[nycphp-talk] SSH2_CONNECT

Leam Hall leam at reuel.net
Fri Jul 31 20:35:00 EDT 2009



http://forums.fedoraforum.org/showthread.php?t=159677

[root@leam ~]# grep -i tty /etc/sudoers
Defaults    requiretty

That might help.  :)

Leam

Michele Waldman wrote:
> Thank you.
> 
> sudo: sorry, you must have a tty to run sudo
> 
> I don't know how to resolve this.
> 
> Michele
> 
>> -----Original Message-----
>> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
>> On Behalf Of Leam Hall
>> Sent: Friday, July 31, 2009 8:22 PM
>> To: NYPHP Talk
>> Subject: Re: [nycphp-talk] SSH2_CONNECT
>>
>> Drat! That's my favorite reading.  :)
>>
>> Couple more ideas, based on an OS perspective. If it's a PHPism, I'm not
>> so good...
>>
>> If the copy_sites program is a script and not a binary, edit it early on
>> to create a temporary file. For example, put in a line "echo guido >
>> /tmp/woo-hoo". See if it writes it. If so, then it's choking on the
>> script. If not, then it's not getting to the script.
>>
>> Also, have it echo $id to a temp file to make sure the variable
>> substitution is happening correctly.
>>
>> Hope that helps.
>>
>> Leam
>>
>> Michele Waldman wrote:
>>> I didn't see anything in /var/log/messages.
>>>
>>> Michele
>>>
>>>> -----Original Message-----
>>>> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
>>>> On Behalf Of Leam Hall
>>>> Sent: Friday, July 31, 2009 7:58 PM
>>>> To: NYPHP Talk
>>>> Subject: Re: [nycphp-talk] SSH2_CONNECT
>>>>
>>>> Hey Michele.
>>>>
>>>> Can you edit /etc/sudoers? You might be able to give it the NOPASSWD
>>>> option, to at least shorten it a bit.
>>>>
>>>> Can you read /var/log/messages and the web server log to see if they say
>>>> anything?
>>>>
>>>> Leam
>>>>
>>>> Michele Waldman wrote:
>>>>> So I rewrote the code in bash due to my client's concern about bandwidth.
>>>>> Here's my new problem:
>>>>> $msg = exec("echo $password | sudo /home/user/site_util/copy_sites $id 2> /dev/null");
>>>>>
>>>>> The script isn't running.
>>>>>
>>>>> Since it's running from http, I modified the user nobody to have /bin/bash
>>>>> in /etc/passwd and gave the user a password.
>>>>>
>>>>> I can login to the server as nobody and run this code on the command line.
>>>>> Works fine.
>>>>>
>>>>> Does anyone know why this execute isn't working in php?
>>>>>
>>>>> Michele
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
>>>>>> On Behalf Of Kenneth Dombrowski
>>>>>> Sent: Friday, July 31, 2009 7:33 AM
>>>>>> To: NYPHP Talk
>>>>>> Subject: Re: [nycphp-talk] SSH2_CONNECT
>>>>>>
>>>>>> On 09-07-30 17:05 -0400, Ajai Khattri wrote:
>>>>>>> Most probably your PHP script will be running under the same username as
>>>>>>> Apache (i.e. www or nobody) so sudo wouldn't work anyway. (And you
>>>>>>> wouldn't want to give www or nobody sudo privilege anyway!).
>>>>>> All this talk about sudo not working made me curious -- why shouldn't it
>>>>>> work?  It will, and a well configured sudo offers a very fine level of
>>>>>> control -- though whether one wants to do it is another question
>>>>>>
>>>>>> # visudo
>>>>>> Defaults:www-data       !lecture
>>>>>> Defaults:www-data       !authenticate
>>>>>> www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache
>>>>>>
>>>>>> The first two lines get rid of sudo's usual prompts, since it will never
>>>>>> run interactively, & the last specifies a single command + argument
>>>>>> www-data is allowed to run as kenneth (you can use shell-style globs)
>>>>>>
>>>>>> # sudo.php
>>>>>> <?php
>>>>>> header('Content-type: text/plain');
>>>>>> $f = '/tmp/sudoer.apache';
>>>>>> system("sudo -u kenneth /usr/bin/touch $f");
>>>>>> print "\n$f exists? " . (bool) file_exists($f);
>>>>>>
>>>>>> kenneth@gilgamesh:~$ elinks --dump http://localhost/tmp/sudo.php
>>>>>>    /tmp/sudoer.apache exists? 1
>>>>>> kenneth@gilgamesh:~$ ls -l /tmp/sudoer.apache
>>>>>> -rw-r--r-- 1 kenneth kenneth 0 2009-07-30 19:52 /tmp/sudoer.apache
>>>>>>
>>>>>> So on debian, www-data successfully created a file as kenneth.  On FreeBSD
>>>>>> I think www/nobody/whatever has a /bin/false shell, so there it won't
>>>>>> work.  Of course, you shouldn't do it on shared hosts, and I'm sure
>>>>>> somebody will tell me you shouldn't do it at all, but it's not due to a
>>>>>> technical limitation
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> New York PHP User Group Community Talk Mailing List
>>>>>> http://lists.nyphp.org/mailman/listinfo/talk
>>>>>>
>>>>>> http://www.nyphp.org/show_participation.php
> 
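
Added example, not part of the thread: one way to run the copy_sites call from PHP without a tty or a piped password, without passing $id through a shell, and without discarding the stderr line that carries sudo's "you must have a tty" message. It assumes the sudoers entries shown in the comments, a root target user, and a digits-only $id, none of which the thread confirms.

```php
<?php
// Assumed sudoers entries (edit with visudo), using the account and script
// path mentioned in the thread; the (root) target is an assumption:
//   Defaults:nobody !requiretty
//   nobody ALL = (root) NOPASSWD: /home/user/site_util/copy_sites
// The rule does not restrict arguments, so copy_sites must validate them too.

function run_copy_sites(string $id): array
{
    // Assumption: ids are short decimal numbers. Reject everything else
    // before it gets anywhere near a process.
    if (!preg_match('/\A[0-9]{1,10}\z/', $id)) {
        throw new InvalidArgumentException('id must be 1-10 digits');
    }

    // Array form (PHP 7.4+) starts sudo directly with no /bin/sh in between,
    // so $id is a single argv entry and is never parsed by a shell.
    // -n makes sudo fail at once instead of prompting for a password.
    $cmd = ['sudo', '-n', '/home/user/site_util/copy_sites', $id];

    $spec = [
        0 => ['null'],          // no stdin: nothing is piped into sudo
        1 => ['pipe', 'w'],
        2 => ['redirect', 1],   // merge stderr into stdout so errors are kept
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start sudo');
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $status = proc_close($proc);   // exit status of sudo / copy_sites

    return ['status' => $status, 'output' => $output];
}

$result = run_copy_sites('42');    // constructed sample id
if ($result['status'] !== 0) {
    // A requiretty or password problem is reported here, not silently lost.
    error_log('copy_sites failed (' . $result['status'] . '): '
        . trim($result['output']));
}
```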
