chevalvenus
Posts: 2
Joined: Tue Jul 10, 2018 12:50 pm

Permission issue for www-data

Tue Jul 10, 2018 12:59 pm

Hi all,
Like many others, I'm building a remote garage door with my son.

I read a lot of tutorials on that.

Everything works fine, only one issue.

I use a sudo command from php, so I need to give permission to www-data.

I changed the sudoers file to

www-data ALL=(ALL) NOPASSWD: ALL

and it works like a charm.
But it's never a great option to provide too much permission for www-data.

So I tried a lot of different syntaxes to let www-data launch only my script as sudo, like this syntax:

www-data ALL= NOPASSWD: /var/www/html/openDoor.py

And it does not work.

I may be missing something but I don't know what. Again, there are a lot of tutorials on that, and I tried almost all the syntaxes I could find without success.

BTW, I'm not on the Internet, I'm on my own LAN so there isn't too much risk in keeping the NOPASSWD ALL, but I'd rather understand why I cannot give permission for a specific script only.

Any help will be much appreciated.

Thanks
Chev

DougieLawson
Posts: 35789
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Permission issue for www-data

Wed Jul 11, 2018 4:45 pm

Don't do that. It opens a massive security hole.

Look at why you think your (opendoor.py) python program needs sudo (hint: it probably doesn't). Look at pigpio/pigpiod as a way to allow non-privileged programs to do privileged stuff (by passing a message from the pigpio client program to the pigpiod server).
Note: Having anything humorous in your signature is completely banned on this forum. Wear a tin-foil hat and you'll get a ban.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

btidey
Posts: 1616
Joined: Sun Feb 17, 2013 6:51 pm

Re: Permission issue for www-data

Wed Jul 11, 2018 9:40 pm

I agree you want to look at the security implications more carefully, particularly for an item like a door opener.

The reason why your sudoer method wouldn't work is because the /var/www/html/openDoor.py is not an executable command by itself. It has to be run by python.

I suspect you are using sudo not because it is needed to run this program but because the program itself needs privileges like GPIO to do its work and www-data does not have those. You can avoid that by adding www-data to the gpio group, but you should still check the overall security implications.
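
An added example, not written by any poster in this thread: a shell function that checks whether a script named in a sudoers entry can be run as a command by itself (execute bit and interpreter line), and whether the file or its directory carries group or other write bits, which matters for anything sudo runs as root. The function name `check_sudo_target` and its finding labels are made up for this example.

```shell
#!/bin/sh
# check_sudo_target FILE
# Hypothetical helper (not part of sudo). Prints one finding per line and
# returns non-zero if anything was reported.
# Usage: check_sudo_target /var/www/html/openDoor.py
check_sudo_target() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 2
    fi
    # A sudoers command entry names a program. A script only works as one
    # when it has the execute bit set and starts with an interpreter line.
    if [ ! -x "$f" ]; then
        echo "not-executable"
        rc=1
    fi
    first=$(head -c 2 "$f")
    if [ "$first" != "#!" ]; then
        echo "no-shebang"
        rc=1
    fi
    # If an account other than the owner can rewrite the file, or replace it
    # through its directory, a NOPASSWD rule for it hands that account root.
    # Columns 6 and 9 of the ls mode string are the group and other write bits.
    for p in "$f" "$(dirname "$f")"; do
        gw=$(ls -ld "$p" | cut -c6)
        ow=$(ls -ld "$p" | cut -c9)
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "writable-by-non-owner: $p"
            rc=1
        fi
    done
    return $rc
}
```

The write-bit check does not look at ownership; a file owned by www-data itself also needs to be treated as writable by the web server.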
