Let Apache Run Bash Script As Root

#1 Wed, 03/17/2010 - 17:00
mrwilder

Hi all, suppose I want to let apache run a script that will shut down the server.

In my attempt to pull this off, I've done the following:

added the following to sudoers:

ALL ALL=NOPASSWD: /home/site/public_html/theScript.sh
apache ALL=NOPASSWD: /sbin/shutdown now

chmod 4777 theScript.sh

created a php page that calls the script

The script works and the php page calls it, but when it's called from a web site, it doesn't actually shut down the machine.

What did I forget?

Thanks anyone

Wed, 03/17/2010 - 17:42
ronald

so you have a world-writable script that can sudo without a password? And it's active on a publicly accessible server?

that sounds great.
the website that calls the script is owned by ..., not apache? Perhaps ... should execute the script and not apache?

Wed, 03/17/2010 - 17:47
mrwilder

I can change the writeable permissions by

chmod 4711 theScript.sh, right?

If I understand correctly you are saying I should change the sudoers file to reflect permissions for the site administrator?

Thu, 03/18/2010 - 12:54
ronald

a world-writable script lets someone not trusted change such a script.
the other thing, the script has sudo rights without a password.
That would be like giving the key to your house to someone unknown.
A matter of time before accidents happen.

I never heard of anyone wanting Apache to be able to shut the server down, but I don't get out much.

Thu, 03/18/2010 - 16:16
mrwilder

Ummm... I understand to make the script NOT world writeable... Yes I am trying to make the script sudo with no pass, but it's not working.

I need to be able to shut down the server because it seems like the easiest way to interface with the UPS system already in place at the company I am contracting for. If I can have their daemon wget a web page, that seemed secure enough.

How would you do it? Based on $0 budget, of course.

Thu, 03/18/2010 - 17:33
ronald

I have either a remote access card in the server or have it on an APC for shutting down or rebooting. I never had to think about a php script. Webmin uses a script called shutdown.cgi; perhaps you can use this?

Thu, 03/18/2010 - 18:33
mrwilder

That shutdown.cgi script would be sweet, but how could I call it without being logged in to webmin? The machine that IS plugged into the master UPS is the only one who knows when it's time to die, and it needs to get a signal to the others, but there is no network signalling software such as that used by APC, (apcupsd?? IIRC).

And there's only ONE local port on the UPS to control a machine - and that's a USB.

SOOoooo, calling shutdown.cgi sounds great. Or my own. Any ideas?

Thu, 03/18/2010 - 19:18
ronald

you can take that shutdown.cgi and copy it to the domain perhaps, or the code may give insight into how to use it. I wouldn't know otherwise.
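
A defender's check for the setup in the first post, as an added example that is not part of the original thread: it audits a NOPASSWD sudoers rule and the file it points at for the problems ronald raises (a world-writable target, passwordless sudo for any user) plus closely related ones. The function names and finding labels are invented for illustration, and it assumes the simple one-command rule form quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit NOPASSWD sudoers rules such as
# the two quoted in the first post. Each finding is printed on its own line.

# has_mode FILE MODE: true when FILE has every permission bit in MODE set.
has_mode() { [ -n "$(find -H "$1" -prune -perm "-$2" 2>/dev/null)" ]; }

# check_target FILE: problems with a command that sudo will run as root.
check_target() {
    f=$1
    [ -e "$f" ] || { echo "MISSING $f"; return 0; }
    # Anyone who can write the file decides what root executes.
    if has_mode "$f" 0002; then echo "WORLD_WRITABLE $f"; fi
    if has_mode "$f" 0020; then echo "GROUP_WRITABLE $f"; fi
    # Linux ignores setuid on interpreted scripts; the bit adds no privilege.
    if has_mode "$f" 4000; then echo "SETUID_BIT $f"; fi
    # A non-root owner can edit or chmod the file whatever its current mode.
    if [ -n "$(find -H "$f" -prune ! -user root 2>/dev/null)" ]; then echo "NOT_ROOT_OWNED $f"; fi
    # A world-writable directory lets the file be replaced outright.
    d=$(dirname "$f")
    if has_mode "$d" 0002; then echo "DIR_WORLD_WRITABLE $d"; fi
    return 0
}

# check_rule LINE: audit one "user host=NOPASSWD: command [args]" line.
# Assumption: that simple form only; aliases and runas specs are not parsed.
check_rule() {
    line=$1
    case $line in *NOPASSWD:*) ;; *) return 0 ;; esac
    user=${line%% *}
    cmd=${line#*NOPASSWD:}
    cmd=${cmd#"${cmd%%[! ]*}"}   # strip leading spaces
    path=${cmd%% *}              # drop arguments such as "now"
    if [ "$user" = "ALL" ]; then echo "ANY_USER_NOPASSWD $path"; fi
    check_target "$path"
}

# Constructed demo: recreate the first post's permissions in a temp directory.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\n# constructed placeholder\n' > "$tmp/theScript.sh"
    chmod 4777 "$tmp/theScript.sh"
    check_rule "ALL ALL=NOPASSWD: $tmp/theScript.sh"
    rm -rf "$tmp"
}
demo
```

A rule that names only the apache user and points at a root-owned file with mode 0755, in a directory that is not world-writable, produces no findings.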
