1

I have the following problem.

When I launch the df command as a regular user of the machine, it outputs what I need:

enter image description here

But when I try to launch it as another user (www-data in this case), I have problems with permissions:

enter image description here

I understand that this is because user www-data doesn't have enough privileges. But I don't want to raise its privileges.

It would be perfect to allow this user to launch only some programs as root without entering the root password and without increasing its privileges. It's OK if I am asked to enter root's password one time and am then able to run the command with full privileges without entering the root password again.

Note:

I have root access to machine.

Can this be achieved somehow?

Tebe
  • 185

2 Answers

0

This is not because www-data doesn't have enough privileges, it's because www-data doesn't own the files in question. Permissions for both locations are likely set to drwx------, meaning only the owner can read the file. gvfs is used for a mount point for Filesystems in Userspace (FUSE) and is therefore owned by a user, and /media/sh/... is apparently owned by the user sh. Since /dev/sda4 was mounted to a mount point owned by sh, www-data can't traverse it. Even to a user with elevated privileges the gvfs file system will generally be inaccessible.

For the /media/sh/... issue, you could change the permissions for that mount point or simply unmount and re-mount /dev/sda4 to another mount point that has drwxr-xr-x permissions. For gvfs, you can't traverse it as another user. There are workarounds, but they shouldn't be implemented on a multi-user system.

Red Anne
  • 539
  • it seems you are right to some extent. Launching program as sudo -u www-data df suffers from this problem, but it can be solved by launching it as sudo -u www-data sudo df – Tebe Jan 14 '15 at 13:13
  • You seem to misunderstand. There is no "process in question". 'www-data' simply does not have access, as the question indicated. The program is being run as 'www-data', not as root. – psusi Jan 14 '15 at 21:10
  • @psusi, I've edited to indicate "files" rather than "processes"; however, with regard to the gvfs, the file systems themselves are processes running in userspace – Red Anne Jan 14 '15 at 21:36
  • Sure, but that's neither here nor there. The issue is that the permissions do not give www-data access; it is not "acting as root via sudo"; sudo is being used here to become www-data, not root. – psusi Jan 14 '15 at 23:55
  • Sorry, that was confusing. The point was that no other user can access the gvfs systems other than the owner, even with elevated privileges, though you're right, that's not really relevant in the sentence I put it in; editing to clarify. – Red Anne Jan 15 '15 at 02:28
0

You want to modify the /etc/sudoers file to allow anyone to run df with sudo without needing to know the root password.

See How to run a specific program as root without a password prompt? for more information to get that set up.

jas_raj
  • 216
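One way to set up the sudoers rule the answer above points to, scoped to www-data and df only rather than to every user. This is an added example, not part of the original answers; the /bin/df path, the /etc/sudoers.d drop-in directory and the function names make_rule and install_rule are assumptions.

```shell
#!/bin/sh
# Added example: passwordless sudo for one user and one command.
# Assumptions: df lives at /bin/df and /etc/sudoers includes /etc/sudoers.d.

# make_rule USER COMMAND: print one sudoers line, or fail on unsafe input.
make_rule() {
    user=$1
    cmd=$2
    [ -n "$user" ] || { echo "user is required" >&2; return 1; }
    # sudoers matches commands by absolute path; a bare name is rejected.
    case $cmd in
        /*) ;;
        *) echo "command must be an absolute path: $cmd" >&2; return 1 ;;
    esac
    # Refuse anything that could smuggle extra entries into the rule
    # (commas, spaces, wildcards, line breaks).
    case $user$cmd in
        *[!A-Za-z0-9_./-]*) echo "unsafe character in input" >&2; return 1 ;;
    esac
    # (root) limits the target user; NOPASSWD applies to this command only.
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$cmd"
}

# install_rule USER COMMAND: syntax-check the rule, then install it as a
# drop-in. Must be run as root.
install_rule() {
    tmp=$(mktemp) || return 1
    make_rule "$1" "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    # sudo skips drop-in files whose name contains a dot, so replace dots.
    name=$(printf '%s-%s' "$1" "$(basename "$2")" | tr . _)
    # visudo -c -f checks the file's syntax without touching /etc/sudoers,
    # so a broken rule never reaches the live configuration.
    if visudo -c -f "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/$name"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage, as root:   install_rule www-data /bin/df
# Then www-data can run "sudo -n df"; -n fails instead of prompting.
```

The rule grants df with any arguments but nothing else, so www-data's privileges for every other command stay as they were.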