4

I'm using the nginx web server and I'm writing a script that includes file creation, but www-data is not able to create the file even though I gave it permission in the sudoers list.

Inside my sudoers file:

www-data ALL=(ALL) NOPASSWD: /usr/bin/php, /usr/bin/python

I even tried to give ALL permission, but it still isn't able to create the file via the browser.

www-data ALL=(ALL) NOPASSWD: ALL

My simple script just wants to create a file, and it works via the terminal but not in the browser.

<?php
$data = "test";
shell_exec("sudo /bin/echo $data > /var/www/api/v3/monitoring/iam/temp");
Mboy
  • 49
  • For the sake of future visitors, as this one is popping up here too frequently: running web servers/processes as root is a very bad idea. – Rui F Ribeiro Dec 03 '15 at 07:48

2 Answers

5

If you type sudo echo $data >file, your shell will first open the output file as the normal user and then run sudo echo with its output connected to the already opened file. Therefore the echo command is run as root, but the file is opened as the normal user.

You need a construct like sudo sh -c 'echo $data >file'.

Maybe it is easier to give your user write permission to the given directory using chmod.

michas
  • 21,510
  • Thank you so much @michas! I followed you and updated the sudoers file to

    www-data ALL=(ALL) NOPASSWD: /usr/bin/php, /usr/bin/python, /bin/sh

    – Mboy Dec 03 '15 at 06:48
  • 1
    Be aware that there is a good reason not to run your web server as root. If you give your user full sudo powers, security is pretty much the same as running your server as root altogether. – michas Dec 03 '15 at 06:51
  • Especially insecure to give up root permissions to 3 command interpreters. I agree with michas, change the permissions on the directory, don't give the webserver root access on those command interpreters. That's like giving full root access to the web server user. – RobertL Dec 03 '15 at 06:59
  • @RobertL and michas - I appreciate your reminders but I will keep this for now since this is just for internal purposes only and not accessible to others.. I will surely look into the security issues in this project .. Thank you so much – Mboy Dec 03 '15 at 07:06
  • Anyway, I changed my mind.. :)

    I did

    chown -R root:www-data /var/www/ and chmod -R 775 /var/www/

    and then removed the www-data ALL=(ALL) NOPASSWD: /usr/bin/php, /usr/bin/python, /bin/sh

    – Mboy Dec 03 '15 at 07:13
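
The point made in the comments above, that sudo rights on a command interpreter amount to full root access, can be checked mechanically. The following audit is an added example, not code from the thread: it assumes simple one-line user specifications (no aliases, includes or line continuations), and the interpreter list and the `deploy` entry are constructed for illustration.

```python
import os
import re

# Programs that execute arbitrary code once started as root.
# Constructed list for this example, not exhaustive.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "php", "python", "python3", "perl", "ruby"}

# Simplified user specification: user host=(runas) [TAG:] cmd, cmd, ...
SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...


def audit_line(line):
    """Return (user, command, reason) findings for one sudoers line."""
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
        return []
    m = SPEC.match(line)
    if not m:
        return []
    # A missing Runas_Spec means root; ALL includes root.
    runas_users = [u.strip() for u in (m["runas"] or "root").split(":")[0].split(",")]
    if not {"root", "ALL"} & set(runas_users):
        return []
    findings = []
    for cmd in m["cmds"].split(","):
        cmd = TAGS.sub("", cmd.strip())
        if not cmd:
            continue
        program = os.path.basename(cmd.split()[0])
        if cmd == "ALL":
            findings.append((m["user"], cmd, "every command as root"))
        elif program in INTERPRETERS:
            findings.append((m["user"], cmd, "interpreter as root is a root shell"))
    return findings

# The first three entries come from the thread; the last line is constructed.
SAMPLE = """\
www-data ALL=(ALL) NOPASSWD: /usr/bin/php, /usr/bin/python
www-data ALL=(ALL) NOPASSWD: ALL
www-data ALL=(ALL) NOPASSWD: /usr/bin/php, /usr/bin/python, /bin/sh
deploy ALL=(root) NOPASSWD: /usr/sbin/service nginx reload
"""

if __name__ == "__main__":
    for entry in SAMPLE.splitlines():
        for user, cmd, reason in audit_line(entry):
            print(f"{user}: {cmd} -> {reason}")
```
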
0

I think that the warning that running a web server process as root is a bad idea should be taken into account. With that caveat, to answer the OP, for me the key was to add the directory where the file was to be generated to the sudoers file. For example, if the file is to be written to the directory /var/www/api/v3/monitoring/iam/temp, then the sudoers file could have the following entry.

www-data ALL=ALL NOPASSWD:/var/www/api/v3/monitoring/iam/temp

In this case, at least, the danger of giving the web server root privileges is contained to one directory. And I did not need a sudo preceding the exec command. For example, the php exec would just be as follows.

<?php
$data = "test";
shell_exec("echo $data > /var/www/api/v3/monitoring/iam/temp");