user `pp` not can reboot server, but he exists into the file "/etc/sudoers"

Windows
Posts: 59
Joined: 2021/06/16 13:20:01

user `pp` not can reboot server, but he exists into the file "/etc/sudoers"

Post by Windows » 2022/04/18 09:24:31

Hello, in the file "/etc/sudoers" I added this line:

Code:

pp	ALL=(ALL)	NOPASSWD:ALL

but when user `pp` executes the command:

Code:

reboot

the result is:

Code:

[pp@localhost ~]$ systemctl reboot -i
	==== AUTHENTICATING FOR org.freedesktop.login1.reboot-multiple-sessions ===
	Authentication is required for rebooting the system while other users are logged in.
	Authenticating as: Apache (apache)
	Password:

What do I need to change to enable the user `pp` to run any command without a password?


This is my file /etc/sudoers:

Code:

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
## 
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using 
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home
Defaults    match_group_by_gid

# Prior to version 1.8.15, groups listed in sudoers that were not
# found in the system group database were passed to the group
# plugin, if any. Starting with 1.8.15, only groups of the form
# %:group are resolved via the group plugin by default.
# We enable always_query_group_plugin to restore old behavior.
# Disable this option for new behavior.
Defaults    always_query_group_plugin

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## 	user	MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 
root	ALL=(ALL) 	ALL
pp	ALL=(ALL)	NOPASSWD:ALL

## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel	ALL=(ALL)	ALL

## Same thing without a password
# %wheel	ALL=(ALL)	NOPASSWD: ALL

## Allows members of the users group to mount and unmount the 
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: user `pp` not can reboot server, but he exists into the file "/etc/sudoers"

Post by TrevorH » 2022/04/18 11:22:04

You've allowed the user 'pp' to do anything at all at any time without using a password? So anyone that can get to be 'pp' can do anything they want....

You need to use sudo to use sudo. So your command needs to be sudo reboot, not just reboot.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Windows
Posts: 59
Joined: 2021/06/16 13:20:01

Re: user `pp` not can reboot server, but he exists into the file "/etc/sudoers"

Post by Windows » 2022/04/18 14:17:34

TrevorH wrote (2022/04/18 11:22:04):
...You need to use sudo to use sudo.

Thanks.

I created the user `pp` to do a test.

But my goal is to run the command

Code:

reboot

from https://web/reboot.php

But it always fails because https://web/reboot.php runs as the apache user.

Then I edited the file /etc/sudoers and ADDED the user apache in this form:

Code:

## Allow root to run any commands anywhere 
root	ALL=(ALL) 	ALL
pp	ALL=(ALL)	NOPASSWD:ALL
apache	ALL=(ALL)	NOPASSWD:ALL
php	ALL=(ALL)	NOPASSWD:ALL

Yes, I simply ADDED the user apache.

But the result is the same:
code "1" in $e when I run

Code:

$Q = exec('sudo reboot', $r, $e);

code "127" in $e when I run

Code:

$Q = exec('reboot', $r, $e);

So I still can't reboot the server from https://web/reboot.php

Here is my current /etc/sudoers file:

Code:

## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
## 
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using 
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem


## Command Aliases
## These are groups of related commands...

## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable

## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb

## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 

## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Refuse to run if unable to disable echo on the tty.
#
Defaults   !visiblepw

#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults    always_set_home
Defaults    match_group_by_gid

# Prior to version 1.8.15, groups listed in sudoers that were not
# found in the system group database were passed to the group
# plugin, if any. Starting with 1.8.15, only groups of the form
# %:group are resolved via the group plugin by default.
# We enable always_query_group_plugin to restore old behavior.
# Disable this option for new behavior.
Defaults    always_query_group_plugin

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults   env_keep += "HOME"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## 	user	MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 
root	ALL=(ALL) 	ALL
pp	ALL=(ALL)	NOPASSWD:ALL
apache	ALL=(ALL)	NOPASSWD:ALL
php	ALL=(ALL)	NOPASSWD:ALL


## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS

## Allows people in group wheel to run all commands
%wheel	ALL=(ALL)	ALL

## Same thing without a password
# %wheel	ALL=(ALL)	NOPASSWD: ALL

## Allows members of the users group to mount and unmount the 
## cdrom as root
# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom

## Allows members of the users group to shutdown this system
# %users  localhost=/sbin/shutdown -h now

## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d

How can I achieve my goal using PHP on this machine:

Code:

[root@localhost ~]#
[root@localhost ~]# lscpu
Architecture:          armv7l
Byte Order:            Little Endian
CPU(s):                4
On-line CPU(s) list:   0-3
Thread(s) per core:    1
Core(s) per socket:    4
Socket(s):             1
Model:                 4
Model name:            ARMv7 Processor rev 4 (v7l)
CPU max MHz:           1400.0000
CPU min MHz:           600.0000
BogoMIPS:              38.40
Flags:                 half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm crc32
[root@localhost ~]#

[root@localhost ~]# more /etc/redhat-release
CentOS Linux release 7.9.2009 (AltArch)
[root@localhost ~]#

[root@localhost ~]# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Mar 24 2022 14:58:21
[root@localhost ~]#

[root@localhost ~]# php -v
PHP 5.4.16 (cli) (built: Apr  1 2020 06:27:24)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
[root@localhost ~]#

And here is my PHP code:

Code:

<?php
session_start();
error_reporting(-1);
ini_set('display_errors', '1');

echo '<pre>';
$Q = exec('sudo reboot', $r, $e);		// $e receives the exit status: 1 (error code)
var_export($e);
echo '<hr />';
var_dump($e);

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: user `pp` not can reboot server, but he exists into the file "/etc/sudoers"

Post by TrevorH » 2022/04/18 15:24:27

To *use* sudo you actually have to *use* sudo. That is sudo reboot NOT reboot.

Windows
Posts: 59
Joined: 2021/06/16 13:20:01

Re: user `pp` not can reboot server, but he exists into the file "/etc/sudoers"

Post by Windows » 2022/04/18 16:03:42

TrevorH wrote (2022/04/18 15:24:27):
... is sudo reboot NOT reboot.

Master, please take a look at my PHP code:

Code:

<?php
session_start();
error_reporting(-1);
ini_set('display_errors', '1');

echo '<pre>';
$Q = exec('sudo reboot', $r, $e);		// $e is 1 after this call
var_export($e);
echo '<hr />';
var_dump($e);
echo '$Q:';
var_dump($Q);

You can see I use

Code:

sudo reboot;

then my browser shows:

Code:

1int(1)
$Q:string(0) ""

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: user `pp` not can reboot server, but he exists into the file "/etc/sudoers"

Post by TrevorH » 2022/04/18 16:39:43

I would suggest using full paths to everything, so not sudo but /bin/sudo and not reboot but /sbin/reboot. Also I suspect selinux probably won't like the thought of you trying to reboot the machine from within a web browser. Check the audit log with aureport -a and see if there are entries with the right timestamp for your last attempt.

Windows
Posts: 59
Joined: 2021/06/16 13:20:01

Re: user `pp` not can reboot server, but he exists into the file "/etc/sudoers"

Post by Windows » 2022/04/18 17:28:44

TrevorH wrote (2022/04/18 16:39:43):
... I suspect selinux probably won't like the thought of you trying to reboot the machine from within a web browser. Check the audit log...

Thanks.

My PHP code:

Code:

<?php
exec('sudo reboot', $r, $e);

Result: 1
Value of $Q = empty

My /etc/sudoers:

Code:

...
## Allow root to run any commands anywhere 
root	ALL=(ALL) 	ALL
pp	ALL=(ALL)	NOPASSWD:ALL
apache	ALL=(ALL)	NOPASSWD:ALL
php	ALL=(ALL)	NOPASSWD:ALL
...

My /etc/selinux/config:

Code:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.

#SELINUX=enforcing
SELINUX=disabled

disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Then from a terminal connected to the "REMOTE HOST" I run the command:

Code:

journalctl -f

I open from ANOTHER MACHINE with W10, connected via WIFI:

https://192.168.20.67/rb/reboot.php

The terminal shows:

Code:

Apr 18 12:19:20 localhost sudo[2206]: pam_unix(sudo:auth): conversation failed
Apr 18 12:19:20 localhost sudo[2206]: pam_unix(sudo:auth): auth could not identify password for [apache]

But please note: I have in the file /etc/sudoers

Code:

...
apache	ALL=(ALL)	NOPASSWD:ALL
...

How can I restart using https://web/reboot.php?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: user `pp` not can reboot server, but he exists into the file "/etc/sudoers"

Post by TrevorH » 2022/04/18 17:41:12

Read my last post again.

And we really do not recommend disabling selinux. It's there to protect you. Use it.

Windows
Posts: 59
Joined: 2021/06/16 13:20:01

Re: user `pp` not can reboot server, but he exists into the file "/etc/sudoers"

Post by Windows » 2022/04/18 17:46:32

TrevorH wrote (2022/04/18 17:41:12):
Read my last post again.

And we really do not recommend disabling selinux. It's there to protect you. Use it.

Thanks.

Master, this PC is in my room, connected by WIFI to my WLAN, no security risk.

When I run

Code:

exec('/bin/sudo /sbin/reboot', $r, $e);		// $e is 1

the terminal running

Code:

journalctl -f

again says:

Code:
Apr 18 12:47:09 localhost sudo[2515]: pam_unix(sudo:auth): conversation failed
Apr 18 12:47:09 localhost sudo[2515]: pam_unix(sudo:auth): auth could not identify password for [apache]
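To make TrevorH's objection concrete, here is an added example (not code from this thread or from sudo itself) that models, in a deliberately simplified way, how sudo matches plain user rules like the ones posted above: the posted `apache ALL=(ALL) NOPASSWD:ALL` line beside a least-privilege rule that lets the web server user run only `/sbin/reboot`, as root, with no arguments. Group rules, aliases, hosts and wildcards are not modelled, and the two rule sets are constructed samples.

```python
import re
# Added example, not from the thread: a simplified model of sudo's user-rule matching.
# sudoers(5): every matching entry is visited and the LAST match decides the outcome.
RULE = re.compile(r'^(\S+)\s+(\S+)\s*=\s*(?:\((\S+?)\))?\s*(.+)$')

def parse_cmnd_list(spec):
    # 'NOPASSWD: /sbin/reboot "", /bin/kill' -> [(True, path, args), ...];
    # a NOPASSWD/PASSWD tag sticks to every command after it in the list.
    entries, nopasswd = [], False
    for item in spec.split(','):
        item = item.strip()
        tag, sep, rest = item.partition(':')
        if sep and tag in ('NOPASSWD', 'PASSWD'):
            nopasswd, item = tag == 'NOPASSWD', rest.strip()
        path, _, args = item.partition(' ')
        entries.append((nopasswd, path, args.strip()))
    return entries

def parse_sudoers(text):
    # Keep only per-user rules; Defaults, aliases and %group lines are skipped here.
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(('#', 'Defaults', '%')) or '_Alias' in line:
            continue
        m = RULE.match(line)
        if m:
            user, _host, runas, spec = m.groups()
            rules.append((user, runas or 'root', parse_cmnd_list(spec)))
    return rules

def check(rules, user, argv, target='root'):
    # argv[0] is the already path-resolved command (sudo resolves 'reboot' through
    # secure_path). Returns 'denied', 'password' or 'nopasswd'; the last match wins.
    verdict = 'denied'
    for ruser, runas, cmds in rules:
        if ruser != user or runas not in ('ALL', target):
            continue
        for nopasswd, path, args in cmds:
            if path == 'ALL':
                matched = True
            elif path != argv[0]:
                matched = False
            elif args == '""':            # "" in sudoers: no arguments permitted
                matched = len(argv) == 1
            else:                         # no args listed: any arguments permitted
                matched = not args or args.split() == argv[1:]
            if matched:
                verdict = 'nopasswd' if nopasswd else 'password'
    return verdict

# Constructed samples: the rules as posted in this thread, and a least-privilege
# replacement that lets the web server user run exactly one command, as root.
POSTED = "root\tALL=(ALL) \tALL\npp\tALL=(ALL)\tNOPASSWD:ALL\napache\tALL=(ALL)\tNOPASSWD:ALL\n"
HARDENED = "root\tALL=(ALL)\tALL\napache\tALL=(root)\tNOPASSWD: /sbin/reboot \"\"\n"
```

On the real system, after editing with visudo, `sudo -l -U apache` (as root) prints what sudo itself will allow that user, which is the authoritative check rather than this model.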
