I'm a web developer, freelancer, author, speaker, entrepreneur, technical reviewer and blogger based in the North East, living in a village just outside of Chester-le-Street.


Sudo Shell Commands via PHP - for "One Click" sysadmin tasks

Regular readers of this blog may remember that I've previously set up a number of scripts to automate processes such as provisioning a new hosting account and deploying a site from code within version control. The drawback to these approaches is that they require root access and SSH access. We've got some projects in the pipeline where we need to do such tasks from a web browser, either by submitting a form or clicking a button. I've recently found a way to do this from the browser.

Visudo Cleanup

We are going to need to use visudo to edit our sudoers file. One of our servers had vim set as the default editor, the other had nano. The first stage is to set visudo to use an editor you are comfortable with; for me, this was nano.

We need to set our default editor to nano in our bash settings file.

 
nano ~/.bashrc

At the end of the file, add the following line:

 
export EDITOR="nano"

Then we need to refresh the active settings with the ones in the file.

 
source ~/.bashrc

We can now edit the sudoers file using nano by running:

 
sudo -E visudo

At the top of this file we should add the following line. This forces visudo to use nano without needing the -E parameter, which makes sudo use our environment variables.

 
Defaults editor=/usr/bin/nano

Command Alias

We want the web server to execute only certain commands, such as a shell script to create a hosting account. The way sudo works is that if you run a command with elevated privileges, any commands or scripts called by the first command also get elevated privileges. So while our hosting script also needs privileges for /etc/init.d/apache2, to restart and reload it, we only need to give permissions to the script, which in turn calls this command.

 

We can create a command alias in our sudoers file, which essentially groups together a number of commands or scripts we wish the user to run as sudo.

sudo visudo

In the appropriate section, add the following line:

 

Cmnd_Alias AUTOWEB = /var/autoweb/hosting, /var/autoweb/svndeploy

User permissions

At the bottom of the sudoers file, we want to add a new line giving www-data (the web server user) sudo access to the autoweb commands. We also don't want the user to be prompted to enter a password, as it will be called by clicking a web page, not by a user sitting at a command prompt, ready to enter a password.

www-data    ALL=(ALL) NOPASSWD: AUTOWEB

Automated scripts

We need to create the autoweb folder in the /var folder, and within there create any scripts we wish the web server to run, such as the following examples:

Call from the web

We then need a PHP script to call the shell script. Obviously, we would want to secure the file, but you get the gist.
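
The AUTOWEB entry above names only the script paths, so sudo will run them as root with whatever arguments the web server supplies, and every command they call inherits root too. The following is an added example, not the author's script, of the input checks a script like /var/autoweb/hosting could run first; the ACCOUNT DOMAIN argument layout, the length limits and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not the author's script: argument checks for a root-run script
# such as /var/autoweb/hosting. The ACCOUNT DOMAIN argument layout is assumed.

# Byte-wise matching so [a-z] cannot match uppercase or accented characters.
LC_ALL=C
# Known PATH so commands called later resolve to system binaries.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export LC_ALL PATH

# Account: starts with a lowercase letter, then a-z, 0-9 or '-', 3 to 16 chars.
valid_account() {
    case "$1" in
        ''|*[!a-z0-9-]*|[!a-z]*) return 1 ;;
    esac
    [ "${#1}" -ge 3 ] && [ "${#1}" -le 16 ]
}

# Domain: dot-separated lowercase labels; no empty labels, no label starting
# or ending with '-', at least one dot, at most 253 chars.
valid_domain() {
    case "$1" in
        ''|*[!a-z0-9.-]*|.*|*.|-*|*-|*..*|*.-*|*-.*) return 1 ;;
        *.*) ;;
        *) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Returns 0 only when exactly two well-formed arguments were supplied.
check_request() {
    [ "$#" -eq 2 ] || { echo "usage: hosting ACCOUNT DOMAIN" >&2; return 2; }
    valid_account "$1" || { echo "rejected account name" >&2; return 1; }
    valid_domain "$2" || { echo "rejected domain" >&2; return 1; }
}

# First line of real work in the script would be:
#   check_request "$@" || exit $?
```

Keep /var/autoweb and the scripts in it owned by root and not writable by www-data, otherwise the web server user can rewrite what runs as root.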

Comments, suggestions, questions?

Please let me know your comments, suggestions and any questions. I'm happy to help and also interested to hear your take on the process, alternative methods, and ways I could improve.


Posted by Michael on 20th May 2010 at 11:11
