
I want to allow running a specific command on my website through the PHP exec() function, so I found a way: add www-data to the sudoers.d files to allow running specific commands without asking for a password.

I tried the following:

  1. Check where the program lives: `whereis hashcat` -> `hashcat: /usr/bin/hashcat`
  2. Add a new file with `sudo visudo /etc/sudoers.d/www-data` and add the following line: `www-data ALL=(www-data:www-data)NOPASSWD: /user/bin/hashcat`
  3. Try to run it as www-data: `sudo -u www-data sudo hashcat`. Then I get `[sudo] password for www-data:`, which means it doesn't seem to work.

What am I doing wrong, and what should I do instead? Is my decision to do it this way correct? Is there a better and safer solution?

  • Are you sure it's "/user/bin/hashcat" - with user instead of usr - in your /etc/sudoers.d/www-data file? In your question you showed that hashcat is located in /usr/bin. Also: are you sure that hashcat needs to run as root? Why can't it simply be executed as www-data? – cyberbrain Jan 27 '22 at 17:28
  • Although the end result might be that you can run shell commands using your webserver, what this really is, is giving the web server's account and **all** scripts it may run permission to run as root on your server. This scares me. If you can, try relaxing the permissions on the specific command(s) you need to run. Or, consider building a simple queue (just a database or text file even) that your web submits to, and have a daemon (cron, service supervisord, etc.) read the queue and execute safe-listed sets of commands elevated. – Chris Haas Jan 27 '22 at 17:46
  • If you do the latter (which sounds complicated but isn't really too much), make sure you don't make it too "smart" where you can pass dynamic things for it to interpret, otherwise you'll be making another Log4J. – Chris Haas Jan 27 '22 at 17:47
  • @cyberbrain - Yes, it was /usr/, sorry for that, I'll edit the answer. When I try to execute this without root, it says "Permission denied", so it worked with sudo – mixamm Jan 28 '22 at 03:28
  • @ChrisHaas - And if that was a little bit insecure, I want to add only one command (sudo hashcat) to execute with www-data – mixamm Jan 28 '22 at 03:30


That problem is solved by removing the (www-data:www-data), so my www-data file in sudoers.d looks like: `www-data ALL=NOPASSWD: /usr/bin/hashcat`. Thanks all for answering and giving me a hint to solve this! Especially thanks to @cyberbrain for pointing out my carelessness!

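To see why the original rule prompted for a password while the answer's rule does not, here is an added example (not code from the question, the answer or sudo itself) that models sudo's matching for a single sudoers user specification. The parser is a deliberately simplified subset (host list ignored, no aliases or negation), and the hashcat argument string used when calling it is a constructed sample.

```python
import re
from dataclasses import dataclass

# Simplified sudoers user specification (assumed subset, no aliases/negation):
#   user  host = (runas_user:runas_group) TAG: /path/cmd [args], /path/cmd2
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

@dataclass
class SudoRule:
    user: str
    runas_users: set
    nopasswd: bool
    commands: list  # (path, args) pairs; args None means "any arguments accepted"

def parse_rule(line: str) -> SudoRule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a user specification: {line!r}")
    runas = m.group("runas")
    if runas is None:
        # No Runas_Spec at all: sudo falls back to runas_default, which is root.
        runas_users = {"root"}
    else:
        # Only the user part before ':' decides which -u targets this rule covers.
        runas_users = {u.strip() for u in runas.partition(":")[0].split(",") if u.strip()}
    commands = []
    for entry in m.group("cmds").split(","):
        path, _, args = entry.strip().partition(" ")
        commands.append((path, args.strip() or None))
    return SudoRule(m.group("user"), runas_users, "NOPASSWD" in m.group("tags"), commands)

def check(rule: SudoRule, invoker: str, target: str, path: str, args: str = "") -> tuple:
    """(allowed, password_prompt) for `sudo -u <target> <path> <args>` run by <invoker>.
    Plain `sudo cmd` means target='root'. A rule that does not match still prompts, then denies."""
    if rule.user not in ("ALL", invoker):
        return (False, True)
    if "ALL" not in rule.runas_users and target not in rule.runas_users:
        return (False, True)  # this is the question's case: (www-data:www-data) never covers root
    for cmd_path, cmd_args in rule.commands:
        if cmd_path == "ALL" or (cmd_path == path and cmd_args in (None, args)):
            return (True, not rule.nopasswd)
    return (False, True)
```

Because the answer's rule lists the command without arguments, sudo matches any argument string; when the web app only ever needs one fixed invocation, pin those arguments in the rule so the entry covers nothing more.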