From PHP/Apache, exec() or system() program as root: "sudo: unable to open audit system: Permission denied"

Timothy Miller · Sep 6, 2011 · Viewed 11.9k times

I have been spending half a day trying to figure this out, and I've done a lot of research. I'm also familiar with many of the existing discussions on this topic, such as this one: How to run PHP exec() as root?

Unfortunately, none of the suggestions I've found seem to work for me.

First of all, I am writing something to a spec, so I can't really avoid doing this. Also, all machines will exist on a private network that is not connected to the internet. While it's important to have SOME security, it's mostly necessary to prevent mistakes. My objective is to configure some "thin servers". Via a PHP script, I need to be able to change the network config (static or DHCP) and restart networking.

The first thing I tried was to write a C program that is SUID root. It reads, modifies, and writes a network config file. If I run it as a regular user, it works just fine and can access and modify a file owned by root. But if I run it from a PHP script, I get access errors. It appears that Apache prevents SUID root somehow.

Based on suggestions from other discussions, I tried the "sudo" method. Temporarily, I added this to /etc/sudoers:
apache ALL=(ALL) NOPASSWD: ALL

The error I get is this:
sudo: unable to open audit system: Permission denied

According to this page in Russian, this is happening because systems like RHEL (I'm using Fedora) default to requiretty for sudoers. So I added this line to /etc/sudoers:
Defaults !requiretty

I still get the same error:
sudo: unable to open audit system: Permission denied

I'm completely stymied here. That is, unless I want to run Apache itself as root, something that would be more inconvenient than anything else.

Can anyone make any suggestions here? I realize what I'm trying to do is weird. And I bet some of you will point me to some existing system for remotely configuring Fedora machines (and now that I think of it, I'm going to go look into that right now).

BTW, I am running SELinux, because that is how Fedora 15 is configured by default.

Thanks.

EDIT:
I found this tutorial:
http://www.cyberciti.biz/faq/howto-disable-httpd-selinux-security-protection/

Unfortunately, when I run "setsebool httpd_disable_trans 1", I get the error:
Could not change active booleans: Invalid boolean

I also tried directly editing "/etc/selinux/targeted/booleans", which didn't exist, and restarting apache, but that didn't work either.

Answer

n.a · Oct 30, 2012

Did you try setenforce 0 (disable SELinux temporarily), audit2allow, or fully disable SELinux? See: PHP webpage doesn't launch unix command even after updated sudoers
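
As an added example (not part of the original question or answer): before turning SELinux off, the AVC records in the audit log show exactly which permission the web server domain was refused, which is the input audit2allow works from. The sketch below summarises denials for httpd_t and renders them as candidate allow rules for review. The log lines are constructed, "netcfg-helper" is a hypothetical helper name, and treating the sudo error as a netlink_audit_socket denial is an assumption about what such a host would log.

```python
import re
from collections import defaultdict

# Constructed audit.log lines (not from the page); "netcfg-helper" is a hypothetical name.
SAMPLE_LOG = """\
type=AVC msg=audit(1315300000.101:501): avc:  denied  { create } for  pid=2101 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1315300000.245:502): avc:  denied  { write } for  pid=2102 comm="netcfg-helper" name="ifcfg-eth0" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1315300001.007:503): avc:  denied  { create } for  pid=2107 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1315300001.007:503): arch=c000003e syscall=41 success=no exit=-13 comm="sudo"
type=AVC msg=audit(1315300002.300:504): avc:  denied  { read } for  pid=900 comm="smbd" name="x" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    # An SELinux context is user:role:type:level; the type is the third field.
    return ctx.split(":")[2]

def summarize_denials(log_text, source_domain="httpd_t"):
    """Group AVC denials from one source domain by (target type, object class)."""
    denials = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if not m or context_type(m["scontext"]) != source_domain:
            continue
        entry = denials[(context_type(m["tcontext"]), m["tclass"])]
        entry["perms"].update(m["perms"].split())
        entry["comms"].add(m["comm"])
    return dict(denials)

def as_allow_rules(denials, source_domain="httpd_t"):
    """Render the summary as candidate rules to review, not to load blindly."""
    rules = []
    for (ttype, tclass), info in sorted(denials.items()):
        target = "self" if ttype == source_domain else ttype
        perms = sorted(info["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        comms = ", ".join(sorted(info["comms"]))
        rules.append(f"allow {source_domain} {target}:{tclass} {perm_text};  # seen from: {comms}")
    return rules

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize_denials(SAMPLE_LOG))))
```

Each rule names the one permission that was refused, so a local policy module can grant only that instead of switching enforcement off for the whole system.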