From PHP/Apache, exec() or system() program as root: "sudo: unable to open audit system: Permission denied"


Solution 1

Did you try setenforce 0 (disable SELinux temporarily), audit2allow, or fully disable SELinux? See: PHP webpage doesn't launch unix command even after updated sudoers
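To see what SELinux is actually denying before turning it off with setenforce 0, the AVC records for Apache's httpd_t domain can be summarized first. This is an added example, not part of the original answer; the log lines are constructed, the helper name `netcfg` is hypothetical, and /var/log/audit/audit.log is assumed to be the auditd log location.

```shell
#!/bin/sh
# Summarize SELinux AVC denials whose source domain is httpd_t
# (processes started by Apache, including anything PHP exec()s).

# Constructed sample records in the usual audit.log AVC layout.
sample_audit_lines() {
cat <<'EOF'
type=AVC msg=audit(1300000000.101:501): avc:  denied  { create } for  pid=2101 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1300000000.202:502): avc:  denied  { create } for  pid=2107 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1300000001.303:503): avc:  denied  { write } for  pid=2110 comm="netcfg" name="ifcfg-eth0" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1300000002.404:504): avc:  denied  { read } for  pid=3000 comm="cupsd" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# Reads AVC records from the files given as arguments, or stdin if none.
# Prints "<count> <command> <object class> <permissions>", most frequent first.
summarize_httpd_denials() {
    awk '
    /avc:[ ]+denied/ && /scontext=[^ ]*:httpd_t:/ {
        comm = ""; tclass = ""
        # Denied permissions sit between the braces.
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)   { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^tclass=/) { tclass = $i; sub(/^tclass=/, "", tclass) }
        }
        count[comm " " tclass " " perms]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Demo on the constructed records; records from other domains are ignored.
sample_audit_lines | summarize_httpd_denials
```

On a real host, pass the log as an argument instead: `summarize_httpd_denials /var/log/audit/audit.log`.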

Solution 2

This worked for me after searching for hours. Good Luck! :)

semanage fcontext -a -t httpd_sys_script_exec_t '/whatever/scripts(/.*)?'

restorecon -R -v /whatever/scripts/

https://stackoverflow.com/a/15424003/11249696

Author by

Timothy Miller


Updated on June 30, 2022

Comments

  • Timothy Miller almost 2 years

    I have been spending half a day trying to figure this out, and I've done a lot of research. I'm also familiar with many of the existing discussions on this topic, such as this one: How to run PHP exec() as root?

    Unfortunately, none of the suggestions I've found seem to work for me.

    First of all, I am writing something to a spec, so I can't really avoid doing this. Also, all machines will exist on a private network that is not connected to the internet. While it's important to have SOME security, it's mostly necessary to prevent mistakes. My objective is to configure some "thin servers". Via a PHP script, I need to be able to change the network config (static or DHCP) and restart networking.

    The first thing I tried was to write a C program that is SUID root. It reads, modifies, and writes a network config file. If I run it as a regular user, it works just fine and can access and modify a file owned by root. But if I run it from a PHP script, I get access errors. It appears that Apache prevents SUID root somehow.

    Based on suggestions from other discussions, I tried the "sudo" method. Temporarily, I added this to /etc/sudoers: apache ALL=(ALL) NOPASSWD: ALL

    The error I get is this: sudo: unable to open audit system: Permission denied

    According to this page in Russian, this is happening because systems like RHEL (I'm using Fedora) default to requiretty for sudoers. So I added this line to /etc/sudoers: Defaults !requiretty

    I still get the same error. sudo: unable to open audit system: Permission denied

    I'm completely stymied here. That is, unless I want to run Apache itself as root, something that would be more inconvenient than anything else.

    Can anyone make any suggestions here? I realize what I'm trying to do is weird. And I bet some of you will point me to some existing system for remotely configuring Fedora machines (and now that I think of it, I'm going to go look into that right now).

    BTW, I am running SELinux, because that is how Fedora 15 is configured by default.

    Thanks.

    EDIT:
    I found this tutorial:
    http://www.cyberciti.biz/faq/howto-disable-httpd-selinux-security-protection/

    Unfortunately, when I run "setsebool httpd_disable_trans 1", I get the error:
    Could not change active booleans: Invalid boolean

    I also tried directly editing "/etc/selinux/targeted/booleans", which didn't exist, and restarting apache, but that didn't work either.