2
I have a directory containing some scripts which I need to invoke from a web request. The scripts need elevated permissions to run.
My current thinking is to add the following lines to /etc/sudoers
:
Cmnd_Alias WEB_COMMANDS = /path/to/scripts
www-data ALL=(ALL) NOPASSWD: WEB_COMMANDS
Is this the correct approach to this problem? Or am I causing a potential security vulnerability?
Using CentOS 7, if that makes any difference.
Thanks for your advice. The library these scripts need to talk to is adamant that elevated permissions are required. I will check the capabilities info though in case that does turn out to work. If not, would it be sufficient to set the scripts' owner to root and permissions to 755 to prevent anyone from modifying them? – Sam Hastings – 2018-03-09T15:14:10.080
Tried upvoting your answer but can't do so with less than 15 reputation :-) – Sam Hastings – 2018-03-09T15:21:41.433
@SamHastings I'd say 755 is too open. Consider everything those scripts do. Could it be problematic if it were run when they weren't supposed to? I'd say unless you know you need more open access, 0700. I typically will do 0775 or 0770, but when I'm dealing with passwordless sudo I tend to be extra paranoid. – Duncan X Simpson – 2018-03-09T15:45:31.207