when you actually run the sudo command you are not specifying what user to run it as; as a result, it defaults to root.

Try this:

sudo -u wwwadmin /usr/bin/htpasswd

digitaladdictions
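The mismatch both answers describe can be read straight off the denial line in /var/log/secure. The following is an added example, not code from the question or either answer: it compares the USER= field of a sudo denial with the Runas list of the rule and reports which part failed to match. The names parse_rule and diagnose are hypothetical, and only simple one-line rules are handled (no aliases, tags or wildcards; host matching is not checked).

```python
import re

# The sudoers rule and /var/log/secure line quoted in the question, embedded as sample input.
RULE = "testuser        mywebserver=(wwwadmin) /usr/bin/htpasswd"
LOG = ("Apr 1 17:13:51 mywebserver sudo: testuser : command not allowed ; "
       "TTY=pts/2 ; PWD=/var/www/html ; USER=root ; "
       "COMMAND=/usr/bin/htpasswd .htpasswd someusername")

RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmd>\S.*)$")
LOG_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<msg>.+?) ; TTY=.*? ; "
                    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")

def parse_rule(line):
    """Parse a simple user spec: one user, one host, one command, no aliases or tags."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported sudoers line")
    # Without a Runas_Spec the only permitted target user is root.
    runas = [u.split(":")[0].strip() for u in (m["runas"] or "root").split(",")]
    path, _, args = m["cmd"].partition(" ")
    return {"user": m["user"], "runas": runas, "path": path, "args": args.strip() or None}

def diagnose(rule_line, log_line):
    """Return (verdict, hint) explaining why the rule did not permit the logged request."""
    rule, m = parse_rule(rule_line), LOG_RE.search(log_line)
    if not m:
        raise ValueError("not a sudo log line")
    path, _, args = m["cmd"].partition(" ")
    if m["user"] != rule["user"]:
        return "user-mismatch", f"rule applies to {rule['user']}, not {m['user']}"
    if m["target"] not in rule["runas"]:
        # The case from the question: no -u given, so sudo targeted root.
        return "runas-mismatch", f"sudo -u {rule['runas'][0]} {m['cmd']}"
    if path != rule["path"]:
        return "command-mismatch", f"rule permits {rule['path']}, not {path}"
    if rule["args"] is not None and args != rule["args"]:
        return "args-mismatch", f"rule permits only arguments: {rule['args']}"
    return "match", "this rule permits the request; check host or other rules"

if __name__ == "__main__":
    print(diagnose(RULE, LOG))
```

The args-mismatch branch reflects that a sudoers rule which lists arguments after the command permits only those arguments, while a bare command path, as in the question's rule, permits any arguments.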