Fastest Way to Determine User Permissions in /etc/sudoer
If sudo -v
succeeds, the user has been authorized to use sudo
; if it fails, then the user has not been authorized to use sudo
.
# su user -c 'setsid sudo -v </dev/null'; echo $?
[sudo] password for user:
1
# su root -c 'setsid sudo -v </dev/null'; echo $?
0
Without setsid, sudo
will try to ask for the password interactively even if stdin/stdout/stderr have all been redirected. If you don't have a controlling terminal, this isn't needed, but you will probably need something other than su
to change user permissions, like fork+setreuid.
User Permissions in Ubuntu
It seems like your user account has not been added to the sudoers file, hence you don’t have permission to edit the sudoers file or switch to super user.
Ask somebody (who already is in sudoers list) to add you in the sudoers list. and then you will have the appropriate permissions to do stuffs using sudo.
Thanks.
smartest way to use config /etc/sudoers for www-data
It's a very bad idea to set www-data
as a sudoer, even more so as a sudoer without password. It would mean if anyone somehow managed to trigger some PHP code through the web server (any kind of Remove Code Execution vulnerability), they can take over the entire server since they can perform commands as SUDO without needing a password on your entire server.
Here are a couple of possible alternatives:
Depending on what the files are, you could give
www-data
the needed permission to those specific file.Work with queues. Let PHP add the action to a queue, then have some script (could be called using CRON every few seconds, or you create a different service running as a daemon) read and perform the actions in the queue. Then you can also limit and verify the actions it can perform before it performs them.
What is the best way for checking if the user of a script has root-like privileges?
Under the "Easier to Ask Forgiveness than Permission" principle:
try:
os.rename('/etc/foo', '/etc/bar')
except IOError as e:
if (e[0] == errno.EPERM):
sys.exit("You need root permissions to do this, laterz!")
If you are concerned about the non-portability of os.geteuid()
you probably shouldn't be mucking with /etc
anyway.
Safely granted user sudo access
The problem is not just that vim
can run external commands.
vim
is an editor, so if it runs as root
, you could directly modify system files like /etc/passwd
and /etc/shadow
, which would allow you to reset the password on any account you want, including the root account.
More specifically, I could start vim
with the command /usr/bin/vim /etc/httpd/confs/httpd.conf
, and then immediately type :e /etc/passwd
and now I can write to your /etc/passwd
.
If you are just trying to secure the one file /etc/httpd/confs/httpd.conf
, you could use Access Control Lists
and add the user to the ACL for that file.
You could also make that file writeable by a non-root group with chmod g+w
, and add the user to that group.
Related Topics
Counting Lines Starting with a Certain Word
Cannot Find Module 'Firebase-Admin' When Trying to Deploy Firebase Functions
How to Simulate a Usb Printer to Lpt on Linux
Error When Compiling Linux Kernel 3.2 for Arm
Replace a String in a File with Contents Copied from Another File
Using Ebpf to Measure CPU Mode Switch Overhead Incured by Making System Call
Starting with Kde Frameworks 5 and Qt Creator
Shell Must Parse Ls -Al Output and Get Last Field (File or Directory Name) Any Solution
How to Enable or Configure Ftrace Module
Can't Load Mod_Wsgi Compiled for Python 3
Syscall Hooking on Kali Linux (Kernel Version 5)
How to Clone a Git Repository Which Is Present on a Remote Linux Server into Windows
How to Print Multiple Variables Using Printf
Phony Targets for Parallel Execution of Make
How to Stop Page Cache for Disk I/O in My Linux System
Difference Between The Commands "Gcloud Compute Ssh" and "Ssh"
How to Issue "Module Load" in a Shell or Perl Script (I.E., Non-Interactively)