how do i perform root actions from non-root account?

I want to be able to restart services from a php-script. running under the www-user account.

What's the preferred way to perform these actions?

I recon I can place create a file with que'd commands, read by CRON, but the solution itches.

What I'm thinking of is a tiny service, running under root, allowing predefined "methods" so arbitrary root actions cannot be executed.

Any tool out there for this?

Solution 1:

You could reinvent the wheel, but honestly, I use passwordless sudo for this. For example, my monitoring system needs to be able to run a command to check the hardware RAID. This requires root privilege, but I don't want to run the whole monitoring system as root, so instead I have in sudoers a line that says

nagios  ALL=(root) NOPASSWD: /usr/lib/nagios/plugins/check_md_raid

and then run the command sudo /usr/lib/nagios/plugins/check_md_raid as the monitoring user, when I need to check the RAID.

You could have a sudoers line that said

www-user    ALL=(root) NOPASSWD: /etc/rc.d/init.d/myservice

then have php execute sudo /etc/rc.d/init.d/myservice restart.

Solution 2:

Take a look at sudo: it allows to specify actions that can be performed as another user (root in your case).

You can for example add to your/etc/sudoers (don't edit the file directly use visudo)

www-user-account ALL= NOPASSWD: /usr/bin/mypredefinedaction

See man sudo for the details and syntax of the file