All comments, suggestions etc. are welcome. Please contact me at wf-hp@gmx.net.
sudo from PHP not working with apache 2.4
Probably due to the abolition of safe_mode, calling programs with sudo stopped
working. In my case I was calling shell scripts from postfixadmin to create
and delete domains and mailboxes.
The error I got in Apache's error.log was:
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
The interesting thing was that I didn't find anything on Google, just some old
hits from years ago. Either the problem only occurs here or nobody is using
postfixadmin.
Just to make sure the script was still working (as it had been for years), I did
su - www-data and ran the script: success.
Then, to rule out problems with the script in connection with sudo, I ran the
script from the command line as root with sudo -c vmail SCRIPT; that
worked as well. So I was sure it was only a problem between Apache, PHP and
sudo (confirming what I guessed from the error quoted above).
So I had to find another way to create and delete domains and mailboxes.
First I tried setting the suid bit on the shell scripts. This was not
successful because, as I found out then, the suid bit is ignored by the shell
for shell scripts.
The next idea was to use suPHP, to no avail, because it is not available for
anything later than Apache 2.2.
So finally the only way was to write a wrapper program and set the suid bit on
it, so the shell script is actually run by user vmail (as necessary in my
setup; your mileage may vary).
I use one of the four scripts as an example and go through all necessary steps;
for the others only the file names have to be changed.
Wrapper script

$ vi wrapper-postfixadmin-mailbox-postcreation.c

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
/* Body assumed (not shown on the page): replace the placeholder path with your shell script. */
int main(int argc, char *argv[]) {
    if (setuid(geteuid()) != 0) { perror("setuid"); return EXIT_FAILURE; } /* become the file owner (vmail) */
    execv("/path/to/postfixadmin-mailbox-postcreation", argv); /* placeholder path; execv only returns on failure */
    perror("execv");
    return EXIT_FAILURE;
}

Now you have to set the user ownership of the wrapper file to the user that
needs to create the maildir directories according to your mail server setup, so
e-mails can be delivered into those maildir directories. In my case this was
user vmail (so before, the script was called as sudo -u vmail
... in /etc/postfixadmin/config.inc.php).
The other thing you have to consider is that the user running the web server
(here on Debian, www-data) needs execute permission on the wrapper. My
www-data is in the group vmail, so I run (as root):
# chown vmail:vmail wrapper-postfixadmin-mailbox-postcreation
Then we set the suid bit:
# chmod 4750 wrapper-postfixadmin-mailbox-postcreation
The last thing is to configure the correct program name in
/etc/postfixadmin/config.inc.php:
$CONF['mailbox_postcreation_script']='/usr/local/bin/postfixadmin-mailbox-postcreation';
After you have repeated these steps for all four scripts (create/delete domain/mailbox) everything should be working again.
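The following is an added example, not the wrapper from the original page or from postfixadmin: a hardened variant of the suid wrapper approach described above. A setuid binary that the web server can execute is a privilege boundary, so this version refuses arguments that could not be a mailbox address, domain or maildir path, replaces the inherited environment with a fixed PATH, and checks that the uid switch actually took effect before running the script. The script path SCRIPT_PATH, the allowed character set, and the names arg_is_safe, args_are_safe and drop_to_owner are assumptions introduced here; adjust the allowlist to whatever arguments your hook script really receives.

```c
/* Hardened setuid wrapper for a postfixadmin hook script (added example).
 * Assumptions (not from the original page): the shell script lives at
 * SCRIPT_PATH, and its arguments are mailbox/domain/maildir strings. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define SCRIPT_PATH "/usr/local/bin/postfixadmin-mailbox-postcreation.sh" /* placeholder, adjust */
#define MAX_ARGS 8
#define MAX_ARG_LEN 255

/* Accept only characters that can appear in an address, a domain or a maildir
 * path: letters, digits, '@', '.', '-', '_' and '/'. Reject empty or oversized
 * strings, anything that looks like an option, and any ".." path component.
 * Returns 1 if the argument is safe to pass on, 0 otherwise. */
int arg_is_safe(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > MAX_ARG_LEN) return 0;
    if (s[0] == '-') return 0;          /* never let an argument be parsed as an option */
    if (strstr(s, "..") != NULL) return 0; /* no directory traversal in maildir paths */
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '@' || c == '.' ||
                 c == '-' || c == '_' || c == '/';
        if (!ok) return 0;
    }
    return 1;
}

/* Validate the whole argument vector argv[1..argc-1]; also bounds the count. */
int args_are_safe(int argc, char *const argv[]) {
    if (argc < 1 || argc > MAX_ARGS + 1) return 0;
    for (int i = 1; i < argc; i++)
        if (!arg_is_safe(argv[i])) return 0;
    return 1;
}

/* Permanently become the effective uid/gid the suid (and, if set, sgid) bit
 * gave us, so the script cannot switch back to the web server's identity.
 * Group first: after setuid a non-root process can no longer change groups.
 * Returns 0 on success, -1 on failure. */
int drop_to_owner(void) {
    if (setgid(getegid()) != 0) return -1;
    if (setuid(geteuid()) != 0) return -1;
    /* Verify the switch took effect: real and effective ids must now agree. */
    if (getuid() != geteuid() || getgid() != getegid()) return -1;
    return 0;
}

int main(int argc, char *argv[]) {
    if (!args_are_safe(argc, argv)) {
        fprintf(stderr, "wrapper: refusing unsafe argument\n");
        return EXIT_FAILURE;
    }
    if (drop_to_owner() != 0) {
        perror("wrapper: cannot switch to file owner");
        return EXIT_FAILURE;
    }
    /* Do not inherit the web server's environment: a fixed PATH and nothing else. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    char *new_argv[MAX_ARGS + 2];
    new_argv[0] = SCRIPT_PATH;
    for (int i = 1; i < argc; i++) new_argv[i] = argv[i];
    new_argv[argc] = NULL;
    execve(SCRIPT_PATH, new_argv, envp);  /* only returns on failure */
    perror("wrapper: execve");
    return EXIT_FAILURE;
}
```

Build it with gcc -O2 -o wrapper-postfixadmin-mailbox-postcreation wrapper-postfixadmin-mailbox-postcreation.c, then apply the chown and chmod 4750 steps from above. With only the suid bit set the script runs as uid vmail but keeps the web server's group; if your maildirs must also be group-owned by vmail, set the sgid bit as well (chmod 6750) and the setgid call above will pick it up. Keep the path in SCRIPT_PATH absolute and the script itself writable only by root, since the wrapper trusts it completely.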