Editing sudoers.d to allow www-data run a specific file
I am running an Ubuntu server using Amazon AWS and I am trying to allow www-data to run a specific file that will push code to my git repository.
The file is under /var/ and I named it push.sh. I made a file under sudoers.d and added the following line using visudo:
    www-data ALL=NOPASSWD: /var/push.sh

Whenever I run

    sudo -u www-data sudo -l

I get the following response: "User www-data may run the following commands on (serverip): (root) NOPASSWD: /var/push.sh". However, when I try to run this command

    sudo -u www-data sudo sh /var/push.sh

I am being asked to enter a password for www-data.

Also, when I make a PHP file to run the code using shell_exec,

    sh /var/push.sh

works fine, but

    sudo sh /var/push.sh

does not. I would do it this way, but the problem is I need to use sudo in order for the git push to work properly.
I am probably missing something simple but I've been stuck on this for hours. Any help would be appreciated, thanks.
P.S. Let me know if I need to give more information.
21 Answer
The entry

    www-data ALL=NOPASSWD: /var/push.sh

allows www-data to execute exactly the command /var/push.sh without a sudo password. It does not extend the ability to sudo sh /var/push.sh or even sh /var/push.sh.

To work the way that you want, you must make /var/push.sh executable in its own right, i.e.

- make sure it has the appropriate shebang at the top (presumably #!/bin/sh, since you are trying to run it explicitly with sh)
- make it executable by at least www-data

Then invoke it directly as

    sudo -u www-data /var/push.sh
More in general
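The point of the answer is that sudo matches the rule against the command it is given: with a rule for /var/push.sh, running `sudo sh /var/push.sh` asks sudo to run `sh`, which is not in the rule, so it prompts for a password. The script therefore has to be runnable on its own. The following is an added example (not code from the original question or answer) of a small POSIX sh check a practitioner can run before granting a script through a NOPASSWD rule: it verifies the shebang and executable bit the answer asks for, and also that the file is owned by root and not writable by group or others, since a script that root runs on behalf of www-data must not be editable by www-data. The function names, the /var/push.sh path and the expected-owner parameter are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Paths and names are hypothetical.

# check_sudo_target SCRIPT [EXPECTED_OWNER]
# Returns 0 when SCRIPT is a sane target for "USER ALL=NOPASSWD: SCRIPT":
#   - it begins with a shebang, so sudo can run it without a leading "sh"
#   - it carries the executable bit
#   - it is owned by EXPECTED_OWNER (default root, the user sudo runs it as)
#   - it is not writable by group or others, so the invoking user cannot
#     change what root will execute
check_sudo_target() {
    script="$1"
    expected_owner="${2:-root}"

    [ -f "$script" ] || { echo "missing: $script"; return 1; }

    # First two bytes must be "#!"; "sudo /var/push.sh" fails without it.
    head -c 2 "$script" | grep -q '^#!' || { echo "no shebang: $script"; return 1; }

    [ -x "$script" ] || { echo "not executable: $script"; return 1; }

    # GNU stat (-c) first, BSD/macOS stat (-f) as a fallback.
    owner=$(stat -c '%U' "$script" 2>/dev/null || stat -f '%Su' "$script")
    [ "$owner" = "$expected_owner" ] || { echo "owner is $owner, expected $expected_owner: $script"; return 1; }

    perms=$(stat -c '%a' "$script" 2>/dev/null || stat -f '%Lp' "$script")
    # Last two octal digits are group and other; 2, 3, 6, 7 include the write bit.
    case "$perms" in
        *[2367]?|*[2367]) echo "group/other writable ($perms): $script"; return 1 ;;
    esac
    return 0
}

# sudoers_line USER SCRIPT prints a rule that matches exactly SCRIPT run as root.
# Writing "(root)" explicitly says the same thing sudo -l reported in the question.
sudoers_line() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# Usage (hypothetical path): validate the script, then print the rule to place
# in a file under /etc/sudoers.d via visudo.
if [ "${1:-}" = "--run" ]; then
    check_sudo_target /var/push.sh root && sudoers_line www-data /var/push.sh
fi
```

Run it against the real script with `sh check.sh --run`; if any check fails, the rule is not printed and the message says which precondition is missing. The ownership and write-bit checks are the part worth keeping even once the script runs: a NOPASSWD rule for a root-run file that www-data can edit would let anyone who can write as www-data run arbitrary commands as root.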