即使更新了 sudoers,PHP 网页也不会启动 unix 命令
基本上我正在尝试从 php 网页重新启动服务。
这是代码:
<?php
exec ('/usr/bin/sudo /etc/init.d/portmap restart');
?>
但是,在 /var/log/httpd/error_log 中,我得到
无法更改为 sudoers gid:不允许操作
,在 /var/log/messages 中,我得到
9 月 22 日 15:01:56 ri 内核:审核(1222063316.536:777):avc:拒绝 { getattr } for pid=4851 comm="sh" name="var" dev=dm-0 ino=114241 scontext=根:system_r:httpd_sys_script_t tcontext = system_u:object_r:var_t tclass = dir
9 月 22 日 15:01:56 ri 内核:审核(1222063316.549:778):avc:拒绝 { setrlimit } for pid=4851 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process< br> 9 月 22 日 15:01:56 ri 内核:审核(1222063316.565:779):avc:拒绝 { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r :httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=文件
9 月 22 日 15:01:56 ri 内核:审计(1222063316.568:780):avc:拒绝 { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r :httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=文件
9 月 22 日 15:01:56 ri 内核:审计(1222063316.571:781):avc:拒绝 { setgid } for pid=4851 comm="sudo"capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass =能力
9 月 22 日 15:01:56 ri 内核:审计(1222063316.574:782):avc:拒绝 { setuid } for pid=4851 comm="sudo"capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass =能力
9 月 22 日 15:01:56 ri 内核:审计(1222063316.577:783):avc:拒绝 { setgid } for pid=4851 comm="sudo"capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass =能力
在我的 visudo 中,我添加了这些行
User_Alias WWW=apache
WWW ALL=(全部)NOPASSWD:全部
你能帮我吗? 难道我做错了什么 ?
感谢您的帮助,
tiBoun
Basically I am trying to restart a service from a php web page.
Here is the code:
<?php
exec ('/usr/bin/sudo /etc/init.d/portmap restart');
?>
But, in /var/log/httpd/error_log, I get
unable to change to sudoers gid: Operation not permitted
and in /var/log/messages, I get
Sep 22 15:01:56 ri kernel: audit(1222063316.536:777): avc: denied { getattr } for pid=4851 comm="sh" name="var" dev=dm-0 ino=114241 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Sep 22 15:01:56 ri kernel: audit(1222063316.549:778): avc: denied { setrlimit } for pid=4851 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Sep 22 15:01:56 ri kernel: audit(1222063316.565:779): avc: denied { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Sep 22 15:01:56 ri kernel: audit(1222063316.568:780): avc: denied { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Sep 22 15:01:56 ri kernel: audit(1222063316.571:781): avc: denied { setgid } for pid=4851 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 22 15:01:56 ri kernel: audit(1222063316.574:782): avc: denied { setuid } for pid=4851 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 22 15:01:56 ri kernel: audit(1222063316.577:783): avc: denied { setgid } for pid=4851 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
In my visudo, I added those lines
User_Alias WWW=apache
WWW ALL=(ALL) NOPASSWD:ALL
Can you please help me ? Am I doing something wrong ?
Thanks for your help,
tiBoun
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
目前问题不在于 sudo,而在于 SELinux,它(合理地)设置为拒绝 HTTPD 获取 root 权限。
您需要明确允许此操作(您可以使用 audit2allow 来实现此目的),或者将 SELinux 设置为相反,要宽容。 我建议前者。
The problem is not with sudo at the moment, but with SELinux, which is (reasonably) set to deny the HTTPD from gaining root privileges.
You will need to either explicitly allow this (you can use audit2allow for this), or set SELinux to be permissive instead. I'd suggest the former.
您收到的错误似乎与您的 SELinux 配置有关。 您可以尝试暂时禁用该功能。
顺便说一句,我强烈建议您调整 sudo 配置以使其更具限制性。
The error you are getting seems to be related to your SELinux configuration. You might try temporarily disabling that.
As an aside, I would strongly suggest that you adjust your sudo configuration to be more restrictive.
我最近遇到了这个问题,上面接受的答案有帮助。 但是,我想发布这个答案来详细说明相同的内容,以便下一个人不需要花费太多时间,就像我一样!
请遵循以下链接的第 7 部分:https://wiki.centos.org/HowTos/SELinux 。
使用
httpd_sys_script_t执行 grep。基本上步骤是:
I encountered the problem recently and the accepted answer above helped. However, I would like to post this answer to elaborate the same, so that the next person does not need to spend time much, like me!
Follow section 7 of the following link: https://wiki.centos.org/HowTos/SELinux.
Do grep with
httpd_sys_script_t.Basically the steps are:
这可能是由于尝试在非交互式 shell 中执行 sudo 之类的原因。
如果您在 apache 用户邮件日志中对“sudo”执行 grep,您可能会发现类似这样的内容
This is probably down to something like trying to execute sudo in a non-interactive shell.
If you do a grep for 'sudo' in your apache users mail log you might find things like this