Permissions required to launch Unix command remotely?

Experts,

I've recently had an EE question answered that allows me to execute Unix (Debian) commands from a web interface.  http://www.experts-exchange.com/Programming/Languages/Scripting/Shell/Q_27516109.html

This is working great on commands that I create, when I do the following:

chmod 777 CommandName
chmod +x CommandName

Is it possible to extend this to inherent processes of Unix?  This is for testing purposes only, in a closed environment - for my own knowledge, so no worries on security here.

Basically, I'd like to run the command "killall" and another called "wrapper-linux" for a process that I've defined.  Currently, both those processes aren't able to be executed via the web page but both can be entered in the console directly and have no problems executing.

Which permissions would I need to do, in order to be able to get those commands "web accessible" if that makes sense?
usslindstrom Asked:
 
xterm Commented:
Unix security is such that it is for a reason, so keep in mind there is a very good reason that from the web server there are a whole lot of things that you cannot do.

That being said, you may proceed at your own risk, and the following will allow you to do what you need:

1.  Find out which user your web server is running as.   For Apache it's usually nobody, but could be apache.  Look for the directive "User xxx" in your httpd.conf (often in /etc/httpd/conf/httpd.conf)
2.  Allow that user to run sudo commands without a password, so edit /etc/sudoers and put:
CmndAlias     MYCMDS=/path/to/killall,/path/to/wrapper-linux
UserAlias       WEBBOT=apache,nobody   # whichever is appropriate for your system
# User privileges
WEBBOT        ALL=NOPASSWD:MYCMDS
3.  Now in your web code, simply run "sudo killall" or "sudo wrapper-linux".  You will NOT need to make them 777, just executable (755)
 
xterm Commented:
Since you're using lighttpd it appears, use the following command (look at the FIRST column of the output) to determine which user it's running as, and then substitute into my directions above instead of apache or nobody:
ps aux | grep lighttpd

 
usslindstrom (Author) Commented:
Thank you for the information.  I've tried to implement it, but am getting an error.

I've attempted to edit "/etc/sudoers" as instructed by modifying it to the following (pasted in the code block below):

The console instructs me that I'm forced to use "visudo -f sudoers" to edit the file, instead of the standard "vi".  - Which isn't a problem, but when going to save everything, it's instructing me there's an error " >>> sudoers: syntax error near line 15 <<< "  Which is the "Cmd Alias" line.

Any ideas?  Sorry for my horrible understanding of Unix here.  I'm trying to dip into that side of the playing field now.
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults	env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification
CmndAlias	MYCMDS=/usr/bin/killall,/root/wrapper-linux
UserAlias	WEBBOT=www-data

# User privilege specification
root	ALL=(ALL) ALL
WEBBOT	ALL=NOPASSWD:MYCMDS

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

 
xterm Commented:
Yeah, sorry, should be Cmnd_Alias and User_Alias (I left out the underscores)
 
usslindstrom (Author) Commented:
No worries.  You're helping me.  :)

- But please be patient with me.  I'm still having issues getting it to work.

I've completed your suggested changes, and have them pasted in the code block below.  Anything popping out to you on why it wouldn't be working?

With the correction on the underscore, I'm not given the error when editing the file anymore, and it allows me to save it.  I've restarted the server but still no go on executing the command located in "/var/www/scripts/powerdown.sh"

BTW - Thanks for helping me on this.
*** killall is located here:  /usr/bin/killall ***

*** wrapper-linux is located here:  /root/wrapper-linux ***

*** sudoers content:  /etc/sudoers ***


# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults	env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification
Cmnd_Alias	MYCMDS=/usr/bin/killall,/root/wrapper-linux,/var/www/scripts/powerdown.sh
User_Alias	WEBBOT=www-data

# User privilege specification
root	ALL=(ALL) ALL
WEBBOT	ALL=NOPASSWD:MYCMDS

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL

#includedir /etc/sudoers.d

 
usslindstrom (Author) Commented:
HOLY CRAP!

Never mind!  I COMPLETELY left off the "sudo" command for the web page.

It works perfectly!  Thanks for the assistance!
 
usslindstrom (Author) Commented:
Outstanding support from an outstanding EE member!

MUCH appreciated on the answer - and very detailed explanations!
 
xterm Commented:
You are most welcome :)
Question has a verified solution.
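
An added example, not part of the thread or either poster's code: a simplified Python audit of the final sudoers rules above, since a NOPASSWD command that the web server user can modify runs as root with whatever it then contains. It reports when a command or its directory is not owned by root or is group- or world-writable (as the chmod 777 in the question would make it), and when a rule leaves the arguments unrestricted. SUDOERS is a sample constructed from the thread; nopasswd_commands and audit are hypothetical helper names, and the parser ignores line continuations and include directives.

```python
import os
import re
import stat

# Constructed sample: the three rule lines from the thread's final /etc/sudoers.
SUDOERS = """\
Cmnd_Alias MYCMDS=/usr/bin/killall,/root/wrapper-linux,/var/www/scripts/powerdown.sh
User_Alias WEBBOT=www-data
WEBBOT ALL=NOPASSWD:MYCMDS
"""

def nopasswd_commands(text):
    """Return the commands granted with NOPASSWD, expanding Cmnd_Alias names."""
    aliases, cmds = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments (simplified)
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
        elif "NOPASSWD:" in line:
            for item in line.split("NOPASSWD:", 1)[1].split(","):
                cmds += aliases.get(item.strip(), [item.strip()])
    return cmds

def audit(command, trusted_uid=0):
    """List the reasons a sudo-allowed command could be altered or misused."""
    path, _, args = command.partition(" ")
    findings = []
    if not args:
        # sudoers: a command listed without arguments may be run with any.
        findings.append("no argument list: caller may pass any arguments")
    for target in (path, os.path.dirname(path)):
        try:
            st = os.stat(target)
        except OSError:
            findings.append(f"{target}: cannot stat")
            continue
        if st.st_uid != trusted_uid:
            findings.append(f"{target}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{target}: group- or world-writable")
    return findings

if __name__ == "__main__":
    for cmd in nopasswd_commands(SUDOERS):
        for finding in audit(cmd):
            print(f"{cmd}: {finding}")
```

Run it as root on the server so every path can be read; a sudoers entry such as `/usr/bin/killall wrapper-linux` or `/path/to/script ""` pins the arguments and clears the first finding.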
