Koozali.org: home of the SME Server

sudo access to one command only

Offline groyk

sudo access to one command only
« on: January 03, 2022, 02:44:35 PM »
I am trying to send WOL packet from website installed in an ibay.

But I am getting error below.

How do I allow execution of ether-wake from ibay?

www.myserver.com : Jan  3 13:56:39 : apache : user NOT in sudoers ; TTY=unknown ; PWD=/home/e-smith/files/ibays/my-Ibay/html ; USER=root ; COMMAND=ether-wake -i eth0 xx:xx:xx:xx:xx:xx

Offline mab974

Re: sudo access to one command only
« Reply #1 on: January 03, 2022, 05:47:39 PM »
Is root access really needed? wol (from EPEL) does not!

Offline groyk

Re: sudo access to one command only
« Reply #2 on: January 03, 2022, 08:25:44 PM »
Quote
Is root access really needed? wol (from EPEL) does not!

If I run the command without sudo I get "command not found".

I will try wol instead. I think it is better not to open sudo access to Apache.


Offline ReetP

Re: sudo access to one command only
« Reply #3 on: January 03, 2022, 10:20:02 PM »
It is possible to run commands but disabled by default for safety.

Look at the webapps contrib for how to enable various functions eg phpinfo etc.

For ether-wake you need the ethtool rpm. You can then at least run in a shell.

Last I think the dhcpd manager contrib used to allow this from server-manager. Check the contribs section in the wiki.
That may pull in the right package for you.

https://wiki.koozali.org/Dhcpmanager
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline groyk

Re: sudo access to one command only
« Reply #4 on: January 04, 2022, 07:02:22 AM »
Quote
It is possible to run commands but disabled by default for safety.

Look at the webapps contrib for how to enable various functions eg phpinfo etc.

For ether-wake you need the ethtool rpm. You can then at least run in a shell.

Last I think the dhcpd manager contrib used to allow this from server-manager. Check the contribs section in the wiki.
That may pull in the right package for you.

https://wiki.koozali.org/Dhcpmanager

I have used the dhcp manager. But I need users to start local machines.

I tried the wol rpm from EPEL, and it worked without root access. :-)

Thank you both for your help. I was asking because I did not want to grant root access if possible.

Offline ReetP

Re: sudo access to one command only
« Reply #5 on: January 04, 2022, 10:09:39 AM »
Use the user panel contrib and only give them access to the dhcpd panel......

Think that should work.

Offline ReetP

Re: sudo access to one command only
« Reply #6 on: January 04, 2022, 10:11:36 AM »
Quote
I was asking because I did not want to grant root access if possible.

Just thought about this.

You absolutely should NOT do this for users. Under no circumstances.

See my comment above, or find a different method, but do not give them root access to your server (you are using ssh keys and not passwords???????)

Offline groyk

Re: sudo access to one command only
« Reply #7 on: January 04, 2022, 10:47:02 AM »
Quote
Just thought about this.

You absolutely should NOT do this for users. Under no circumstances.

See my comment above, or find a different method, but do not give them root access to your server (you are using ssh keys and not passwords???????)

I use a password, but it is only accessible in the local network. I believe that it is OK.

I did get the wakeup working by using the epel wol.rpm - No root access needed.

Offline ReetP

Re: sudo access to one command only
« Reply #8 on: January 04, 2022, 12:02:26 PM »
Quote
I use a password, but it is only accessible in the local network. I believe that it is OK.

Better to get in the habit of keys. MUCH more secure. Just do it.

Quote
I did get the wakeup working by using the epel wol.rpm - No root access needed.

Cool!!

Please explain what you did here for others.

Offline groyk

Solution WakeOnLan from PHP
« Reply #9 on: January 04, 2022, 12:49:40 PM »
How to make WakeOnLan from PHP

1. Allow shell_exec in the ibay (e.g. use https://wiki.koozali.org/Webhosting)
2. Install the EPEL repository (https://wiki.koozali.org/Epel#tab=For_SME_10_x)
3. Install wol.rpm (yum install wol --enablerepo=epel)

Now you can call the following from your PHP site

Code:
shell_exec('wol xx:xx:xx:xx:xx:xx');

Thanks to mab974 regarding the tink to wol.rpm

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: sudo access to one command only
« Reply #10 on: January 04, 2022, 03:32:06 PM »
Use the full path for the command.
You just do not want to assume PATH is set right for the PHP user.

Then please use phpbasedir correctly to limit the ibay PHP user to the ibay + the command you need and nothing else.
shell_exec is a powerful way to escalate privilege.
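
Added example (not code posted by anyone in this thread): a PHP wrapper that combines the shell_exec call from Reply #9 with the full-path advice from Reply #10, and lets a request only pick a machine from a fixed list so that no request data reaches the shell. The path /usr/bin/wol, the function names and the MAC addresses are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread.
declare(strict_types=1);

// Assumed install path of the EPEL wol binary; confirm with `rpm -ql wol`.
const WOL_BIN = '/usr/bin/wol';

// Constructed allow-list: label shown to users => MAC address to wake.
const WAKE_TARGETS = [
    'office-pc' => '00:11:22:33:44:55',
    'lab-pc'    => '66-77-88-99-AA-BB',
];

// Return the MAC as lowercase colon-separated hex, or null if malformed.
function normalize_mac(string $mac): ?string
{
    $mac = str_replace('-', ':', strtolower(trim($mac)));
    return preg_match('/\A(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\z/', $mac) === 1 ? $mac : null;
}

// Build the shell command for a known target; request data never reaches
// the command line, it only selects an entry from WAKE_TARGETS.
function build_wol_command(string $target): ?string
{
    if (!array_key_exists($target, WAKE_TARGETS)) {
        return null;
    }
    $mac = normalize_mac(WAKE_TARGETS[$target]);
    if ($mac === null) {
        return null;
    }
    return WOL_BIN . ' ' . escapeshellarg($mac) . ' 2>&1';
}

// Send the magic packet; returns wol's output, or null if refused, failed or silent.
function wake(string $target): ?string
{
    $cmd = build_wol_command($target);
    if ($cmd === null) {
        return null;
    }
    $out = shell_exec($cmd);
    return is_string($out) ? $out : null;
}

// Constructed inputs: two valid labels, a raw MAC, and a label with shell syntax.
foreach (['office-pc', 'lab-pc', '00:11:22:33:44:55', 'office-pc; id'] as $input) {
    printf("%-20s => %s\n", $input, build_wol_command($input) ?? 'rejected');
}
```

The loop at the end only prints the commands that would be built; a page in the ibay would call wake() with the label taken from the request.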

Offline ReetP

Re: sudo access to one command only
« Reply #11 on: January 04, 2022, 04:21:29 PM »
Quote
shell_exec is a powerful way to escalate privilege

A little bit of knowledge is a very dangerous thing....