Closed basti122303 closed 1 year ago
I like the idea but well, I'm not sure.. Systemd is not a 123s requirement (some people NAS or whatever..) Also, people will have additional commands to do so
You are right, let's check if systemd is present and the unit is active. But not now at the weekend. :-D
Please add a note that when the systemd unit is used, a sudoers file is needed.
Hi, I am doing some testing: the 123solar service respawns but doesn't write the 123solar.pid file. The path is correct, I don't know what's wrong.. So, I can have several 123solar.php instances (like via the interface and from the respawn). Can you help?
Perhaps a permission problem?
Have you seen https://github.com/jeanmarc77/123solar/pull/52/commits/2fdbfb0b8fec153523f1f5505fd6c87e655ac57e#diff-8e20415679370934cee69bc0ed071827d4e83241362259f9ddbc715e2f6f93fd ? You also need to edit your sudoers file to check if the service is enabled.
Hi, I have this
# This file should be placed in /etc/sudoers.d/ as www-data or something else
# Username (http, www-data,..) should be edited for your needs
http ALL=(root) NOPASSWD: /usr/bin/systemctl restart 123solar.service
http ALL=(root) NOPASSWD: /usr/bin/systemctl stop 123solar.service
http ALL=(root) NOPASSWD: /usr/bin/systemctl start 123solar.service
http ALL=(root) NOPASSWD: /usr/bin/systemctl is-enabled 123solar.service
but this doesn't work
<?php
exec("sudo systemctl is-enabled 123solar.service",$output);
if (is_dir('/run/systemd/system') && ($output[0] == "enabled")) {
echo 'yeah enabled';
} else {
echo 'nope';
}
?>
Any idea? How to check if sudoers is enabled? Thanks for helping
root@c2:~# sudo -u www-data -s /bin/bash
www-data@c2:/root$ systemctl status 123solar.service
● 123solar.service - 123Solar
Loaded: loaded (/etc/systemd/system/123solar.service; enabled; preset: enabled)
Active: active (running) since Fri 2023-07-07 14:09:08 CEST; 3 days ago
Process: 32543 ExecStartPost=/bin/sh -c systemctl show -p MainPID --value 123solar.service > /home/www/solar/scripts/123solar.pid (code=exited, status=0/SUCCESS)
Main PID: 32542 (php)
Tasks: 1 (limit: 2110)
Memory: 5.5M
CPU: 58min 41.056s
CGroup: /system.slice/123solar.service
└─32542 /usr/bin/php 123solar.php
www-data@c2:/root$
www-data@c2:/root$ sudo systemctl stop 123solar.service
www-data@c2:/root$
www-data@c2:/root$ systemctl status 123solar.service
○ 123solar.service - 123Solar
Loaded: loaded (/etc/systemd/system/123solar.service; enabled; preset: enabled)
Active: inactive (dead) since Tue 2023-07-11 13:10:12 CEST; 12s ago
Duration: 3d 23h 1min 4.614s
Process: 32542 ExecStart=/usr/bin/php 123solar.php (code=killed, signal=TERM)
Process: 32543 ExecStartPost=/bin/sh -c systemctl show -p MainPID --value 123solar.service > /home/www/solar/scripts/123solar.pid (code=exited, status=0/SUCCESS)
Process: 13057 ExecStopPost=/usr/bin/rm -f /home/www/solar/scripts/123solar.pid (code=exited, status=0/SUCCESS)
Main PID: 32542 (code=killed, signal=TERM)
CPU: 58min 41.235s
www-data@c2:/root$
www-data@c2:/root$ sudo systemctl start 123solar.service
www-data@c2:/root$
www-data@c2:/root$ systemctl status 123solar.service
● 123solar.service - 123Solar
Loaded: loaded (/etc/systemd/system/123solar.service; enabled; preset: enabled)
Active: active (running) since Tue 2023-07-11 13:10:35 CEST; 2s ago
Process: 13067 ExecStartPost=/bin/sh -c systemctl show -p MainPID --value 123solar.service > /home/www/solar/scripts/123solar.pid (code=exited, status=0/SUCCESS)
Main PID: 13066 (php)
Tasks: 1 (limit: 2110)
Memory: 5.2M
CPU: 453ms
CGroup: /system.slice/123solar.service
└─13066 /usr/bin/php 123solar.php
www-data@c2:/root$
www-data@c2:/etc/sudoers.d$ ls -la
total 16
drwxr-xr-x 2 root root 4096 Jul 6 22:35 .
drwxr-xr-x 88 root root 4096 Jul 8 05:46 ..
-r--r----- 1 root root 1096 Mar 8 21:17 README
-rw-r--r-- 1 root root 294 Jul 6 16:37 www-data
www-data@c2:/etc/sudoers.d$
www-data@c2:/etc/sudoers.d$ cat www-data
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl restart 123solar.service
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl stop 123solar.service
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl start 123solar.service
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl is-enabled 123solar.service
www-data@c2:/etc/sudoers.d$
I can't sudo systemctl status 123solar.service as http user as it asks for a password
[jeanmarc@zbox scripts]$ sudo ls -la /etc/sudoers.d/
[sudo] Mot de passe de jeanmarc :
total 24
drwxr-x--- 2 root root 4096 11 jui 12:35 .
drwxr-xr-x 112 root root 12288 11 jui 13:02 ..
-r--r----- 1 root root 21 8 jun 2022 10-installer
-rw-r--r-- 1 root root 278 11 jui 12:35 http
[jeanmarc@zbox scripts]$ sudo cat /etc/sudoers.d/http
http ALL=(root) NOPASSWD: /usr/bin/systemctl restart 123solar.service
http ALL=(root) NOPASSWD: /usr/bin/systemctl stop 123solar.service
http ALL=(root) NOPASSWD: /usr/bin/systemctl start 123solar.service
http ALL=(root) NOPASSWD: /usr/bin/systemctl is-enabled 123solar.service
[jeanmarc@zbox scripts]$ sudo -u http -s /bin/bash
[http@zbox scripts]$ systemctl status 123solar.service
● 123solar.service - 123Solar
Loaded: loaded (/etc/systemd/system/123solar.service; enabled; preset: dis>
Active: active (running) since Tue 2023-07-11 13:45:29 CEST; 13min ago
Process: 1525773 ExecStartPost=/bin/sh -c systemctl show -p MainPID --value>
Main PID: 1525768 (php)
Tasks: 2 (limit: 9298)
Memory: 7.0M
CPU: 13.258s
CGroup: /system.slice/123solar.service
├─1525768 /usr/bin/php 123solar.php
└─1591949 aurora -a 2 -c -T -Y3 -l4 -d0 -e /dev/solar
[http@zbox scripts]$ sudo systemctl status 123solar.service
Nous espérons que vous avez reçu de votre administrateur système local les consignes traditionnelles. Généralement, elles se concentrent sur ces trois éléments :
#1) Respectez la vie privée des autres.
#2) Réfléchissez avant d'utiliser le clavier.
#3) De grands pouvoirs confèrent de grandes responsabilités.
Pour des raisons de sécurité, le mot de passe que vous tapez ne sera pas visible.
[sudo] Mot de passe de http :
Désolé, essayez de nouveau.
[sudo] Mot de passe de http :
sudo: 1 saisie de mot de passe incorrecte
[http@zbox scripts]$
That said, I can request systemctl is-enabled as http without a password but it doesn't work from my test script from the browser.. I am lost
[jeanmarc@zbox scripts]$ sudo -u http -s /bin/bash
[sudo] Mot de passe de jeanmarc :
[http@zbox scripts]$ sudo systemctl is-enabled 123solar.service
enabled
I guess the file is not included.
What does sudo -l say?
www-data@c2:/etc/sudoers.d$ sudo -l
Matching Defaults entries for www-data on c2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User www-data may run the following commands on c2:
(root) NOPASSWD: /usr/bin/systemctl restart 123solar.service
(root) NOPASSWD: /usr/bin/systemctl stop 123solar.service
(root) NOPASSWD: /usr/bin/systemctl start 123solar.service
(root) NOPASSWD: /usr/bin/systemctl is-enabled 123solar.service
www-data@c2:/etc/sudoers.d$
Is /etc/sudoers.d included?
My last line in /etc/sudoers looks like:
# See sudoers(5) for more information on "@include" directives:
@includedir /etc/sudoers.d
Insert the lines in /etc/sudoers for testing if it still does not work.
root@c2:~# whereis systemctl
systemctl: /usr/bin/systemctl /usr/share/man/man1/systemctl.1.gz
root@c2:~#
[http@zbox scripts]$ whereis systemctl
systemctl: /usr/bin/systemctl /usr/share/man/man1/systemctl.1.gz
[http@zbox scripts]$ sudo -l
L'utilisateur http peut utiliser les commandes suivantes sur zbox :
(root) NOPASSWD: /usr/bin/systemctl restart 123solar.service
(root) NOPASSWD: /usr/bin/systemctl stop 123solar.service
(root) NOPASSWD: /usr/bin/systemctl start 123solar.service
(root) NOPASSWD: /usr/bin/systemctl is-enabled 123solar.service
[jeanmarc@zbox scripts]$ sudo more /etc/sudoers | grep @includedir
[sudo] Mot de passe de jeanmarc :
@includedir /etc/sudoers.d
Can you get 'enable' from the browser using the test.php file ?
Can you please set LANG=C.UTF-8 to get English messages.
OK, let's see: that sudo means you can run systemctl is-enabled 123solar.service but you will be asked for a password?
Perhaps you get messages in French?
I don't know, all my systems run C.UTF-8 as LANG
Have you run the following as root?
systemctl enable 123solar.service
to enable your service unit? It seems that your unit is not enabled.
Which test.php? It doesn't matter, PHP only uses the command line. So it must fit there
Weird, it works from CLI as http user and 123solar.service is enabled
[jeanmarc@zbox scripts]$ LANG=C.UTF-8
[jeanmarc@zbox scripts]$ sudo -u http -s /bin/bash
[http@zbox scripts]$ sudo systemctl is-enabled 123solar.service
enabled
[http@zbox scripts]$ systemctl is-enabled 123solar.service
enabled
Now, if I make this test.php, I get 'nope' from the browser
<?php
exec("sudo systemctl is-enabled 123solar.service",$output);
if ($output[0] == "enabled") {
echo 'yeah enabled';
} else {
echo 'nope';
}
?>
www-data@c2:/tmp$ sudo systemctl is-enabled 123solar.service
enabled
www-data@c2:/tmp$ cat test.php
<?php
exec("sudo systemctl is-enabled 123solar.service",$output);
if ($output[0] == "enabled") {
echo 'yeah enabled';
} else {
echo 'nope';
}
?>
www-data@c2:/tmp$ php test.php
yeah enabled
www-data@c2:/tmp$ php -v
PHP 8.2.7 (cli) (built: Jun 9 2023 19:37:27) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.2.7, Copyright (c) Zend Technologies
with Zend OPcache v8.2.7, Copyright (c), by Zend Technologies
www-data@c2:/tmp$ cat /etc/issue
Debian GNU/Linux 12 \n \l
modified version:
www-data@c2:/tmp$ php test.php
array(1) {
[0]=>
string(7) "enabled"
}
www-data@c2:/tmp$ cat test.php
<?php
exec("sudo systemctl is-enabled 123solar.service",$output);
var_dump($output);
exit();
?>
www-data@c2:/tmp$
Yeah, but put test.php in your webserver's directory and request test.php from a browser..
www-data@c2:/home/www/solar$ cat test.php
<?php
exec("sudo systemctl is-enabled 123solar.service",$output);
var_dump($output);
exit();
if ($output[0] == "enabled") {
echo 'yeah enabled';
} else {
echo 'nope';
}
?>
www-data@c2:/home/www/solar$
Can you see some errors in php error.log or journalctl? What about enabling error logging to the browser?
Damn.. I got array(0) { }
jui 11 16:05:21 zbox sudo[2188888]: http : command not allowed ; PWD=/srv/http/123solar/scripts ; USER=root ; COMMAND=systemctl is-enabled 123solar.service
jui 11 16:05:19 zbox sudo[2188888]: pam_unix(sudo:auth): auth could not identify password for [http]
jui 11 16:05:19 zbox sudo[2188888]: pam_unix(sudo:auth): conversation failed
jui 11 16:05:19 zbox sudo[2188888]: pam_systemd_home(sudo:auth): Not a user managed by systemd-homed: No home for user http known
jui 11 16:04:21 zbox sudo[2183209]: pam_unix(sudo:session): session closed for user root
jui 11 16:04:07 zbox sudo[2183209]: pam_unix(sudo:session): session opened for user root(uid=0) by jeanmarc(uid=1000)
www-data@c2:/home/www/solar$ echo $HOME
/var/www
www-data@c2:/home/www/solar$ grep www-data /etc/passwd
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
www-data@c2:/home/www/solar$
Which OS do you use?
[jeanmarc@zbox scripts]$ sudo -u http -s /bin/bash
[sudo] password for jeanmarc:
[http@zbox scripts]$ echo $HOME
/srv/http
[http@zbox scripts]$ grep http /etc/passwd
http:x:33:33::/srv/http:/usr/bin/nologin
[http@zbox scripts]$ uname -a
Linux zbox 6.4.2-3-MANJARO #1 SMP PREEMPT_DYNAMIC Fri Jul 7 19:19:45 UTC 2023 x86_64 GNU/Linux
SELinux or AppArmor? I have no idea anymore
@jeanmarc77 delete system and exec in disable_functions in your php.ini of the webserver (means allow it). exec means PHP can execute shell commands and system means execute + output
Thanks for the tips but disable_functions is empty in my php.ini.. still wondering what's wrong here
Does the webserver (error) log mention something? Or alternatively set temporarily display_errors 1 in your php.ini? Pretty sure it's something webserver/PHP-related
@falkiy I got this from systemctl status php-fpm
jui 11 17:47:27 zbox sudo[2671384]: http : command not allowed ; PWD=/srv/http/123solar/scripts ; USER=root ; COMMAND=systemctl is-enabled 123solar.service
Nothing much in the nginx error log
For testing, in the sudoers
http ALL=(ALL) NOPASSWD: ALL
Any change? Sounds like some weird sudo problem/stuff
Btw: would you mind testing with some fresh Debian container or something? We've no idea how your machine is configured exactly and Manjaro is absolutely not invented for server purposes
Other idea @basti122303: let PHP only touch the pid and trigger a systemd path unit / incrond to stop / start the service. Wouldn't be less weird, but would prevent the sudo stuff
I have done some changes. See https://github.com/jeanmarc77/123solar/pull/52
systemctl is-enabled can run without sudo. I have tested it.
The next strange thing is that the sudo file does not work as expected.
You need to add http ALL=(ALL) NOPASSWD: ALL to the sudoers file, else you get http : command not allowed ; PWD=/srv/http/123solar/admin ; USER=root ; COMMAND=systemctl is-enabled 123solar.service
Allowing the http user to run any command is not what you want.
Please ask the Arch / Manjaro mailing list for more info about that. For me it works on Debian, sorry, I have no idea anymore.
I can now run is-enabled, but still got
jui 12 16:38:47 zbox sudo[290969]: pam_systemd_home(sudo:auth): Not a user managed by systemd-homed: No home for user http known
jui 12 16:38:47 zbox sudo[290969]: pam_unix(sudo:auth): conversation failed
jui 12 16:38:47 zbox sudo[290969]: pam_unix(sudo:auth): auth could not identify password for [http]
jui 12 16:38:50 zbox sudo[290969]: http : command not allowed ; PWD=/srv/http/123solar/admin ; USER=root ; COMMAND=systemctl stop 123solar.service
I don't have much time to look at that for now, thanks for the tips @basti122303.
The errors of systemd-homed are not relevant here.
This is the problem:
jui 12 16:38:50 zbox sudo[290969]: http : command not allowed ; PWD=/srv/http/123solar/admin ; USER=root ; COMMAND=systemctl stop 123solar.service
I wrote about that above.
This is only for non-debug mode, I never used it.
Create a sudoers file like:
# /etc/sudoers.d/www-data
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl restart 123solar.service
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl stop 123solar.service
www-data ALL=(root) NOPASSWD: /usr/bin/systemctl start 123solar.service
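A PHP-side call that matches these rules, as an added example that is not part of the thread or of 123solar's code: it runs sudo and systemctl by absolute path without a shell, passes `sudo -n` so a non-matching rule fails at once instead of prompting, and returns the exit code and stderr that the `exec()` test scripts in the thread never captured. The `/usr/bin/sudo` path and the function name `unit_ctl` are assumptions; `/usr/bin/systemctl` matches the `whereis` output shown in the thread.

```php
<?php
// Added example, not 123solar code. SUDO path and unit_ctl() are assumptions;
// SYSTEMCTL matches the `whereis systemctl` output shown in the thread.
const SUDO = '/usr/bin/sudo';
const SYSTEMCTL = '/usr/bin/systemctl';
const UNIT = '123solar.service';

/**
 * Run one allowed systemctl verb on the unit.
 * Returns exit code, stdout and stderr so a sudo denial is visible to the caller.
 */
function unit_ctl(string $action): array
{
    if ($action === 'is-enabled') {
        // Read-only query: works unprivileged, no sudo rule needed.
        $argv = [SYSTEMCTL, $action, UNIT];
    } elseif (in_array($action, ['start', 'stop', 'restart'], true)) {
        // Same verbs as the sudoers drop-in. -n: never prompt for a password.
        $argv = [SUDO, '-n', SYSTEMCTL, $action, UNIT];
    } else {
        throw new InvalidArgumentException("action not allowed: $action");
    }

    // Array form (PHP >= 7.4) executes argv directly: no /bin/sh, no quoting,
    // and with absolute paths nothing depends on the web server's PATH.
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return ['code' => -1, 'stdout' => '', 'stderr' => 'proc_open failed'];
    }
    $stdout = trim(stream_get_contents($pipes[1]));
    $stderr = trim(stream_get_contents($pipes[2]));
    fclose($pipes[1]);
    fclose($pipes[2]);

    return ['code' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
}

$r = unit_ctl('is-enabled');
if ($r['code'] === 0 && $r['stdout'] === 'enabled') {
    echo "yeah enabled\n";
} else {
    // Record why, instead of an unexplained 'nope' or empty array.
    error_log("is-enabled failed (exit {$r['code']}): {$r['stderr']}");
    echo "nope\n";
}
```

Because the verbs are fixed in code and the unit name is a constant, no request data reaches the command line, and the sudoers file can stay limited to the three rules above.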