/etc/sudoers entry

Issue #188 resolved
Clemo created an issue

The Piler web GUI pops up the following message after applying newly created archive/retention rules:

add the following to /etc/sudoers: "www-data all=nopassword ......" (on CentOS it would be apache) .....

Is this entry necessary? My setup appears to work without that entry. And if it is, wouldn't it be advisable to restrict Apache's sudo rights to maybe a few directories (which ones?), instead of giving it full system access, for security reasons?

Clemo

Comments (9)

  1. Janos SUTO repo owner

    I'm not sure how your setup works without it. In order to re-read the retention and/or archiving policies, the piler daemon needs a HUP signal. The apache user can't do it on its own, that's why a sudo entry is required to execute a single command as root. The given sudo entry restricts the webserver to a single command.

  2. Clemo reporter

    I think I was making a mistake. I was restarting Piler every time I added a rule. But now, after adding the sudo entry in CentOS, the web GUI is still popping up the same message to add the sudo entry. I notice Apache is not reloading Piler when I check the logs, but the entry is made in the web GUI. This is my sudo entry:

    apache ALL=NOPASSWD: /etc/init.d/piler reload

    I also tried:

    %apache ALL=NOPASSWD: /etc/init.d/piler reload

    And finally tried (as a test):

    apache ALL=(ALL) NOPASSWD:ALL

    But Piler is still not reloaded.

    Clemo

  3. Janos SUTO repo owner

    Set the following in config-site.php, and try again:

    $config['RELOAD_COMMAND'] = 'sudo -n /etc/init.d/piler reload';

    By default the GUI searches for /etc/init.d/rc.piler and not /etc/init.d/piler.

  4. Clemo reporter

    I have added this line in config-site.php, but it is still not taking effect.

    $config['RELOAD_COMMAND'] = 'sudo -n /etc/init.d/piler reload';

    The config.php already had that entry, since that is how I had initially created the init.d entry. I am even restarting Apache to try and make it take effect, but nothing yet. I work on the system as a sudo user, and am sure sudo itself has no problem.

  5. Janos SUTO repo owner

    Can you su to apache, and manually run sudo -n /etc/init.d/piler reload?

    If it just won't work, then try using pilerreload in contrib/reload. It's a small binary, designed to send a HUP signal to the process id found in piler.pid.
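    Added example (not from the thread and not piler's contrib/reload code): the same "read the pid from piler.pid, send it a HUP" step as a POSIX shell function, with the checks a tool that runs as the web server user should do before signalling anything. The pidfile path is whatever you pass in; the file name piler.pid is taken from the comment above, its location is an assumption.

```shell
#!/bin/sh
# reload_by_pidfile PIDFILE
# Sends SIGHUP to the process whose pid is stored in PIDFILE, so that a daemon
# such as piler re-reads its retention/archiving rules. Added example, not the
# piler project's own reload tool; the pidfile location is an assumption.
#
# Before signalling, the function refuses anything that is not a plain pid:
#   - an unreadable or missing pidfile,
#   - content that is not a positive integer (truncated or tampered file),
#   - pid 1 (never HUP init by mistake),
#   - a pid that is not running or that we are not allowed to signal.
reload_by_pidfile() {
    pidfile=$1

    [ -r "$pidfile" ] || { echo "pidfile $pidfile is not readable" >&2; return 1; }

    # First line only, with surrounding whitespace/newline removed.
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')

    # Accept digits only; an empty string or anything else is rejected.
    case "$pid" in
        ''|*[!0-9]*)
            echo "pidfile $pidfile does not contain a numeric pid" >&2
            return 1 ;;
    esac
    [ "$pid" -gt 1 ] || { echo "refusing to signal pid $pid" >&2; return 1; }

    # kill -0 sends no signal; it only checks that the process exists and that
    # the caller has permission to signal it.
    kill -0 "$pid" 2>/dev/null || { echo "no signalable process with pid $pid" >&2; return 1; }

    kill -s HUP "$pid"
}

# When run directly with a pidfile argument, reload that daemon.
[ $# -ge 1 ] && reload_by_pidfile "$1"
```

    Because the function runs the pid through a digit-only check and kill -0 before signalling, a corrupted or empty pidfile produces an error message and a non-zero exit instead of a HUP sent to a random process. If the web server user cannot signal the daemon directly (it usually runs as a different user), this script is exactly the single command that belongs in the restricted sudoers entry, instead of a blanket grant.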

  6. Clemo reporter

    Issue now resolved. In case you encounter a future user requesting assistance on this issue, it's a CentOS /etc/sudoers setting. CentOS and most likely Red Hat variants enable this entry:

    Defaults requiretty

    So one needs to comment it out. I noticed this in the Apache logs, which report this message:

    sudo: sorry, you must have a tty to run sudo

    After disabling the setting, Apache successfully reloads Piler.

    Thanks for being so helpful.

    Regards,

    Clemo

  7. Clemo reporter

    The entry is in /etc/sudoers.

    We can even leave the default as it is (for security) but exclude Apache only from the tty requirement. Thus we exclude only the apache user and group as follows:

    Defaults requiretty

    Defaults:%apache !requiretty

    Defaults:apache !requiretty
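    Added example (not from the thread or the piler project): a small shell audit that checks a sudoers file for the two problems this thread ran into, a blanket "NOPASSWD: ALL" grant to the web server user (the "as a test" entry from comment 2, which is full root) and a global "Defaults requiretty" with no per-user exemption (the cause of "sudo: sorry, you must have a tty to run sudo"). The user name "apache" and the two sample sudoers fragments are constructed for illustration.

```shell
#!/bin/sh
# Audit a sudoers file for the two problems discussed in this thread:
#   1. a blanket "NOPASSWD: ALL" (full root) grant to the web server user, and
#   2. a global "Defaults requiretty" with no per-user exemption, which makes
#      every non-interactive "sudo -n ..." from the web server fail with
#      "sudo: sorry, you must have a tty to run sudo".
# Added example, not piler's own tooling. The user name "apache" and the two
# sample sudoers fragments below are constructed for illustration.

# audit_sudoers FILE USER
# Prints one line per finding and returns the number of findings (0 = clean).
audit_sudoers() {
    file=$1
    user=$2
    findings=0

    # Drop comments and blank lines so the patterns only see real rules.
    rules=$(sed 's/#.*$//' "$file" | grep -v '^[[:space:]]*$' || true)

    # 1. "USER ALL=(runas) [TAG:] ALL" (or "%GROUP ...") is a full-root grant,
    #    e.g. "apache ALL=(ALL) NOPASSWD:ALL". A rule naming one command,
    #    e.g. "apache ALL=NOPASSWD: /etc/init.d/piler reload", does not match.
    if printf '%s\n' "$rules" | grep -Eq \
        "^[[:space:]]*%?$user[[:space:]]+ALL[[:space:]]*=[[:space:]]*(\([^)]*\)[[:space:]]*)?([A-Z]+:[[:space:]]*)*ALL[[:space:]]*$"; then
        printf 'RISK: %s may run any command as root; grant only the reload command\n' "$user"
        findings=$((findings + 1))
    fi

    # 2. Global requiretty with no "Defaults:USER !requiretty" (or %GROUP)
    #    exemption: sudo started by the web server has no tty, so it is refused.
    if printf '%s\n' "$rules" | grep -Eq \
        '^[[:space:]]*Defaults[[:space:]]+(.*[[:space:],])?requiretty' &&
       ! printf '%s\n' "$rules" | grep -Eq \
        "^[[:space:]]*Defaults:%?$user[[:space:]]+.*!requiretty"; then
        printf 'BREAK: requiretty is on and %s is not exempted; add "Defaults:%s !requiretty"\n' "$user" "$user"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# write_samples DIR: writes two constructed sudoers fragments, DIR/risky and DIR/hardened.
write_samples() {
    cat > "$1/risky" <<'EOF'
# everything as root, and requiretty left on (the CentOS default)
Defaults requiretty
apache ALL=(ALL) NOPASSWD:ALL
EOF
    cat > "$1/hardened" <<'EOF'
# one command as root; requiretty kept, but lifted for the web user and group
Defaults requiretty
Defaults:%apache !requiretty
Defaults:apache !requiretty
apache ALL=NOPASSWD: /etc/init.d/piler reload
EOF
}

# Stand-alone demonstration on the two constructed fragments.
samples=$(mktemp -d)
write_samples "$samples"
for f in risky hardened; do
    echo "== $f"
    audit_sudoers "$samples/$f" apache || echo "($? finding(s))"
done
rm -rf "$samples"
```

    Run it against a copy of the real file (audit_sudoers /etc/sudoers apache, or the drop-in under /etc/sudoers.d); the "hardened" fragment is the shape the thread arrives at: requiretty stays on globally, only the apache user and group are exempted, and the grant names the single reload command. Syntax is still visudo's job: edit with visudo, or check a candidate file with visudo -c before installing it, since a sudoers parse error locks everyone out of sudo.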
