• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1814

Allow PHP to restart SQUID

Hi all,

I have a SQUID installation on an OpenSuSe 10 server.
I have written a management webapp through Apache and PHP to perform various tasks that I need done in relation to squid.

The problem I am having is I am unable to perform the following tasks using PHP's exec function:

/etc/init.d/squid stop
/etc/init.d/squid start
/etc/init.d/squid restart
/etc/init.d/squid status
/etc/init.d/squid force-reload
(I have also tried the alternates using 'rcsquid' instead of /etc/init.d/squid)

I have attempted the following things:
Added wwwrun to the Sudoers file and configured it for use without password, then attempted the above commands with the sudo prefix
Made root the primary group of wwwrun to see if that made a difference
Added the commands I wish to run to a bash file and tried executing the bash file instead.

None of the above worked.

My PHP code isn't returning any errors, and the optional output variable of exec in php is returning an empty array.

I am out of ideas and slowly going insane with every Google search I do... can anyone help?

Thanks,

Xavier.
 
Maciej S (sysadmin) Commented:
Do you still have your /etc/sudoers file with the wwwrun user added? If so, can you paste it here (or just the appropriate line)? I assume that you are sure that Apache is run by the wwwrun user?
 
locdang (Author) Commented:
I'm fairly sure that it is wwwrun that Apache runs as; it suggests this in the passwd file.

here are the 2 files.
SUDOERS FILE
 
Defaults always_set_home
Defaults env_reset
 
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
 
Defaults targetpw   # ask for the password of the target user i.e. root
ALL     ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
 
 
root    ALL=(ALL) ALL
wwwrun ALL = (ALL) NOPASSWD: /etc/init.d/squid status
wwwrun ALL = (ALL) NOPASSWD: /etc/init.d/squid start
wwwrun ALL = (ALL) NOPASSWD: /etc/init.d/squid stop
wwwrun ALL = (ALL) NOPASSWD: /etc/init.d/squid restart
wwwrun ALL = (ALL) NOPASSWD: /etc/init.d/squid force-reload
 
 
 
 
USERS ON THE SYSTEM
 
avahi:x:105:106:User for Avahi:/var/run/avahi-daemon:/bin/false
beagleindex:x:109:113:User for Beagle indexing:/var/cache/beagle:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
festival:x:104:105:Festival daemon:/usr/share/festival/:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
gdm:x:108:112:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
haldaemon:x:103:104:User for haldaemon:/var/run/hal:/bin/false
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
mysql:x:60:114:MySQL database admin:/var/lib/mysql:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:107:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:102:103:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
pulse:x:106:108:PulseAudio daemon:/var/lib/pulseaudio:/sbin/nologin
root:x:0:0:root:/root:/bin/bash
squid:x:31:65534:WWW-proxy squid:/var/cache/squid:/bin/false
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:107:111:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
uuidd:x:101:102:User for uuidd:/var/run/uuidd:/bin/false
wwwrun:x:30:0:WWW daemon apache:/var/lib/wwwrun:/bin/bash
epicentre:x:1000:100:Epicentre:/home/epicentre:/bin/bash

 
Maciej S (sysadmin) Commented:
Remove (or comment out) line 9 of your snippet.

 
locdang (Author) Commented:
I have commented that out but still no luck
 
Maciej S (sysadmin) Commented:
Also, it should be sufficient to specify:
wwwrun ALL = (ALL) NOPASSWD: /etc/init.d/squid
 
Maciej S (sysadmin) Commented:
Ok, that's strange now :)
Can you check your /var/log/messages logfile?
 
locdang (Author) Commented:
I have made the change to sudoers as you suggested, dunno how I missed that piece of logic :) (wwwrun ALL = (ALL) NOPASSWD: /etc/init.d/squid)


/var/log/messages
 
Feb 23 12:09:42 EPICSQUID checkproc: checkproc: Can not read /proc/2951/exe: Permission denied

 
Maciej S (sysadmin) Commented:
I was hoping to see some sudo-related entries in this logfile. Maybe you have them in /var/log/secure, /var/log/auth or some other file? Can you check this and paste the proper lines here?
How are you checking these sudo commands? With your PHP script? If so, can you try to check it from the command line? (Log in as root, switch to wwwrun with the "su - wwwrun" command, then, as the wwwrun user, try to restart squid with sudo: "sudo /etc/init.d/squid restart".) Did sudo ask you for a password or not?
 
locdang (Author) Commented:
Sudo is not asking for passwords.

It also seems to be working if I bash the commands myself after entering a shell for wwwrun

but when I exec in PHP it doesn't error but doesn't do it either.... maybe the issue is PHP now?
<?php
exec("/etc/init.d/squid start ",$output) or die("Could not restart Squid!");
die('Squid Restarted'."<br>".$output);
?>

 
locdang (Author) Commented:
Can't find a /var/log/auth or anything likely to be the same thing around it.... doing a Google search to find its location in openSUSE.
 
locdang (Author) Commented:
Scratch that, no filtering is set up, so they're all going to messages, guess I'll be fixing that! :D
 
Maciej S (sysadmin) Commented:
Replace
exec("/etc/init.d/squid start ",$output)
with
exec("/path/to/sudo /etc/init.d/squid start ",$output)
 
locdang (Author) Commented:
lol that fixed it. I did have sudo in front before, I must have taken it out for some reason.... o.0

Thanks heaps, I'm totally ecstatic that it is finally resolved.

Xavier.
 
locdang (Author) Commented:
Fast replies and great advice. Thanks so much!

Xavier.
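
The fix reached in this thread (calling the init script through sudo by absolute path), written out as an added PHP example that is not part of the original posts: it limits the action to a fixed allow-list, merges stderr into the captured output, and checks the exit status rather than exec()'s return value. The sudo path /usr/bin/sudo and the helper name squid_control are assumptions.

```php
<?php
// Added example (not from the thread). Assumptions: sudo is installed at
// /usr/bin/sudo, and the sudoers rule for wwwrun shown in the thread is active.
const SUDO_BIN    = '/usr/bin/sudo';        // assumed absolute path; check with `which sudo`
const INIT_SCRIPT = '/etc/init.d/squid';
const ALLOWED     = ['start', 'stop', 'restart', 'status', 'force-reload'];

/**
 * Run one init-script action through sudo (hypothetical helper name).
 * Returns the exit status and everything the command wrote.
 */
function squid_control(string $action): array
{
    // Fixed allow-list: request data can only select an action, never
    // contribute text to the command line.
    if (!in_array($action, ALLOWED, true)) {
        throw new InvalidArgumentException('Unsupported action');
    }

    // exec() collects stdout only. Redirecting stderr (2>&1) makes sudo and
    // init-script error messages show up in $output instead of vanishing.
    $cmd = sprintf(
        '%s %s %s 2>&1',
        escapeshellarg(SUDO_BIN),
        escapeshellarg(INIT_SCRIPT),
        escapeshellarg($action)
    );

    // exec() returns the last output line, which may be empty on success,
    // so "exec(...) or die(...)" is not a reliable check. Use the exit status.
    $output = [];
    $status = -1;
    exec($cmd, $output, $status);

    return ['status' => $status, 'output' => $output];
}

$result = squid_control('restart');
if ($result['status'] !== 0) {
    // Log the detail server-side; do not echo raw command output to the client.
    error_log('squid restart failed (' . $result['status'] . '): '
        . implode(' | ', $result['output']));
    http_response_code(500);
    exit('Could not restart Squid');
}
echo 'Squid restarted';
```

With a sudoers rule that names only the script path, sudo accepts any arguments to it, so the allow-list above is the only restriction on the action. Listing each permitted argument in sudoers, as the original five-line version did, enforces the same limit on the sudo side.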