
I am building a server under Debian Bookworm that is to be used basically to read and save old tapes. The concept is to have the box full of units and be seldom used and, when this occurs, use a web interface in order to avoid having a keyboard and screen.

Apache and PHP have been installed and working fine. However I have problems with the PHP exec command when trying to execute systemctl reboot and systemctl poweroff, regardless of having added the following line into my sudoers file:

www-data ALL=NOPASSWD:/sbin/poweroff,/sbin/reboot

The result of exec is always a "Permission Denied" notification. Am I doing something wrong, or am I missing something? If so, how could I resolve the issue?

Thank you very much in advance


1 Answer


There are three different concepts mixed here.

First of all, you added the wrong commands: systemctl reboot is not /sbin/reboot! Despite the similarity, it is a separate /bin/systemctl program that only happens to take the word 'reboot' as a command line parameter.

Second, /etc/sudoers only affects sudo. It does not automatically grant you privileges in any other way – all it does is permit you to sudo systemctl this or that to run the command under someone else's account (and with their privileges).

When the command is run without sudo, it still has the same original privileges as before, regardless of what you have in /etc/sudoers.

The password prompt you might see when running systemctl without sudo is shown by polkit (previously known as PolicyKit). It is a separate system from sudo, and it works in terms of "actions" rather than commands. Unlike sudo, the permissions for a polkit action are directly checked by whatever is performing the action (you don't become root when entering the password; rather, polkit has "allowed", "allowed with password", and "allowed with admin password" as three different access levels).

So you need to decide between the two options:

  • If you want to use sudo and /etc/sudoers, then your webpage needs to run the command with sudo prefixed.

  • If you want the command to work without sudo, then you need to write polkit rules instead of sudoers rules.


For polkit, you first need to determine the polkit action name associated with 'systemctl reboot' – it will show up in your logs (journalctl -f) whenever you run the command, and it'll look like org.freedesktop.systemd.whatever.

Afterwards, if you have polkit v106 or later, rules are defined in JavaScript like in these examples and as documented in man 8 polkit. For example:

/etc/polkit-1/rules.d/allow-website-to-reboot.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.systemd.foobar") {
        if (subject.user == "www-data") {
            return polkit.Result.YES;
        }
        // if (subject.isInGroup("wheel"))
        // if (subject.system_unit == "apache2.service")
    }
});
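
A narrower form of the rule above, as an added example that is not part of the original answer: it grants only an explicit list of actions to the web server account and leaves every other request to the default policy. The two action ids are an assumption (logind's reboot and power-off actions) and should be confirmed against the journal as the answer describes; the `pk` stub and the names `ALLOWED_ACTIONS`, `WEB_USER` and `websitePowerRule` are introduced here for illustration.

```javascript
// /etc/polkit-1/rules.d/allow-website-to-reboot.rules (file name from the answer)
// Added example, not the answer's own code.

// Under polkitd the global `polkit` object exists. The stub below is a
// stand-in so the same file can be exercised offline with Node.
var pk = (typeof polkit !== "undefined") ? polkit : {
    Result: { YES: "yes", NOT_HANDLED: null },  // constructed stand-in values
    addRule: function (fn) {},
    log: function (msg) {}
};

// Assumption: the action ids requested by `systemctl reboot` and
// `systemctl poweroff`. Confirm them with `journalctl -f`, and add the
// "-multiple-sessions" variants only if the journal shows them being requested.
var ALLOWED_ACTIONS = [
    "org.freedesktop.login1.reboot",
    "org.freedesktop.login1.power-off"
];

// Account the web server runs as (www-data, as in the question).
var WEB_USER = "www-data";

function websitePowerRule(action, subject) {
    // Anything outside the allowlist is left to other rules and the defaults.
    if (ALLOWED_ACTIONS.indexOf(action.id) === -1) {
        return pk.Result.NOT_HANDLED;
    }
    // Only the web server account gets the grant; other users keep the
    // normal authentication requirement.
    if (subject.user !== WEB_USER) {
        return pk.Result.NOT_HANDLED;
    }
    pk.log("allowing " + action.id + " for " + subject.user);
    return pk.Result.YES;
}

pk.addRule(websitePowerRule);
```

All files in rules.d share one JavaScript context, so top-level names such as `ALLOWED_ACTIONS` should not clash with names used in other rule files.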
