Run system command in perl cgi

Hi guys,
got a problem with a Perl CGI script over here. I need it to run a system command to get the status of a process. Unfortunately the process is owned by a specific user and only this user can get its status. So I tried running the command from the Perl CGI with "su", but then I get the following logfile entry:

Does anybody know how to solve this problem? Another command? Another setting somewhere?

Try using sudo if it is available on your system.

Gave that a shot too, but the manpage of sudo says the following:

So Perl just grabs the output of sudo:

Unfortunately www-data has no password, since it is not intended to be used as a system account. And apart from that, I don't even know how to submit this password to sudo...

Check the sudoers manpage for the NOPASSWD tag

Thanks for the hint. Sounded like the right way, tried it by adding

to /etc/sudoers. Still the same log entry...

Ok, seems like now the problem shifted a bit. After trying sudo from within perl, the auth-logfile showed this line:

So from root I su'ed to www-data and tried entering the command directly from within the command line. Result is this in auth.log:

"Kommunikationsfehler" would mean something like communication failure or conversation failure in English.

Now I don't know how to continue at all. I just don't know Linux quite this well. Anybody got any ideas for me?

Can you interactively connect as www-data?
If yes, from the www-data login, what prompt do you get when you do "sudo su -"?

That's the capture of me logging in to www-data and performing a sudo command:

That's where the story ends. I never gave a password to www-data, so I don't know what to enter. I also edited /etc/sudoers the way I posted earlier which should keep www-data away from any password hassle, but nothing works as expected...

I don't remember the sudoers file format correctly. Sometimes it's simply a syntax issue.

Also if you can afford to do it, set/change the password for www-data and then retry. Do you still get the prompt?

If you add a similar NOPASSWD entry for another user and then do sudo, what happens?

You may also want to check sudo documentation for any clues on how it treats accounts which don't have password set.

Well, I would exclude a syntax error, since the sudoers file contains the following example:

I first tried to add this line to just make the www-data user free of anything:

After that didn't work, I activated the example line in the file and made www-data member of the group sudo. That didn't work either...

Next try was setting a password for www-data. Still the password request, but at least now I was able to enter the password I set and got this line:

Next try was to add the same entry for another user and try with that one. Same thing as with www-data. No difference at all.

Last point you proposed is of no use anymore, since it doesn't even work with passwords enabled.

But all your proposals made me do some steps that gave me some clues. :slight_smile: At one point I got the message posted in the last quote, which made me think. The sentence implies that it's only a problem of sudoing to this specific account. I then did some further reading and thinking and came to the conclusion that sudo is normally a tool to gain root access, not access to another user. But I found something interesting in the sudoers manpage. Added this line to the sudoers file:

This line specifies that www-data can run any commands as the other user. This took me a step further since from now on I was able to run the command after I entered the password specified earlier on.
After reading the manpage some more, I even found out what had to be done to get rid of the password prompt:

This line in the sudoers file made the deal.

But still, I'm stuck with a last problem. I can run commands as my desired user without entering a password, but the command fails with an error code that is somehow related to rights. I somehow got the feeling that it needs to read some files it doesn't have the right permissions for when run from sudo. I also checked by logging into the desired account and running the command, and all performs well. Since I have the "ALL" statement in /etc/sudoers, the problem can't be another program that is called, it's got to be some file. Any ideas on how I could find out which file, or get sudo to grant the vboxuser privileges for everything to www-data?

Thought it would be some groups problem, since the sudoers manpage I read online said something about specifying a group when performing sudo. Turns out this seems to be an old version and this option does not exist anymore. Read the current manpage directly from the command line and it states that sudo performs any command with the groups the target user is in.

So groups can not be the problem and I have got to keep searching...

Wow, that things have to be this complicated! :smiley: But I finally got to where I wanted to be.

What did the trick was a little option, "-H", when running the command. This option specifies to set the home directory environment variable to the one of the target user, and it seems that somehow the command I wanted to perform relies on the home directory being set right.

Thanks very much to everybody for the lots of help. You got me lots of ideas I would have never had by myself... :slight_smile:
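
The setup this thread arrives at (www-data running one command as vboxuser through sudo, without a password and with -H) could look like this from the CGI side. This is an added example, not code from the thread: the sudoers rule in the comment, the sudo path and the status command path `/usr/local/bin/procstatus` are assumptions, and the rule is limited to one command rather than ALL.

```perl
#!/usr/bin/perl
# Added example (not from the thread). Assumed sudoers rule, edited with visudo,
# limited to one command instead of ALL:
#   www-data ALL=(vboxuser) NOPASSWD: /usr/local/bin/procstatus
# /usr/local/bin/procstatus is a hypothetical placeholder for the status command.
use strict;
use warnings;

my $RUN_AS = 'vboxuser';                      # target account named in the thread
my @STATUS = ('/usr/local/bin/procstatus');   # hypothetical status command

# Build the argv for sudo. -n: fail instead of prompting (a CGI has no tty),
# -H: set HOME to the target user's home, -u: run as that user.
sub sudo_argv {
    my ($user, @cmd) = @_;
    die "bad user name\n" unless $user =~ /\A[a-z_][a-z0-9_-]*\z/;
    die "command must be an absolute path\n" unless @cmd && $cmd[0] =~ m{\A/};
    # /usr/bin/sudo is the usual location (assumption); adjust if it differs.
    return ('/usr/bin/sudo', '-n', '-H', '-u', $user, '--', @cmd);
}

# Run the command without a shell (list-form open), return (exit code, output).
sub run_status {
    my @argv = sudo_argv($RUN_AS, @STATUS);
    local %ENV = (PATH => '/usr/bin:/bin');   # minimal, known environment
    open(my $fh, '-|', @argv) or return (-1, "cannot start sudo: $!");
    local $/;                                 # slurp all output at once
    my $out = <$fh>;
    close($fh);                               # sets $? to the child's status
    return ($? >> 8, defined $out ? $out : '');
}

my ($rc, $out) = run_status();
print "Content-Type: text/plain\r\n\r\n";
if ($rc == 0) {
    print $out;
} else {
    # Details go to the web server error log, not to the client.
    print STDERR "status command failed, exit code $rc\n";
    print "status unavailable\n";
}
```

Because the command is passed as a list, no shell parses it, so nothing taken from the HTTP request should ever be appended to `@STATUS` without strict validation.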

www-data does not get login rights as default to protect from using it as an ssh login. You would have to look at the man page for "moduser" or use a gui user admin tool to change that.

It is of course doing that for security reasons, and changing the setting is unadvisable if you're connected to the internet.

Can't you "chown" the executable to the www-data user or chmod 777 [exe] the file so it is runnable by all users? This would be more secure, as it would affect only that exe, and you evidently want a CGI script to have access to it.