问题描述
我已经花了半天的时间来解决这个问题,并且我已经做了很多研究.我也熟悉许多与此主题相关的讨论,例如:如何以root用户身份运行PHP exec()?
I have been spending half a day trying to figure this out, and I've done a lot of research. I'm also familiar with many of the existing discussions on this topic, such as this one:How to run PHP exec() as root?
不幸的是,我发现的所有建议似乎都不适合我.
Unfortunately, none of the suggestions I've found seem to work for me.
首先,我正在为规范编写内容,因此我无法避免这样做.此外,所有计算机都将存在于未连接到Internet的专用网络上.虽然拥有一些安全性很重要,但最重要的是要防止错误.我的目标是配置一些瘦服务器".通过PHP脚本,我需要能够更改网络配置(静态或DHCP)并重新启动网络.
First of all, I am writing something to a spec, so I can't really avoid doing this. Also, all machines will exist on a private network that is not connected to the internet. While it's important to have SOME security, it's mostly necessary to prevent mistakes. My objective is to configure some "thin servers". Via a PHP script, I need to be able to change the network config (static or DHCP) and restart networking.
我尝试做的第一件事是编写一个SUID根目录的C程序.它读取,修改和写入网络配置文件.如果我以普通用户身份运行它,它就可以正常工作,并且可以访问和修改root拥有的文件.但是,如果我从PHP脚本运行它,则会出现访问错误.看来Apache会以某种方式阻止SUID根.
The first thing I tried was to write a C program that is SUID root. It reads, modifies, and writes a network config file. If I run it as a regular user, it works just fine and can access and modify a file owned by root. But if I run it from a PHP script, I get access errors. It appears that Apache prevents SUID root somehow.
根据其他讨论的建议,我尝试了"sudo"方法.我暂时将其添加到/etc/sudoers中:apache ALL =(ALL)NOPASSWD:全部
Based on suggestions from other discussions, I tried the "sudo" method. Temporarily, I added this to /etc/sudoers: apache ALL=(ALL) NOPASSWD: ALL
我得到的错误是这样的:sudo:无法打开审核系统:权限被拒绝
The error I get is this:sudo: unable to open audit system: Permission denied
根据此俄语页面,发生这种情况是因为RHEL(我正在使用Fedora)之类的系统默认对sudoers是requiretty.所以我将这一行添加到/etc/sudoers中:默认值!requiretty
According to this page in Russian, this is happening because systems like RHEL (I'm using Fedora) default to requiretty for sudoers. So I added this line to /etc/sudoers:Defaults !requiretty
我仍然遇到相同的错误.sudo:无法打开审核系统:权限被拒绝
I still get the same error.sudo: unable to open audit system: Permission denied
我在这里完全受阻.也就是说,除非我想以根用户身份运行Apache本身,否则会比其他任何事情都更加不便.
I'm completely stymied here. That is, unless I want to run Apache itself as root, something that would be more inconvenient than anything else.
有人可以在这里提出任何建议吗?我意识到我要做的事很奇怪.我敢打赌,你们中的一些人会向我介绍一些用于远程配置Fedora机器的现有系统(现在,我想到了,现在就开始研究它).
Can anyone make any suggestions here? I realize what I'm trying to do is weird. And I bet some of you will point me to some existing system for remotely configuring Fedora machines (and now that I think of it, I'm going to go look into that right now).
顺便说一句,我正在运行SELinux,因为默认情况下这就是Fedora 15的配置方式.
BTW, I am running SELinux, because that is how Fedora 15 is configured by default.
谢谢.
我找到了本教程:
http://www.cyberciti.biz/faq/howto -disable-httpd-selinux-security-protection/
I found this tutorial:
http://www.cyberciti.biz/faq/howto-disable-httpd-selinux-security-protection/
不幸的是,当我运行"setsebool httpd_disable_trans 1"时,出现错误:
无法更改活动的布尔值:无效的布尔值
Unfortunately, when I run "setsebool httpd_disable_trans 1", I get the error:
Could not change active booleans: Invalid boolean
我还尝试直接编辑不存在的"/etc/selinux/targeted/booleans",然后重新启动apache,但这也不起作用.
I also tried directly editing "/etc/selinux/targeted/booleans", which didn't exist, and restarting apache, but that didn't work either.
推荐答案
您尝试setenforce 0(暂时禁用SELinux),audit2allow还是完全禁用SELinux?请参阅: PHP网页即使在更新的sudoers
Did you try setenforce 0 (disable SELinux temporarily), audit2allow, or fully disable SELinux? See: PHP webpage doesn't launch unix command even after updated sudoers
这篇关于从PHP/Apache,exec()或system()程序作为root用户:"sudo:无法打开审核系统:权限被拒绝";的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!