Ssh – Allow www-data to use another user – sudo or ssh

Tags: apache2, security, ssh, su, sudo

I would like to allow my PHP script (hosted with apache2) to execute commands with another user account.

I don't want another website hosted on the server to be able to connect to that other user account.

If I add a rule in /etc/sudoers, then it will allow any of the websites to use that user.

The solution I came up with was to use ssh, with a private key and a public key. The PHP script launches an ssh connection to the server it is hosted on, as the desired user account.

Is there another way than my solution with ssh?

Best regards

Best Answer

My gut feeling tells me that what you're doing is a terrible idea. But actually you haven't given enough background on why you'd want that and what the use case is, to really tell.

But your thought about sudo is wrong, whether this is a good idea or not.

A sudoers entry is defined as:

  USER HOST = [(RUNAS)] [NOPASSWD:] [!] CMD[,...]

Which means that the user USER is being allowed to run CMD as user RUNAS (if given). So you could construct your sudoers entry like this:

  www-data YOUR-HOSTNAME = (YOUR-USER) NOPASSWD: /path/to/command

This will allow the user www-data on the host specified (or ALL if you give that as YOUR-HOSTNAME) to execute the program /path/to/command as user YOUR-USER without a password.

You can also supply ALL as the command, allowing every command YOUR-USER has access to.

Example

With your given example values, a sudoers line would consist of the following (assuming mydeployer as the hostname and thedeployer as the username):

  www-data mydeployer = (thedeployer) NOPASSWD: ALL
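The following is an added example, not code from the question or the answer above. It builds the sudoers line the answer describes (USER HOST = (RUNAS) NOPASSWD: CMD) with the answer's values mydeployer and thedeployer, but restricts www-data to one fixed command instead of ALL, writes the line as a drop-in file with the mode sudo requires, and shows the syntax check to run before installing it. The command path /usr/local/bin/deploy-site and the drop-in file name www-data-deploy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Builds, writes and checks a
# sudoers drop-in that lets www-data run exactly one command as thedeployer.
# Hostname "mydeployer" and user "thedeployer" are the answer's example
# values; /usr/local/bin/deploy-site and the drop-in name are assumed.
set -eu

# Compose one sudoers entry: USER HOST = (RUNAS) NOPASSWD: CMD.
# Naming a single absolute command path (rather than ALL) is what keeps
# www-data from obtaining a general shell as the RUNAS user.
sudoers_entry() {
    printf '%s %s = (%s) NOPASSWD: %s\n' "$1" "$2" "$3" "$4"
}

# sudo silently skips files under /etc/sudoers.d whose name contains a '.'
# or ends in '~', so a badly named drop-in means "no rule" with no error.
valid_dropin_name() {
    case "$1" in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Write ENTRY to DIR/NAME with mode 0440 (sudo refuses world-readable or
# writable files). Prints the path written.
write_dropin() {
    dir=$1; name=$2; entry=$3
    valid_dropin_name "$name" || { echo "bad drop-in name: $name" >&2; return 1; }
    file="$dir/$name"
    ( umask 0337; printf '%s\n' "$entry" > "$file" )   # created read-only from the start
    chmod 0440 "$file"
    printf '%s\n' "$file"
}

# Parse-check a single file without touching /etc/sudoers. Run this as root
# on the staged file before copying it into /etc/sudoers.d.
check_dropin() {
    visudo -c -f "$1"
}

# Stand-alone demonstration: stage the file in a temporary directory, never
# directly in /etc/sudoers.d. Set RUN_VISUDO=1 (as root) to run the check.
tmp=$(mktemp -d)
entry=$(sudoers_entry www-data mydeployer thedeployer /usr/local/bin/deploy-site)
file=$(write_dropin "$tmp" www-data-deploy "$entry")
cat "$file"
if [ "${RUN_VISUDO:-0}" = 1 ] && command -v visudo >/dev/null 2>&1; then
    check_dropin "$file"
fi
rm -rf "$tmp"
```

From the PHP side the matching call is `sudo -n -u thedeployer /usr/local/bin/deploy-site`; the `-n` makes sudo fail immediately instead of hanging for a password if the rule is missing or mistyped. Once the staged file passes `visudo -c -f`, copy it into /etc/sudoers.d and confirm with `sudo -l -U www-data` that the only thing listed is that one command.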