is possible the line "apache ALL=(root) NOPASSWD:ALL" into [/etc/sudoers.d/file.test] ?

Colombia · 04-18-2022, 08:35 PM

Quote:

Originally Posted by TB0ne

...

Code:

apache !requiretty ALL=(root) NOPASSWD: /sbin/reboot

thanks, now I learn the TTY is possible omit with

Code:

## Allow root to run any commands anywhere 
root	ALL=(ALL) 	ALL
pp	ALL=(ALL)	NOPASSWD:ALL
apache	ALL=(ALL)	NOPASSWD:ALL
Defaults:apache !requiretty
php	ALL=(ALL)	NOPASSWD:ALL

however https://web/reboot.php yet can´t restart server

Colombia · 04-18-2022, 08:40 PM

Quote:

Originally Posted by michaelk

... You can add a line for each command or multiple commands separated by a comma

Code:

apache ALL=(root) NOPASSWD: /sbin/reboot, /other/command

thanks, is POSSIBLE use the line

Code:

apache	ALL=(ALL)	NOPASSWD:ALL

?

... by now is fine for me, my priority is restart from Browser.

michaelk · 04-18-2022, 09:03 PM

I know its no help to you but I can reboot from the browser as posted previously on my CentOS 7 VM. Also as posted there must be some configuration differences (not related to php, mysql etc)

Code:

 https://web/reboot.php

Have changed scripts? Is it different from the file.php posted previously? If so post the contents minus the php tags.

Colombia · 04-18-2022, 09:08 PM

Quote:

Originally Posted by michaelk

... Have changed scripts?

the same code master:

PHP Code:



$c = 'whoami';
$c = 'sudo /sbin/reboot';
$c = 'sudo reboot';
$c = '/bin/sudo /sbin/reboot';
$Q = exec($c, $r, $e);
var_export($e);

forever return 1

And of course, same machine:

Code:

[root@localhost ~]# lscpu
Architecture:          armv7l
Byte Order:            Little Endian
CPU(s):                4
On-line CPU(s) list:   0-3
Thread(s) per core:    1
Core(s) per socket:    4
Socket(s):             1
Model:                 4
Model name:            ARMv7 Processor rev 4 (v7l)
CPU max MHz:           1400.0000
CPU min MHz:           600.0000
BogoMIPS:              38.40
Flags:                 half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32

[root@localhost ~]# more /etc/redhat-release
CentOS Linux release 7.9.2009 (AltArch)

[root@localhost ~]# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Mar 24 2022 14:58:21

[root@localhost ~]# php -v
PHP 5.4.16 (cli) (built: Apr  1 2020 06:27:24)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
[root@localhost ~]#

michaelk · 04-18-2022, 09:22 PM

Does the http error log show the same message?

Colombia · 04-18-2022, 09:43 PM

Quote:

Originally Posted by michaelk

Does the http error log show the same message?

is empty, now no more LOGS

pan64 · 04-19-2022, 12:38 AM

Quote:

Originally Posted by Colombia

is empty, now no more LOGS

That is impossible. There are at least three cases:
1. it works, but you could recognize it easily, because reboot will be executed
2. syntactically incorrect command, cannot be executed, in that case after the exec you can check it
3. the command itself is syntactically correct, but for example the sudoers file is corrupt. In that case sudo will print an error message somewhere, but probably it is lost.

I would try to execute a simple shell script instead of reboot, and check if that works. Next I will try to add some logging to that shell script and finally execute sudo reboot inside - and you can check the log and act accordingly.

Colombia · 04-19-2022, 07:59 AM

Quote:

Originally Posted by pan64

That is impossible.

thanks.

sorry by my impresition, "empty" means "not NEW INFO", breally this is my current /var/log/httpd:

Code:

[root@localhost ~]# ls -l /var/log/httpd/
total 8
-rw-r--r-- 1 root root   0 Dec 31  1969 access_log
-rw-r--r-- 1 root root 533 Apr 19 07:42 error_log
-rw-r--r-- 1 root root   0 Dec 31  1969 ssl_access_log
-rw-r--r-- 1 root root 348 Dec 31  1969 ssl_error_log
-rw-r--r-- 1 root root   0 Dec 31  1969 ssl_request_log
[root@localhost ~]#

and here the /var/log/httpd/error_log:

Code:

[Wed Dec 31 19:00:52.647408 1969] [suexec:notice] [pid 568] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Dec 31 19:00:53.019970 1969] [lbmethod_heartbeat:notice] [pid 568] AH02282: No slotmem from mod_heartmonitor
[Tue Apr 19 07:42:56.552389 2022] [mpm_prefork:notice] [pid 568] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 configured -- resuming normal operations
[Tue Apr 19 07:42:56.552928 2022] [core:notice] [pid 568] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

and ths is my /var/log/httpd/ssl_error_log:

Code:

[Wed Dec 31 19:00:52.660729 1969] [ssl:warn] [pid 568] AH01909: RSA certificate configured for localhost.localdomain:443 does NOT include an ID which matches the server name
[Wed Dec 31 19:00:53.025773 1969] [ssl:warn] [pid 568] AH01909: RSA certificate configured for localhost.localdomain:443 does NOT include an ID which matches the server name

when of I open https://192.168.20.67/rb/rbs_2.php the outpu is:

Code:

int(1)
array(0) {
}
string(0) ""

code PHP:

Code:

	$e = $r = $Q = FALSE;
	$Q = exec('sudo reboot', $r, $e);
	var_dump($e);
	var_dump($r);
	var_dump($Q);

then after of open https://192.168.20.67/rb/rbs_2.php this is the /var/log/httpd/ssl_access_log:

Code:

192.168.20.36 - - [19/Apr/2022:07:51:41 -0500] "GET /rb/rbs_2.php HTTP/1.1" 200 33

and this is the /var/log/httpd/ssl_error_log updated:

Code:

[Wed Dec 31 19:00:52.660729 1969] [ssl:warn] [pid 568] AH01909: RSA certificate configured for localhost.localdomain:443 does NOT include an ID which matches the server name
[Wed Dec 31 19:00:53.025773 1969] [ssl:warn] [pid 568] AH01909: RSA certificate configured for localhost.localdomain:443 does NOT include an ID which matches the server name
[Tue Apr 19 07:51:42.063155 2022] [cgi:error] [pid 643] [client 192.168.20.36:49632] AH01215: , referer: https://192.168.20.67/rb/
[Tue Apr 19 07:51:42.063618 2022] [cgi:error] [pid 643] [client 192.168.20.36:49632] AH01215: We trust you have received the usual lecture from the local System, referer: https://192.168.20.67/rb/
[Tue Apr 19 07:51:42.063828 2022] [cgi:error] [pid 643] [client 192.168.20.36:49632] AH01215: Administrator. It usually boils down to these three things:, referer: https://192.168.20.67/rb/
[Tue Apr 19 07:51:42.063866 2022] [cgi:error] [pid 643] [client 192.168.20.36:49632] AH01215: , referer: https://192.168.20.67/rb/
[Tue Apr 19 07:51:42.064042 2022] [cgi:error] [pid 643] [client 192.168.20.36:49632] AH01215:     #1) Respect the privacy of others., referer: https://192.168.20.67/rb/
[Tue Apr 19 07:51:42.064198 2022] [cgi:error] [pid 643] [client 192.168.20.36:49632] AH01215:     #2) Think before you type., referer: https://192.168.20.67/rb/
[Tue Apr 19 07:51:42.064382 2022] [cgi:error] [pid 643] [client 192.168.20.36:49632] AH01215:     #3) With great power comes great responsibility., referer: https://192.168.20.67/rb/
[Tue Apr 19 07:51:42.064423 2022] [cgi:error] [pid 643] [client 192.168.20.36:49632] AH01215: , referer: https://192.168.20.67/rb/
[Tue Apr 19 07:51:42.064612 2022] [cgi:error] [pid 643] [client 192.168.20.36:49632] AH01215: sudo: no tty present and no askpass program specified, referer: https://192.168.20.67/rb/

TB0ne · 04-19-2022, 08:15 AM

Quote:

Originally Posted by Colombia

I need OTHERS commands for same user...

Why do you need 'others commands' for that user?? Again, why are you ignoring the advice you've been given about this being a VERY BAD IDEA???? And why do you ignore SNMP as being an option???

And if it has to be web-based (for some reason that you haven't told us), why don't you just use webmin???

pan64 · 04-19-2022, 09:21 AM

so you have still that the no tty present error
That means sudoers is not configured properly (either permission problem or syntax error or just a typo somewhere).
You can simply try if sudo works from command line for that apache users without web server and browser.
also you need to use sudo -n if no tty present. Probably need to check if askpass is configured somewhere/somehow.

Colombia · 04-19-2022, 01:04 PM

Quote:

Originally Posted by pan64

... You can simply try if sudo works from command line for that apache users...

thanks,

I get this:

Code:

[root@localhost ~]# su apache
This account is currently not available.
[root@localhost ~]#

Quote:

Originally Posted by pan64

Probably need to check if askpass is configured somewhere/somehow.

is askpass a programm?

Quote:

[root@localhost ~]# askpass
-bash: askpass: command not found
[root@localhost ~]#

pan64 · 04-19-2022, 01:13 PM

su and sudo are two different programs. su apache is definitely wrong. Also testing sudo as root is insufficient.
you need to read man sudo about askpass.

michaelk · 04-19-2022, 01:35 PM

The web server user, apache in this case is set to nologin so using su or sudo is not possible and why the OP sees the "This account is currently not available." error.

Despite this and as posted I have been able to configure a CentOS 7 VM so it reboots as the OP desires. I'm with pan64 and that something must not be configured correctly or the same as a regular x86_64 system.

TB0ne · 04-19-2022, 02:04 PM

Quote:

Originally Posted by Colombia

thanks,
I get this:

Code:

[root@localhost ~]# su apache
This account is currently not available.

Sorry, but why are you ignoring things??? Again:

SNMP can be used to remotely reboot a system. Why can't you use that??
Webmin can be used to reboot a system over a web interface. Why can't you use that??
You are NOT paying attention on how to configure sudo.
SU and SUDO are two different commands...why would you expect them to be the same??
You're logged in as root...what is the point of running su??

If you're not going to listen to advice, there isn't much point in posting. This thread is four pages long now, and it doesn't seem like you've even gotten past the basics. What is your actual goal, here??? Is there another person with experience that could do this?

Quote:

Code:

[root@localhost ~]#

is askpass a programm?

Did you actually try to look it up??? Do ANYTHING as far as research on your own???

Colombia · 04-19-2022, 02:08 PM

Quote:

Originally Posted by pan64

... you need to read man sudo about askpass.

thanks.

Then how I can restart server fron https://web/reboot.php ?

I have LAMP:
CentOs 7 + Apache/2.4.6 (CentOS) + 5.5.68-MariaDB - MariaDB Server + PHP 5

and only need restart server from https://web/reboot.php

how I can ?