Permissions required to launch Unix command remotely?

Experts,

I've recently had an EE question answered that allows me to execute Unix (debian) commands from a web interface.  http://www.experts-exchange.com/Programming/Languages/Scripting/Shell/Q_27516109.html

This is working great on commands that I create, when I do the following:

chmod 777 CommandName
chmod +x CommandName

Is it possible to extend this to inherent processes of Unix?  This is for testing purposes only, in a closed environment - for my own knowledge, so no worries on security here.

Basically, I'd like to run the command "killall" and another called "wrapper-linux" for a process that I've defined.  Currently, both those processes aren't able to be executed via the web page but both can be entered in the console directly and have no problems executing.

Which permissions would I need to do, in order to be able to get those commands "web accessible" if that makes sense?
usslindstrom Asked:

xterm Commented:
Unix security is such that it is for a reason, so keep in mind there is a very good reason that from the web server there are a whole lot of things that you cannot do.

That being said, you may proceed at your own risk, and the following will allow you to do what you need:

1.  Find out which user that your web server is running as.   For apache it's usually nobody, but could be apache.  Look for the directive "User xxx" in your httpd.conf (often in /etc/httpd/conf/httpd.conf)  
2.  Allow that user to run sudo commands without a password, so edit /etc/sudoers and put:
CmndAlias     MYCMDS=/path/to/killall,/path/to/wrapper-linux
UserAlias       WEBBOT=apache,nobody   # whichever is appropriate for your system
# User privileges
WEBBOT        ALL=NOPASSWD:MYCMDS
3.  Now in your web code, simply run "sudo killall" or "sudo wrapper-linux".  You will NOT need to make them 777, just executable (755)
xterm Commented:
Since you're using lighttpd it appears, use the following command (look at the FIRST column of the output) to determine which user it's running as, and then substitute into my directions above instead of apache or nobody:
ps aux | grep lighttpd

usslindstrom Author Commented:
Thank you for the information.  I've tried to implement it, but am getting an error.

I've attempted to edit "/etc/sudoers" as instructed by modifying it to the following (pasted in the code block below):

The console instructs me that I'm forced to use "visudo -f sudoers" to edit the file, instead of the standard "vi".  - Which isn't a problem, but when going to save everything, it's instructing me there's an error " >>> sudoers: syntax error near line 15 <<< "  Which is the "Cmd Alias" line.

Any ideas?  Sorry for my horrible understanding of Unix here.  I'm trying to dip into that side of the playing field now.
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults	env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification
CmndAlias	MYCMDS=/usr/bin/killall,/root/wrapper-linux
UserAlias	WEBBOT=www-data

# User privilege specification
root	ALL=(ALL) ALL
WEBBOT	ALL=NOPASSWD:MYCMDS

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

xterm Commented:
Yeah, sorry, should be Cmnd_Alias and User_Alias (I left out the underscores)
usslindstrom Author Commented:
No worries.  You're helping me.  :)

- But please be patient with me.  I'm still having issues getting it to work.

I've completed your suggested changes, and have them pasted in the code block below.  Anything popping out to you on why it wouldn't be working?

With the correction on the underscore, I'm not given the error when editing the file anymore, and it allows me to save it.  I've restarted the server but still no go on executing the command located in "/var/www/scripts/powerdown.sh"

BTW - Thanks for helping me on this.
*** killall is located here:  /usr/bin/killall ***

*** wrapper-linux is located here:  /root/wrapper-linux ***

*** sudoers content:  /etc/sudoers ***


# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults	env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification
Cmnd_Alias	MYCMDS=/usr/bin/killall,/root/wrapper-linux,/var/www/scripts/powerdown.sh
User_Alias	WEBBOT=www-data

# User privilege specification
root	ALL=(ALL) ALL
WEBBOT	ALL=NOPASSWD:MYCMDS

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL

#includedir /etc/sudoers.d

usslindstrom Author Commented:
HOLY CRAP!

Nevermind!  I COMPLETELY left off the "sudo" command for the web page.

It works perfectly!  Thanks for the assistance!
usslindstrom Author Commented:
Outstanding support from an outstanding EE member!

MUCH appreciated on the answer - and very detailed explanations!
xterm Commented:
You are most welcome :)
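
The final rule in the thread lets www-data run /var/www/scripts/powerdown.sh as root with no password, so any NOPASSWD target that a non-root user can edit (for example one left at chmod 777) hands root to whoever can write it. The check below is an added example, not part of the thread or any poster's code: it reads the Cmnd_Alias lines of a sudoers file and flags targets that are missing, not owned by the trusted uid, or group/world writable. The function names sudoers_cmds, is_unsafe and audit_sudoers and the scratch files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list sudoers command targets that
# someone other than a trusted owner could replace or edit.

# Print every absolute command path named in Cmnd_Alias lines of file $1.
# Arguments after a command are dropped; backslash continuations are not handled.
sudoers_cmds() {
    sed -n 's/^[[:space:]]*Cmnd_Alias[[:space:]]\{1,\}[A-Z][A-Z0-9_]*[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]].*$//' |
        grep '^/'
}

# Exit 0 if path $1 is unsafe to run as root: it is missing, is not owned
# by uid $2 (default 0), or has the group or world write bit set.
is_unsafe() {
    _p=$1; _uid=${2:-0}
    [ -e "$_p" ] || return 0
    [ "$(ls -ldnL "$_p" | awk '{print $3}')" = "$_uid" ] || return 0
    [ -n "$(find -L "$_p" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Check each command and its containing directory; print one line per finding.
audit_sudoers() {
    sudoers_cmds "$1" | while IFS= read -r cmd; do
        for p in "$cmd" "$(dirname "$cmd")"; do
            if is_unsafe "$p" "${2:-0}"; then
                echo "UNSAFE $cmd (check $p)"
                break
            fi
        done
    done
}

# Constructed sample: a scratch copy of the thread's rule, with a 777 script.
demo=$(mktemp -d)
touch "$demo/killall" "$demo/powerdown.sh"
chmod 755 "$demo" "$demo/killall"
chmod 777 "$demo/powerdown.sh"
printf 'Cmnd_Alias\tMYCMDS=%s/killall,%s/powerdown.sh\nUser_Alias\tWEBBOT=www-data\n' \
    "$demo" "$demo" > "$demo/sudoers"

# The scratch files belong to the current user, so trust that uid here;
# on a real system omit the second argument to require root ownership.
audit_sudoers "$demo/sudoers" "$(id -u)"
```

Only the command file and its immediate directory are checked; a full audit would walk every ancestor directory up to /.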