Accepted
mbrownnyc
Asked: 2012-08-16 06:35:54 +0800 CST

Calling sudo from a script that was itself invoked with sudo prompts for a password, even with NOPASSWD


The PHP program I'm using (LConf) uses sudo.

I have allowed the user apache to run the script with sudo -u apache /usr/local/LConf/lconf_deploy.sh.

lconf_deploy.sh prompts me for a password when it calls /usr/bin/sudo -u icinga /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v, but the lines called before and after that line run without any problem.

After reading a lot (on stackexchange and elsewhere on the internet) about what to do in this situation, I have disabled requiretty and used NOPASSWD on everything I could think of that affects this case.

# cat /etc/sudoers | grep -v "#"
Defaults    always_set_home
Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root    ALL=(ALL)       ALL
apache ALL = NOPASSWD: /usr/local/LConf/lconf_deploy.sh
apache ALL = NOPASSWD: /usr/bin/sudo -u icinga /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
apache ALL = NOPASSWD: /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
icinga ALL = NOPASSWD: /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v

Is it possible to use sudo to switch user context (or whatever it is) while already "sudoing"?

If not, how do I solve this? Note that /usr/local/LConf/LConfExport.pl must run as the user icinga.

Thanks,

Matt

[Update, following mdpc's comment below]

   User_Alias      LCONF=apache,icinga
   Defaults:LCONF !requiretty
   LCONF ALL=(icinga) NOPASSWD: /usr/local/LConf/LconfExport.pl -o /etc/icinga/lconf -v
   LCONF ALL= NOPASSWD: /usr/local/LConf/lconf_deploy.sh

Running sudo -u apache /usr/local/LConf/lconf_deploy.sh still prompts for a password:

   # cat  /usr/local/LConf/lconf_deploy.sh
   echo start of script
   /usr/bin/sudo -u icinga /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
   /etc/init.d/icinga reload
   # sudo -u apache /usr/local/LConf/lconf_deploy.sh
   start of script
   [sudo] password for apache:
   Running configuration check.../etc/init.d/icinga: line 111: /var/icinga/icinga.chk:      Permission denied
   CONFIG ERROR! Reload aborted. See /var/icinga/icinga.chk for details.

Any help is appreciated.

Tags: php
3 answers · 810 views

3 Answers

  1. mdpc
    2012-08-16T07:19:47+08:00

    This line:

     apache ALL = NOPASSWD: /usr/bin/sudo -u icinga /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
    

    won't work. It runs sudo as apache, which isn't right.

    What you probably want is:

      apache ALL=(icinga) NOPASSWD: /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
    
    • 5
  2. user130370
    2012-08-16T07:03:37+08:00

    Type

    su - apache

    then

    /usr/local/LConf/lconf_deploy.sh
    

    If the first command doesn't work, type:

    su - apache -s /bin/bash
    
    • 1
  3. Best Answer
    mbrownnyc
    2012-08-17T06:41:24+08:00
       == mbrownnyc [266b4002@gateway] has joined ##linux
       -ChanServ- [##linux] Welcome to ##Linux! Can't speak? Please see http://linuxassist.net/irc on how to register or identify your nick. By joining this channel you agree to abide by the channel rules and guidelines stated on the official ##Linux website http://www.linuxassist.net/rules .
       <loomsen> there are different ways to solve this, but all of them are ugly and discouraged
       <loomsen> mbrownnyc, you could add apache to the icinga group, make that script ug+x and set a sticky bit
       <nb-ben> mbrownnyc, you should take a look at suEXEC for php
    
       <koala_man> mbrownnyc: works fine: http://pastebin.com/JhefHzCh
       <koala_man> mbrownnyc: I still think you're just confusing your users
       <koala_man> mbrownnyc: you add permissions for apache to run lconf_deploy as root, and then test using your icinga user
       <koala_man> to run it as apache
    

    Solution:

       # cat /etc/passwd | grep icinga
       icinga:x:499:500:icinga:/var/icinga:/bin/false
       # cat /etc/passwd | grep apache
       apache:x:48:48:Apache:/var/www:/bin/false
    
       # grep -v "#" /etc/sudoers
       Defaults    !requiretty
       Defaults   !visiblepw
       Defaults    always_set_home
       Defaults    env_reset
       Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
       Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
       Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
       Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
       Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
       Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
       root    ALL=(ALL)       ALL
    
       User_Alias      LCONF=apache,icinga
       Defaults:LCONF !requiretty
    
       LCONF ALL=(apache) NOPASSWD: /usr/local/LConf/lconf_deploy.sh
       LCONF ALL=(icinga) NOPASSWD: /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
    
       # cat /usr/local/LConf/lconf_deploy.sh
       #!/bin/bash
       echo start of script
       sudo -u icinga /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
       /etc/init.d/icinga reload
    
    • 0
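The point mdpc makes, and that the accepted answer's sudoers applies, is that a sudoers entry matches three things at once: the invoking user, the runas user in parentheses (root when omitted), and the command with its arguments compared literally. The following is an added example, not code from the question, the answers or the sudo project: a small Python model of just that subset of sudoers matching, fed the three rule sets posted above (Defaults lines omitted, as they never grant a command). It assumes only the syntax those listings use; `parse_sudoers`, `check`, `inner_call_outcome` and the `*_RULES` constants are names chosen for this example.

```python
"""Toy model of the sudoers matching this thread exercises: invoking user
(or User_Alias), runas user in parentheses, the NOPASSWD tag, and exact
command-plus-argument matching.  Real sudo does far more (Host_Alias,
Cmnd_Alias, wildcards, negation, Defaults); this is an added example, not
code from the question, the answers, or sudo itself."""
import shlex
from dataclasses import dataclass

DEFAULT_RUNAS = "root"  # sudo's runas_default: what "-u" means when omitted


@dataclass(frozen=True)
class Rule:
    users: frozenset   # invoking users, aliases already expanded
    runas: frozenset   # target users permitted after -u
    nopasswd: bool
    command: tuple     # ("ALL",) or the exact (path, *args)


def parse_sudoers(text):
    """Parse the subset of sudoers syntax used in the listings above."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue  # Defaults (requiretty etc.) never grant a command
        if line.startswith("User_Alias"):
            name, members = line[len("User_Alias"):].split("=", 1)
            aliases[name.strip()] = frozenset(m.strip() for m in members.split(","))
            continue
        left, right = line.split("=", 1)        # "<user> <hosts>" = "<spec>"
        user = left.split()[0]                  # the host list is ignored here
        right = right.strip()
        runas = frozenset({DEFAULT_RUNAS})
        if right.startswith("("):
            inside, right = right[1:].split(")", 1)
            runas = frozenset(u.strip() for u in inside.split(","))
            right = right.strip()
        nopasswd = right.startswith("NOPASSWD:")
        if nopasswd:
            right = right[len("NOPASSWD:"):].strip()
        rules.append(Rule(aliases.get(user, frozenset({user})), runas,
                          nopasswd, tuple(shlex.split(right))))
    return rules


def check(rules, invoking_user, runas_user, argv):
    """Outcome of `sudo -u <runas_user> <argv>` run by invoking_user:
    "nopasswd", "password" or "denied".  As in sudo, the last matching
    rule wins.  Real sudo authenticates before it reports a denial, so
    "denied" still shows up as a password prompt on the terminal."""
    outcome = "denied"
    for rule in rules:
        if "ALL" not in rule.users and invoking_user not in rule.users:
            continue
        if "ALL" not in rule.runas and runas_user not in rule.runas:
            continue
        if rule.command != ("ALL",) and rule.command != tuple(argv):
            continue  # path and arguments are compared literally
        outcome = "nopasswd" if rule.nopasswd else "password"
    return outcome


# Rules as posted in the question's first /etc/sudoers listing.
ORIGINAL_RULES = """
root    ALL=(ALL)       ALL
apache ALL = NOPASSWD: /usr/local/LConf/lconf_deploy.sh
apache ALL = NOPASSWD: /usr/bin/sudo -u icinga /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
apache ALL = NOPASSWD: /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
icinga ALL = NOPASSWD: /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
"""

# Rules from the question's update.  The script path in the first LCONF rule
# is spelled "LconfExport.pl"; the matcher compares it literally against the
# "LConfExport.pl" the script actually calls.
UPDATED_RULES = """
User_Alias      LCONF=apache,icinga
Defaults:LCONF !requiretty
LCONF ALL=(icinga) NOPASSWD: /usr/local/LConf/LconfExport.pl -o /etc/icinga/lconf -v
LCONF ALL= NOPASSWD: /usr/local/LConf/lconf_deploy.sh
"""

# Rules from the accepted answer.
ACCEPTED_RULES = """
root    ALL=(ALL)       ALL
User_Alias      LCONF=apache,icinga
Defaults:LCONF !requiretty
LCONF ALL=(apache) NOPASSWD: /usr/local/LConf/lconf_deploy.sh
LCONF ALL=(icinga) NOPASSWD: /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v
"""

# The inner call lconf_deploy.sh makes while it is already running as apache.
INNER_ARGV = ["/usr/local/LConf/LConfExport.pl", "-o", "/etc/icinga/lconf", "-v"]


def inner_call_outcome(sudoers_text):
    """What the inner `sudo -u icinga LConfExport.pl ...` gets under a rule set."""
    return check(parse_sudoers(sudoers_text), "apache", "icinga", INNER_ARGV)


if __name__ == "__main__":
    for name, text in [("original", ORIGINAL_RULES), ("update", UPDATED_RULES),
                       ("accepted", ACCEPTED_RULES)]:
        print(f"{name:9s} apache -> icinga LConfExport.pl: {inner_call_outcome(text)}")
    # What the "sudo inside sudoers" rule of the original listing really grants:
    # apache running /usr/bin/sudo as root, not the inner call as icinga.
    print("original  apache -> root /usr/bin/sudo ...:",
          check(parse_sudoers(ORIGINAL_RULES), "apache", "root",
                ["/usr/bin/sudo", "-u", "icinga"] + INNER_ARGV))
```

Under the original rules the inner call matches nothing: the `apache ... LConfExport.pl` entry has an implicit runas of root, so `-u icinga` falls outside it, and the entry that names `/usr/bin/sudo` only grants apache the right to run sudo itself as root, which is a broader grant than intended and not the one the script needs. Only a rule with `(icinga)` in the runas position matches, which is what both mdpc's line and the accepted listing provide. On a real host the same question is answered by `sudo -l -U apache -u icinga /usr/local/LConf/LConfExport.pl -o /etc/icinga/lconf -v` run as root, which prints the matched command or exits non-zero without ever executing it.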
