I spent one hour to investigate why I couldn’t execute a command with sudo, from a php script, although the user was authorized for that command within a sudoer file… The problem was a dot in the name of the sudoer file.
Click to Read More
My php script is part of a package I have created to run on my Synology (DSM 7.x).. It is running under an account named like my package: MODS_Package7.x
That php script executes the following code:
$COMMAND = “sudo /usr/syno/bin/synopkg start ‘$PACKAGE’ 2>&1”;
exec($COMMAND, $output, $result);
My sudoer file was named /etc/sudoers.d/MODS_Package7.x and contained:
MODS_Package7.x ALL=(ALL) NOPASSWD: /usr/syno/bin/synopkg
It didn’t work until I removed the “.”, renaming the sudoer file into /etc/sudoers.d/MODS_Package7_x
How stupid, but it’s indeed mentioned in the documentation:
sudo will read each file in /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’ character to avoid causing problems with package manager or editor temporary/backup files.
The /etc/sudoers.d/README file does not exist on Synology, but can be found on other Linux
# # As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on # installation of the package now includes the directive: # # #includedir /etc/sudoers.d # # This will cause sudo to read and parse any files in the /etc/sudoers.d # directory that do not end in '~' or contain a '.' character. # # Note that there must be at least one file in the sudoers.d directory (this # one will do), and all files in this directory should be mode 0440. # # Note also, that because sudoers contents can vary widely, no attempt is # made to add this directive to existing sudoers files on upgrade. Feel free # to add the above directive to the end of your /etc/sudoers file to enable # this functionality for existing installations if you wish! # # Finally, please note that using the visudo command is the recommended way # to update sudoers content, since it protects against many failure modes. # See the man page for visudo for more information. #
Leave a Reply