Get lighttpd to execute sudo in a perl script

Hi there,

I am trying to get lighttpd to serve a perl script which uses a command requiring root privs.
The script contains this line:

print `sudo systemcl start hyperion` or die "went wrong";

When I run it as “osmc” within the shell with “perl test.pl”, it works fine. When I call the script in the browser, it generates an internal server error (500). When I do something normal like

print "foo"

in the script, everything works fine.
I made the script executable and added this to /etc/sudoers:

User_Alias LIGHTTPD = www-data
Cmnd_Alias HYPERION = /sbin/systemctl,/var/www/html/test.pl
LIGHTTPD ALL = (ALL) NOPASSWD: HYPERION

…but it still won’t work. /var/log/lighttpd/error.log contains no information about the issue.

Any ideas how to solve this?

I’ve moved this to Help and Support.

If that’s a copy/paste, then it should be systemctl, not systemcl.

Is there a specific reason that you didn’t simply add www-data to group sudo, which would be the normal method?

Hi and thanks for your reply!

> If that’s a copy/paste, then it should be systemctl, not systemcl.

No it’s not, it was a typo :smiley:

Yes indeed, the reason is that I am a Linux-noobie :wink: and adding the mentioned code to /etc/sudoers was the only useful information I’ve found by googling “perl exec sudo cgi”.

Adding www-data to group sudo would mean that the webserver could sudo ANY command - right?
Wouldn’t this be pretty insecure? As far as I understood, the mentioned code allows www-data only to sudo the perl script and /sbin/systemctl

But thanks for your tip, I will try adding www-data to sudo group to ensure that the problem is indeed based on the privilege level and nothing is messed up in the lighttpd config.

That’s true, and a reasonable approach to take, though if the web server isn’t exposed to the outside world, you can probably take a few liberties…

Another observation. systemctl is at /bin/systemctl, not /sbin/systemctl. That’ll certainly cause it to fail.
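
The least-privilege rule discussed in this thread, written out as an added example that is not from any of the posters. It assumes the unit is named hyperion and that systemctl is at /bin/systemctl, as stated above; the file name /etc/sudoers.d/hyperion and the alias name HYPERION_START are hypothetical.

```sudoers
# /etc/sudoers.d/hyperion   (hypothetical file name)
# Edit with:  visudo -f /etc/sudoers.d/hyperion
# Check with: visudo -cf /etc/sudoers.d/hyperion

# --- As posted in the thread (shown commented out) -------------------------
# Listing a command without arguments lets www-data run it with ANY
# arguments, so this grants every systemctl verb on every unit. It also
# lets the script under the web root run as any user, and the path
# /sbin/systemctl does not match the real binary, so the rule never applies.
#
#   User_Alias LIGHTTPD = www-data
#   Cmnd_Alias HYPERION = /sbin/systemctl,/var/www/html/test.pl
#   LIGHTTPD ALL = (ALL) NOPASSWD: HYPERION

# --- Tightened rule --------------------------------------------------------
# When arguments are written in sudoers, sudo only accepts the command with
# exactly those arguments. www-data can start this one unit and nothing else.
# The CGI script itself is not listed: it keeps running as www-data and only
# the single systemctl call is elevated.
Cmnd_Alias HYPERION_START = /bin/systemctl start hyperion

# Run as root only, not (ALL), and without a password prompt, because a CGI
# process has no terminal to answer one.
www-data ALL = (root) NOPASSWD: HYPERION_START

# Verify what the web server user is now allowed to run:
#   sudo -l -U www-data
```

The script then has to call the command exactly as listed, with the absolute path: `sudo /bin/systemctl start hyperion`. Any other argument string is refused by sudo.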