How do I perform root actions from a non-root account?
I want to be able to restart services from a PHP script running under the www-user account.
What's the preferred way to perform these actions?
I reckon I can create a file with queued commands, read by cron, but the solution itches.
What I'm thinking of is a tiny service, running under root, allowing predefined "methods" so arbitrary root actions cannot be executed.
Any tool out there for this?
Solution 1:
You could reinvent the wheel, but honestly, I use passwordless sudo for this. For example, my monitoring system needs to be able to run a command to check the hardware RAID. This requires root privilege, but I don't want to run the whole monitoring system as root, so instead I have in sudoers a line that says
nagios ALL=(root) NOPASSWD: /usr/lib/nagios/plugins/check_md_raid
and then run the command sudo /usr/lib/nagios/plugins/check_md_raid as the monitoring user, when I need to check the RAID.
You could have a sudoers line that said
www-user ALL=(root) NOPASSWD: /etc/rc.d/init.d/myservice
then have PHP execute sudo /etc/rc.d/init.d/myservice restart.
Solution 2:
Take a look at sudo: it allows you to specify actions that can be performed as another user (root in your case).
You can, for example, add to your /etc/sudoers (don't edit the file directly; use visudo):
www-user-account ALL= NOPASSWD: /usr/bin/mypredefinedaction
See man sudo for the details and syntax of the file.
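Added example, not part of either answer: a sudoers command listed without arguments may be run with any arguments, so one way to get the "predefined methods" the question asks for is to make the sudo target a small root-owned wrapper that checks an allowlist before calling the init script. The wrapper path /usr/local/sbin/svc-restart and the two allowlists are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical wrapper /usr/local/sbin/svc-restart: the only command www-user
# may run through sudo. Matching sudoers entry (edit with visudo):
#   www-user ALL=(root) NOPASSWD: /usr/local/sbin/svc-restart
# The file must be owned by root and not writable by www-user.

# Constructed allowlists; replace with what the PHP script really needs.
ALLOWED_SERVICES="myservice"
ALLOWED_ACTIONS="restart status"

# in_list WORD LIST: succeed only on an exact, whole-word match.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# build_command SERVICE ACTION: print the init script invocation for an
# allowlisted pair, or fail without printing anything.
build_command() {
    [ "$#" -eq 2 ] || return 1
    in_list "$1" "$ALLOWED_SERVICES" || return 1
    in_list "$2" "$ALLOWED_ACTIONS" || return 1
    printf '%s %s\n' "/etc/rc.d/init.d/$1" "$2"
}

main() {
    if ! build_command "$@" >/dev/null; then
        echo "svc-restart: request refused" >&2
        return 1
    fi
    # Fixed PATH and empty environment so nothing from the caller leaks in.
    exec env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin "/etc/rc.d/init.d/$1" "$2"
}

# Run only when called with arguments: sudo svc-restart myservice restart
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

From PHP the call would then be sudo /usr/local/sbin/svc-restart myservice restart, with both arguments passed as separate, fixed strings rather than built from request data.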