Running as root from PHP/Apache exec() or system(): "sudo: unable to open audit system: Permission denied"

Posted 2024-12-03 08:16:12


I have been spending half a day trying to figure this out, and I've done a lot of research. I'm also familiar with many of the existing discussions on this topic, such as this one:
How to run PHP exec() as root?

Unfortunately, none of the suggestions I've found seem to work for me.

First of all, I am writing something to a spec, so I can't really avoid doing this. Also, all machines will exist on a private network that is not connected to the internet. While it's important to have SOME security, it's mostly necessary to prevent mistakes. My objective is to configure some "thin servers". Via a PHP script, I need to be able to change the network config (static or DHCP) and restart networking.

The first thing I tried was to write a C program that is SUID root. It reads, modifies, and writes a network config file. If I run it as a regular user, it works just fine and can access and modify a file owned by root. But if I run it from a PHP script, I get access errors. It appears that Apache prevents SUID root somehow.

Based on suggestions from other discussions, I tried the "sudo" method. Temporarily, I added this to /etc/sudoers:
apache ALL=(ALL) NOPASSWD: ALL

The error I get is this:
sudo: unable to open audit system: Permission denied

According to this page in Russian, this is happening because systems like RHEL (I'm using Fedora) default to requiretty for sudoers. So I added this line to /etc/sudoers:
Defaults !requiretty

I still get the same error.
sudo: unable to open audit system: Permission denied

I'm completely stymied here. That is, unless I want to run Apache itself as root, something that would be more inconvenient than anything else.

Can anyone make any suggestions here? I realize what I'm trying to do is weird. And I bet some of you will point me to some existing system for remotely configuring Fedora machines (and now that I think of it, I'm going to go look into that right now).

BTW, I am running SELinux, because that is how Fedora 15 is configured by default.

Thanks.

EDIT:
I found this tutorial:
http://www.cyberciti.biz/faq/howto-disable-httpd-selinux-security-protection/

Unfortunately, when I run "setsebool httpd_disable_trans 1", I get the error:
Could not change active booleans: Invalid boolean

I also tried directly editing "/etc/selinux/targeted/booleans", which didn't exist, and restarting apache, but that didn't work either.
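The sudoers line tried above, apache ALL=(ALL) NOPASSWD: ALL, hands the web server user unrestricted root, so any flaw in the PHP script that lets a visitor influence the command becomes a root-level problem. The helper below is an added example, not the poster's code, showing the narrower shape a practitioner would usually aim for once the SELinux and audit problems are sorted out: a single fixed script that is the only command granted in sudoers, that accepts only the two things the question needs (DHCP or a static address for one interface), and that validates every argument before it touches a root-owned file. The path /usr/local/sbin/netcfg-helper, the ifcfg-style file layout under /etc/sysconfig/network-scripts and the sudoers entry in the comment are assumptions for illustration; restarting networking is deliberately left out so that this script does one thing.

```shell
#!/bin/sh
# Constrained network-config helper (added example, not the poster's code).
# Intended to be the ONLY command granted to the web server user in sudoers,
# for example (assumed path):
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/netcfg-helper
# instead of "apache ALL=(ALL) NOPASSWD: ALL".
#
# Usage: netcfg-helper dhcp <iface>
#        netcfg-helper static <iface> <ipv4> <prefix>
# NETCFG_DIR overrides the target directory (handy for testing without root).

NETCFG_DIR="${NETCFG_DIR:-/etc/sysconfig/network-scripts}"

# Accept only plain interface names: letters, digits, dot, dash, underscore.
# Anything else (slashes, spaces, shell metacharacters) is refused.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept only a dotted quad with every octet in 0..255.
valid_ipv4() {
    oldifs=$IFS
    IFS=.
    set -f            # no pathname expansion while splitting on "."
    set -- $1
    set +f
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Prefix length must be a number in 0..32.
valid_prefix() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ]
}

# Render the ifcfg file. Every value is validated first, so nothing the
# caller controls reaches the file or the file name unchecked.
write_config() {
    mode=$1; iface=$2; ip=$3; prefix=$4
    valid_iface "$iface" || { echo "bad interface name" >&2; return 2; }
    file="$NETCFG_DIR/ifcfg-$iface"
    case "$mode" in
        dhcp)
            printf 'DEVICE=%s\nBOOTPROTO=dhcp\nONBOOT=yes\n' "$iface" > "$file" || return 3 ;;
        static)
            valid_ipv4 "$ip" || { echo "bad IPv4 address" >&2; return 2; }
            valid_prefix "$prefix" || { echo "bad prefix length" >&2; return 2; }
            printf 'DEVICE=%s\nBOOTPROTO=none\nONBOOT=yes\nIPADDR=%s\nPREFIX=%s\n' \
                "$iface" "$ip" "$prefix" > "$file" || return 3 ;;
        *)
            echo "mode must be dhcp or static" >&2; return 2 ;;
    esac
    chmod 0644 "$file"
}

main() {
    write_config "$@" || exit $?
    # Restarting networking belongs in a second, equally narrow step
    # (its own fixed command in sudoers); it is intentionally not done here.
}

if [ $# -gt 0 ]; then main "$@"; fi
```

From PHP the call then carries only the validated-by-design arguments (for example sudo /usr/local/sbin/netcfg-helper dhcp eth0), and the helper, not the PHP process, decides what may be written.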

Comments (2)

檐上三寸雪 2024-12-10 08:16:12

Did you try setenforce 0 (disable SELinux temporarily), audit2allow, or fully disable SELinux? See: PHP webpage doesn't launch unix command even after updated sudoers

听你说爱我 2024-12-10 08:16:12

This worked for me after searching for hours. Good Luck! :)

semanage fcontext -a -t httpd_sys_script_exec_t '/whatever/scripts(/.*)?'

restorecon -R -v /whatever/scripts/

https://stackoverflow.com/a/15424003/11249696
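Both comments point at SELinux: the first at audit2allow, the second at relabeling the script directory as httpd_sys_script_exec_t. Before relabeling, or worse, setting the machine permissive, a practitioner would want to see exactly which denials the audit log recorded, since a denial of httpd writing a network config file is the policy doing its job and argues for the narrow-helper design rather than a label change. The script below is an added example, not from either commenter: it extracts source domain, target type, object class, permission and process from type=AVC records and counts repeats. The three audit lines are constructed to follow the layout of /var/log/audit/audit.log AVC records and are not real captures from the poster's machine.

```shell
#!/bin/sh
# Summarise SELinux AVC denials from audit-log lines (added example, not from
# the thread). SAMPLE_AUDIT is constructed to mimic audit.log records; on a
# real system the input would be "ausearch -m avc" or audit.log itself.

SAMPLE_AUDIT='type=AVC msg=audit(1322930000.101:201): avc:  denied  { execute } for  pid=2101 comm="httpd" name="netcfg" dev=dm-0 ino=3001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1322930000.101:201): arch=c000003e syscall=59 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1322930000.250:202): avc:  denied  { write } for  pid=2101 comm="httpd" name="ifcfg-eth0" dev=dm-0 ino=4002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1322930000.300:203): avc:  denied  { execute } for  pid=2101 comm="httpd" name="netcfg" dev=dm-0 ino=3001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# Read audit records on stdin; print one line per AVC denial:
#   <source domain> <target type> <class> <permission> <comm>
# Only fields present on the record itself are reported.
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; scon = ""; tcon = ""; cls = ""; cmd = ""
        # permission set looks like "{ execute }" or "{ read write }"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], p, ":"); scon = p[3] }
            else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tcon = p[3] }
            else if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "comm") { cmd = kv[2]; gsub(/"/, "", cmd) }
        }
        print scon, tcon, cls, perm, cmd
    }'
}

# Collapse identical denials and count them, most frequent first, so the
# decision (relabel the script directory, or keep the denial and redesign)
# is made per distinct (domain, type, class, permission) rather than per line.
avc_counts() {
    avc_summary | sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed sample.
if [ $# -gt 0 ] && [ "$1" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AUDIT" | avc_counts
fi
```

In the sample, httpd_t executing a file labelled admin_home_t is the kind of denial the second comment's semanage fcontext line addresses; httpd_t writing a net_conf_t file is one to keep and route through a confined helper instead.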
