shell_exec("journalctl"); permissions

Question

I'm trying to get log messages from journalctl from PHP, but getting an error - "Hint: You are currently not seeing messages from other users and the system. Users in the 'systemd-journal' group can see all messages."

shell_exec('whoami') //shows "admin"

Tried to put into /etc/sudoers.d/admin these lines one by one but none of them worked

%admin ALL=(root) NOPASSWD: /usr/sbin/journalctl
admin ALL=NOPASSWD: /usr/sbin/journalctl
%admin ALL=(ALL) ALL
www-data ALL=NOPASSWD: ALL

shell_exec("sudo -l"); - doesn't indicate that this privilege has been granted

How can I grant privilege to php shell_exec sudo on CENTOS 7 to get this request?

@MarkusZeller I run it from a web interface through a browser — serguei, Sep 12 '22 at 10:56
Then you must grant access to the www-data user (default on apache). — Markus Zeller, Sep 12 '22 at 12:26
@MarkusZeller it tried "www-data ALL=NOPASSWD: ALL" but surprisingly it didn't work. if I want only journalctl is it something like this "www-data ALL=NOPASSWD: /usr/sbin/journalctl -u mariadb -n"? — serguei, Sep 12 '22 at 14:23
Look here for some details: https://unix.stackexchange.com/questions/115054/php-shell-exec-permission-on-linux-ubuntu — Markus Zeller, Sep 12 '22 at 15:43
@MarkusZeller thank you. But is it OK I get "admin" from running shell_exec('whoami')? — serguei, Sep 12 '22 at 17:26
Also look here: https://stackoverflow.com/questions/28548743/php-get-current-user-vs-execwhoami — Markus Zeller, Sep 12 '22 at 17:45
Check if SELinux is running. Look for any SELinux warning in /var/log/messages or /var/log/secure or /var/log/audit/audit.log — Niraj Nandane, Sep 13 '22 at 11:31
@MarkusZeller in my httpd.conf under User/Group I have "apache" and in phpinfo() under apache2handler I have "apache(48)/48". probably I need to use "apache ALL=NOPASSWD: /usr/sbin/journalctl"? — serguei, Sep 13 '22 at 12:03
@NirajNandane thank you. it worked. I can see this line from shell_exec("sudo -l"). But I'm still getting an error from journalctl. I'll try to find out what's wrong with journalctl. — serguei, Sep 13 '22 at 16:57
@NirajNandane "Users in the 'systemd-journal' group can see all messages." tried changing "Storage=auto" to "Storage=persistent" on /etc/systemd/journald.conf. but no luck — serguei, Sep 15 '22 at 18:37

Niraj Nandane · Answer 1 · 2022-09-19T04:13:47.427

0

Add admin ALL=(ALL) NOPASSWD: ALL and Defaults:admin !requiretty in /etc/sudoers to get this working.

edited Sep 19 '22 at 04:13

answered Sep 15 '22 at 13:34

Niraj Nandane

1,318
1
13
24

now it's working from SSH under admin, but doesn't work from shell_exec from php. I get same results running " id admin" "uid=1001(admin) gid=1001(admin) groups=1001(admin),190(systemd-journal)" so it's some php shell_exec bug – serguei Sep 15 '22 at 18:56
Can you please try this `admin ALL=(ALL) NOPASSWD: ALL` – Niraj Nandane Sep 19 '22 at 04:08
Also try adding this in /etc/sudoers. `Defaults:admin !requiretty` – Niraj Nandane Sep 19 '22 at 04:13

shell_exec("journalctl"); permissions

1 Answers1