I have a script that executes several commands in a user's home directory. The files are owned by the user and Apache (the www-data group) only has read privileges to them. The script needs to be executed on demand by PHP via exec(), and performs some deletions / untarring of files, which fail since Apache doesn't have write permissions to the directories.
I've tried editing the sudoers file like this:
www-data ALL=(user) NOPASSWD: /bin/su user -c /home/user/bin/script.sh
but it prompts me for the user's password.
I've also tried:
www-data ALL=(root) NOPASSWD: /usr/bin/sudo su user -c /home/user/bin/script.sh
but that prompts for www-data's sudo password.
How do I get this to work without a password?
Answer
Finally got it working with this line:
www-data ALL=(ALL) NOPASSWD: /usr/bin/sudo -u user /home/user/bin/script.sh
Since I needed arguments to my script, I had to add a "shell-style wildcard" at the end of the line:
www-data ALL=(ALL) NOPASSWD: /usr/bin/sudo -u user /home/user/bin/script.sh [[\:alpha\:]]*
It's not exactly what I was looking for, but it works (i.e. it happens that my arguments start with alphabetic characters, but in fact I would like the expression to match only alphanumeric characters, dashes and periods).
I'm not at all familiar with shell wildcards and POSIX character classes; the one I use is basically copy-pasted from the sudoers manual. Anyone who knows how these apply to this kind of problem, please leave your comments!
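The following is an added example, written by the editor and not part of the original question or answer. It answers the open question at the end of the post: how the `[[\:alpha\:]]*` wildcard in the accepted sudoers line actually matches. sudo compares the command's arguments with the pattern as one concatenated string using fnmatch(3) globbing, and sudoers(5) warns that a `*` therefore matches across word boundaries. The shell's `case` statement uses the same glob syntax, so the first function below reproduces the match and shows that the pattern admits any argument string whose first character is a letter, spaces and shell metacharacters included. The second function is the check the asker said they really wanted (letters, digits, dashes and periods only), which a sudoers wildcard cannot express and which therefore belongs inside `script.sh` itself. Function names, the sample arguments and the decision to also reject arguments beginning with `-` are the editor's choices, not anything the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post): how the accepted sudoers rule's
# argument wildcard behaves, beside the stricter argument check the asker wanted.

# sudo matches the command's arguments against the sudoers pattern as ONE
# concatenated string, using fnmatch(3) globbing. The shell's case statement
# uses the same glob syntax, so it can show what a sudoers pattern admits.
# $1: the pattern as it appears in sudoers, minus the backslashes (they only
#     protect the colons from the sudoers parser); $2: the argument string.
sudoers_args_match() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# The rule the asker actually wanted: every argument made only of letters,
# digits, dashes and periods. A sudoers wildcard cannot express "these
# characters and nothing else", so enforce it inside script.sh, before the
# arguments reach rm or tar. Arguments starting with '-' are rejected too,
# so they cannot be read as options by those tools (an editor's choice, not
# something the post asks for).
args_are_safe() {
    for arg in "$@"; do
        case "$arg" in
            '' | -* | *[!A-Za-z0-9.-]*) return 1 ;;
        esac
    done
    return 0
}

# Demonstration on constructed inputs (not taken from the post).
demo() {
    if sudoers_args_match '[[:alpha:]]*' 'foo; rm -rf /tmp/x'; then
        echo "sudoers pattern [[:alpha:]]* admits: foo; rm -rf /tmp/x"
    fi
    if args_are_safe 'foo; rm -rf /tmp/x'; then
        echo "in-script check accepts it (unexpected)"
    else
        echo "in-script check rejects it"
    fi
    if args_are_safe 'backup-2013.tar.gz'; then
        echo "in-script check accepts: backup-2013.tar.gz"
    fi
}
demo
```

Two practical notes. First, because the sudoers wildcard matches the whole argument string, the NOPASSWD rule effectively lets www-data pass any arguments at all to `script.sh`; the script must treat them as untrusted, which is what `args_are_safe` does. Second, the accepted line runs sudo inside sudo; the same effect is obtained with a Runas spec and the script as the command, `www-data ALL=(user) NOPASSWD: /home/user/bin/script.sh`, invoked from PHP as `sudo -u user /home/user/bin/script.sh`, which leaves fewer binaries in the rule.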