Why Apache can run a command and root cannot?

Question

I have a server-side script executed by Apache running as www-data. The script runs fine on the server when called remotely (http://example.com/script.sh).

I am trying to run the same script on the same server as root, impersonificating www-data. It does not, even su www-data -c 'id' or runuser -l www-data -c 'id' fails with

This account is currently not available.
2016 Nov  4 09:45:54 eu1 Attempted login by root on /dev/pts/0

This account is indeed locked from interactive login (which is normal):

# grep www-data /etc/shadow
www-data:*:15246:0:99999:7:::
# grep www-data /etc/passwd
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

Since Apache manages to run something as www-data then root ought to be able to do the same. How to do that?

score 4 · Accepted Answer · answered Nov 04 '16 at 09:52

4

try

su -s /bin/bash www-data -c

Since www-data has no shell, you have to specify one with the -soption.

answered Nov 04 '16 at 09:52

mzhaase

3,798
2
20
32

Why Apache can run a command and root cannot?

1 Answers1