PHP webpage doesn't launch unix command even after updated sudoers


Problem description

Basically I am trying to restart a service from a php web page.

Here is the code:

<?php
exec ('/usr/bin/sudo /etc/init.d/portmap restart');
?>

However, in /var/log/httpd/error_log, I get

unable to change to sudoers gid: Operation not permitted

and in /var/log/messages, I get

Sep 22 15:01:56 ri kernel: audit(1222063316.536:777): avc: denied { getattr } for pid=4851 comm="sh" name="var" dev=dm-0 ino=114241 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Sep 22 15:01:56 ri kernel: audit(1222063316.549:778): avc: denied { setrlimit } for pid=4851 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Sep 22 15:01:56 ri kernel: audit(1222063316.565:779): avc: denied { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Sep 22 15:01:56 ri kernel: audit(1222063316.568:780): avc: denied { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Sep 22 15:01:56 ri kernel: audit(1222063316.571:781): avc: denied { setgid } for pid=4851 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 22 15:01:56 ri kernel: audit(1222063316.574:782): avc: denied { setuid } for pid=4851 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 22 15:01:56 ri kernel: audit(1222063316.577:783): avc: denied { setgid } for pid=4851 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability

In my visudo, I added those lines

User_Alias WWW=apache

WWW ALL=(ALL) NOPASSWD:ALL

Can you please help me? Am I doing something wrong?

Thanks for your help,

tiBoun

Recommended answer

The problem is not with sudo at the moment, but with SELinux, which is (reasonably) set to deny the HTTPD from gaining root privileges.
You will need to either explicitly allow this (you can use audit2allow for this), or set SELinux to be permissive instead. I'd suggest the former.
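
The denials quoted in the question, grouped into the kind of allow rules that audit2allow derives from such records, so the resulting policy can be read before a module is loaded. This is an added example, not part of the original answer: it is a simplified re-implementation rather than audit2allow itself, and `allow_rules` and `needs_review` are hypothetical helper names.

```python
import re
from collections import defaultdict

# AVC denials copied from the question's /var/log/messages excerpt.
SAMPLE_LOG = """\
Sep 22 15:01:56 ri kernel: audit(1222063316.536:777): avc: denied { getattr } for pid=4851 comm="sh" name="var" dev=dm-0 ino=114241 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_t tclass=dir
Sep 22 15:01:56 ri kernel: audit(1222063316.549:778): avc: denied { setrlimit } for pid=4851 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Sep 22 15:01:56 ri kernel: audit(1222063316.565:779): avc: denied { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Sep 22 15:01:56 ri kernel: audit(1222063316.568:780): avc: denied { read } for pid=4851 comm="sudo" name="shadow" dev=dm-0 ino=379669 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
Sep 22 15:01:56 ri kernel: audit(1222063316.571:781): avc: denied { setgid } for pid=4851 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 22 15:01:56 ri kernel: audit(1222063316.574:782): avc: denied { setuid } for pid=4851 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
Sep 22 15:01:56 ri kernel: audit(1222063316.577:783): avc: denied { setgid } for pid=4851 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)'
)

def allow_rules(log_text):
    """Group denials by (source type, target type, class) into allow-rule strings."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        src = m['src'].split(':')[2]  # context is user:role:type[:level]
        tgt = m['tgt'].split(':')[2]
        if tgt == src:
            tgt = 'self'  # policy syntax for a domain acting on itself
        grouped[(src, tgt, m['cls'])].update(m['perms'].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules

def needs_review(rules):
    """Rules granting capabilities or shadow_t access (this example's own heuristic)."""
    return [r for r in rules if ':capability ' in r or ' shadow_t:' in r]

if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

The seven denials collapse to four rules, two of which give the web-script domain setuid/setgid capabilities and read access to the shadow file.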
