sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted

So the problem is that the error comes up in apache.err.

I CAN execute as the user in the shell.

root@ubuntu:~# su www-data
www-data@ubuntu:/root$ sudo /usr/local/bin/metronomectl restart
Stopped
Started
www-data@ubuntu:/root$

But when I try the same command through PHP

exec('sudo /usr/local/bin/metronomectl restart');

I get the error

sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted

User www-data IS in sudoers.

I'm at the end of my wits here... Any help is appreciated.

PS. Please ask if you need any extra info.

edit:

root@ubuntu:~# uname -a
Linux ubuntu 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:~#

sudoers line:

www-data ALL= NOPASSWD: /usr/local/bin/metronomectl

3 answers



Instead of disabling mpm-itk outright, you could simply disable its limits on sudo:

<IfModule mpm_itk_module>
    # Permit using "sudo"
    LimitUIDRange 0 65534
    LimitGIDRange 0 65534
</IfModule>



Fixed by disabling mpm_itk module in apache.




Since mpm-itk has to be able to setuid(), it runs as root (although restricted with POSIX capabilities and seccomp v2 where possible)

It looks like seccomp v2 support (when on Linux 3.5.0 or newer) completely breaks the execution of things like sudo or crontab, since they use the setuid syscall internally.

A workaround is to not use mpm_itk, or avoid executing such binaries.

Refs: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738131
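
To check whether the seccomp confinement described in this answer applies to a given process, the following added example (not part of the original question or answers) reads a `/proc/<pid>/status` snapshot and reports the settings that stop sudo from changing UID. The function names `status_field`, `seccomp_mode` and `sudo_blockers` are hypothetical, the sample input is constructed, and the `NoNewPrivs` check goes beyond the thread (that field only exists on kernels newer than the 3.13 shown in the question).

```shell
#!/bin/sh
# Added example (not from the original thread): read a /proc/<pid>/status
# snapshot and list confinement settings that stop sudo from switching UID.

# status_field FILE NAME -> first value of the "NAME:" line, empty if absent.
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# seccomp_mode FILE -> disabled | strict | filter | unknown
seccomp_mode() {
    case "$(status_field "$1" Seccomp)" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;   # a BPF syscall filter is installed
        *) echo unknown ;;  # field absent (kernels before 3.8)
    esac
}

# sudo_blockers FILE -> one line per finding; prints "none" if nothing found.
sudo_blockers() {
    found=0
    if [ "$(seccomp_mode "$1")" = filter ]; then
        echo "seccomp filter active: setuid-family syscalls may be refused"
        found=1
    fi
    if [ "$(status_field "$1" NoNewPrivs)" = 1 ]; then
        echo "no_new_privs set: setuid binaries such as sudo gain no privileges"
        found=1
    fi
    [ "$found" -eq 1 ] || echo "none"
}

# Constructed sample: excerpt shaped like a confined Apache child's status file.
demo() {
    sample=$(mktemp)
    printf 'Name:\tapache2\nSeccomp:\t2\n' > "$sample"
    sudo_blockers "$sample"
    rm -f "$sample"
}

# With a path argument, analyse that file; otherwise run the constructed demo.
if [ -n "${1:-}" ]; then sudo_blockers "$1"; else demo; fi
```

Running it once against the status file of an Apache worker and once against that of the interactive shell shows why the same sudo command behaves differently in the two contexts.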
