Can't get Sudo.pm to run my command but it works from a prompt
| Richard Fernandez 2006-10-05, 6:58 pm |
| Hi folks,
I have the following in a CGI script:
<code>
# $sudo is set earlier in the script (not shown)
my $replace = Sudo->new(
    {
        sudo         => $sudo,
        debug        => 3,
        username     => 'root',
        program      => '/bin/cp',
        #program_args => '-f /tmp/alias_maint/aliases.new /etc/mail/aliases',
        program_args => '-f /tmp/alias_maint/aliases.new /etc/mail/aliases.richf',
    }
);
my $replace_rc = $replace->sudo_run;
# Log whatever sudo_run returned; under CGI, warn() output lands in the error_log
if (exists $replace_rc->{error}) {
    warn "ERROR: ", $replace_rc->{error}, "\n";
}
if (exists $replace_rc->{stdout}) {
    warn "STDOUT: ", $replace_rc->{stdout}, "\n";
}
if (exists $replace_rc->{stderr}) {
    warn "STDERR: ", $replace_rc->{stderr}, "\n";
}
if (exists $replace_rc->{rc}) {
    warn "RC: ", $replace_rc->{rc}, "\n";
}
..
..
..
</code>
When this code gets run (via webpage) I get the following in the
error_log:
<snip>
> output:
> result: 256
STDOUT:
STDERR:
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:
#1) Respect the privacy of others.
#2) Think before you type.
Password:
RC:
</snip>
In other words, it seems to be asking for a password. However when I run
this from a regular prompt as the webserver user, it works fine.
I have a check for the UID in the script, and it's the right one. I also
have NOPASSWD set in sudoers.
Any help is appreciated.
Thanks!
richf
| |
| Derek B. Smith 2006-10-05, 6:58 pm |
|
-- RICHARD FERNANDEZ <rfernandez@arrow.com> wrote:
> Hi folks,
>
> I have the following in a CGI script:
>
>
> When this code gets run (via webpage) I get the
> following in the
> error_log:
>
> <snip>
>
> STDOUT:
> STDERR:
> We trust you have received the usual lecture from
> the local System
> Administrator. It usually boils down to these two
> things:
>
> #1) Respect the privacy of others.
> #2) Think before you type.
>
> Password:
>
> RC:
> </snip>
>
> In other words, it seems to be asking for a
> password. However when I run
> this from a regular prompt as the webserver user, it
> works fine.
>
> I have a check for the UID in the script, and it's
> the right one. I also
> have NOPASSWD set in sudoers.
>
> Any help is appreciated.
> Thanks!
>
> richf
>
>
>
Did you edit the sudoers file using visudo -f "file"?
Show us the sudoers file using cat -etu "file".
Has this user ever successfully logged in?
derek
________________________________________
__________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
| |
| Richard Fernandez 2006-10-05, 6:58 pm |
| > Did you edit the sudoers file using visudo -f "file"
Yes.
> Show us the sudoers file using cat -etu "file".
# cat -etu /usr/local/etc/sudoers > /tmp/sudoers.richf
# less /tmp/sudoers.richf
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
<snip>
# User privilege specification
root ALL=ALL
webuser ALL = (ALL) NOPASSWD: ALL
> Has this user ever successfully logged in?
Yes, the user is set up w/o a login shell, but in the course of testing
I've given him login access. Doesn't make a difference.
>
> derek
>
Thanks derek.
| |
| Derek B. Smith 2006-10-05, 6:58 pm |
| --- RICHARD FERNANDEZ <rfernandez@arrow.com> wrote:
> "file"
>
> Yes.
>
>
> # cat -etu /usr/local/etc/sudoers >
> /tmp/sudoers.richf
> # less /tmp/sudoers.richf
> # sudoers file.
> #
> # This file MUST be edited with the 'visudo' command
> as root.
> <snip>
>
> # User privilege specification
> root ALL=ALL
> webuser ALL = (ALL) NOPASSWD: ALL
>
>
>
> Yes, the user is set up w/o a login shell, but in
> the course of testing
> I've given him login access. Doesn't make a
> difference.
>
>
> Thanks derek.
>
The cat -etu will show us any funky unneeded control
characters.
If the user has never signed in and the admin never
ran passwd user
passwd -f user and then that user never went in to make
his/her password permanent then yes it would matter
b/c the passwd is not set.
Here is a working sample on one of my work production
systems:
ovuser OVSYS = (root) NOPASSWD: /opt/OV/bin/, /opt/OV/bin/OpC/, \
    /opt/OV/bin/OpC/install/, /opt/OV/bin/OpC/utils/, \
    /opt/OV/contrib/OpC/, /data/data00/sbin/, \
    /data/data00/sbin/pre-exec/, /data/data00/sbin/post-exec/, \
    /sbin/init.d/smtp_message_interceptor, \
    /db/u01/app/oracle/product/9.2.0/bin/, /opt/OV/support/, \
    /var/opt/OV/bin/instrumentation/, /usr/local/ovo8x, \
    /usr/local/sbin/init.d/, /opt/CSCOpx/bin/, \
    sudoedit /etc/opt/OV/share/conf/C/filters
| |
| Richard Fernandez 2006-10-05, 6:58 pm |
| > if the user has never signed in and the admin never ran
> passwd user passwd -f user and then that user never went into
> make his/her password permanent then yes it would matter b/c
> the passwd is not set.
>
I've gone in and set a passwd for the user. Then I actually logged in as
the user for grins.
Still no good. And, BTW, I'm restarting the webserver after every change
to the user to make sure the environment is what I think it is.
If a missing passwd was the issue, it should not have worked from the
command line either, or am I missing something?
| |
| Mumia W. 2006-10-05, 6:58 pm |
| On 10/05/2006 03:23 PM, RICHARD FERNANDEZ wrote:
>
>
> I've gone in and set a passwd for the user. Then I actually logged in as
> the user for grins.
> Still no good. And, BTW, I'm restarting the webserver after every change
> to the user to make sure the environment is what I think it is.
>
> If a missing passwd was the issue, it should not have worked from the
> command line either, or am I missing something?
>
Does the webserver have the proper permissions to invoke that sudo entry?
| |
| Richard Fernandez 2006-10-05, 6:58 pm |
|
From: Mumia W. [mailto:mumia.w.18.spam+nospam@earthlink.net]
> Does the webserver have the proper permissions to invoke that sudo
> entry?
AFAIK, yes. I don't think it would be asking for a password if it
couldn't run the binary. It just doesn't seem to be pulling the right
entry (webuser) out of the sudoers file, even though it's running as
"webuser". I don't know what else I should be checking...
As a test, I temporarily replaced the call to Sudo.pm with a
system(/usr/local/bin/sudo...) and it failed the same way. Hmmm. Works
from the command line. Doesn't work from cgi-bin.
Looks like this may not, strictly speaking, be a Perl question any more,
but can anyone point me in the right direction?
I can definitely run things out of cgi-bin, otherwise I wouldn't have
gotten this far.
Thanks again!
richf
--
To unsubscribe, e-mail: beginners-unsubscribe@perl.org For additional
commands, e-mail: beginners-help@perl.org <http://learn.perl.org/>
<http://learn.perl.org/first-response>
| |
| Igor Sutton 2006-10-05, 6:58 pm |
| > Looks like this may not, strictly speaking, be a Perl question any
> more,
> but can anyone point me in the right direction?
> I can definitely run things out of cgi-bin, otherwise I wouldn't have
> gotten this far.
Most times, apache uses nobody or www user. Check if the user apache
uses is mentioned in sudoers file.
--
Igor Sutton
igor.sutton@gmail.com
| |
| Richard Fernandez 2006-10-05, 6:58 pm |
|
-----Original Message-----
From: Igor Sutton [mailto:igor.sutton@gmail.com]
Sent: Thursday, October 05, 2006 8:17 PM
To: RICHARD FERNANDEZ
Cc: Beginners List
Subject: Re: Can't get Sudo.pm to run my command but it works from a
prompt
> Looks like this may not, strictly speaking, be a Perl question any
> more, but can anyone point me in the right direction?
> I can definitely run things out of cgi-bin, otherwise I wouldn't have
> gotten this far.
> Most times, apache uses nobody or www user. Check if the user apache
> uses is mentioned in sudoers file.
The user listed in httpd.conf is "webuser", the same user I have listed
in sudoers.
| |
| Mumia W. 2006-10-05, 9:57 pm |
| On 10/05/2006 07:10 PM, RICHARD FERNANDEZ wrote:
>
>
> From: Mumia W. [mailto:mumia.w.18.spam+nospam@earthlink.net]
>
> entry?
>
> AFAIK, yes. I don't think it would be asking for a password if it
> couldn't run the binary. It just doesn't seem to be pulling the right
> entry (webuser) out of the sudoers file, even though it's running as
> "webuser". I don't know what else I should be checking...
>
> As a test, I temporarily replaced the call to Sudo.pm with a
> system(/usr/local/bin/sudo...) and it failed the same way. Hmmm. Works
> from the command line. Doesn't work from cgi-bin.
>
> Looks like this may not, strictly speaking, be a Perl question any more,
> but can anyone point me in the right direction?
> I can definitely run things out of cgi-bin, otherwise I wouldn't have
> gotten this far.
>
> Thanks again!
> richf
>
Go into sudoers and replace the name of the binary with the name of a
script that echoes the real and effective user and group ids.
| |
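The kind of script Mumia W. suggests above, as an added example that is not part of the original thread: it reports the real and effective user and group ids, the variables sudo sets for the command it runs, and whether stdin is a terminal, so the CGI run can be compared with the run from a prompt. The script name idcheck.sh and the function name id_report are assumptions.

```shell
#!/bin/sh
# idcheck.sh (hypothetical name): added diagnostic example, not from the thread.
# Point the sudoers entry / Sudo.pm 'program' at this script instead of /bin/cp,
# then run it once from the prompt and once through the CGI and compare.

id_report() {
    # id -u / id -g print the effective ids; adding -r prints the real ids.
    printf 'ruid=%s euid=%s rgid=%s egid=%s\n' \
        "$(id -ru)" "$(id -u)" "$(id -rg)" "$(id -g)"
    printf 'ruser=%s euser=%s\n' "$(id -run)" "$(id -un)"

    # sudo sets these for the command it runs; "unset" means the script
    # was not started through sudo at all.
    printf 'SUDO_USER=%s SUDO_UID=%s\n' \
        "${SUDO_USER:-unset}" "${SUDO_UID:-unset}"
    printf 'SUDO_COMMAND=%s\n' "${SUDO_COMMAND:-unset}"

    # A CGI process normally has no terminal on stdin; a login prompt does.
    if [ -t 0 ]; then tty_state=yes; else tty_state=no; fi
    printf 'stdin_is_tty=%s\n' "$tty_state"

    # The environment under a web server is usually much smaller than a shell's.
    printf 'PATH=%s\n' "${PATH:-unset}"
}

# Report on stderr, which a web server typically logs for CGI programs.
id_report >&2
```

If the two reports differ in any field, that difference is the place to look before changing the sudoers entry further.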
| Richard Fernandez 2006-10-05, 9:57 pm |
| From: Mumia W. [mailto:mumia.w.18.spam+nospam@earthlink.net]
Thanks Mumia, and thanks to all who responded.
As it turns out, I was able to resolve the problem by replacing
'/bin/cp' with '/bin/mv'. Didn't think of it sooner, unfortunately. I'm
not sure why mv works and cp doesn't, especially since in my testing I
wasn't crossing filesystems. Everything I did was in /tmp.
Still, the problem has been resolved, yay!
Thanks again!!!
richf