Strange 'sudoers' behavior
posted by Ian Haskin on July 14, 2015, 4:35 p.m. (3 days ago)

Thread Tags: discuss-at-studiosysadmins

I'm re-building an internal-only archiving appliance that uses html/php to control LTO 4&6 drives. For testing purposes, apache has been granted full, no password access in /etc/sudoers (apache ALL=(ALL) NOPASSWD: ALL). SELINUX is disabled. This will all be hardened after everything starts working.

----------------------------------------

The weirdness is below:

[root@archive bin]# runuser -l apache -c '/bin/mt -f /dev/nst0 status'
SCSI 2 tape drive:
File number=0, block number=0, partition=0.
Tape block size 0 bytes. Density code 0x46 (LTO-4).
Soft error count since last status=0
General status bits on (41010000):
BOT ONLINE IM_REP_EN

[root@archive bin]# runuser -l apache -c '/bin/mt -f /dev/nst1 status'
/dev/nst1: Permission denied

[root@archive bin]# /bin/mt -f /dev/nst1 status
SCSI 2 tape drive:
File number=-1, block number=-1, partition=0.
Tape block size 0 bytes. Density code 0x0 (default).
Soft error count since last status=0
General status bits on (50000):
DR_OPEN IM_REP_EN

----------------------------------------

TLDR: If there's a tape in the LTO4 drive, the status is returned correctly from PHP running 'mt -f [dev] status'. "Permission denied" is returned if there is no tape in the LTO4 drive, or the drive is LTO6. The terminal displays the expected behavior.

Versions:
CentOS 7, 3.10.0-229.7.2.el7.x86_64
sudo.x86_64, 1.8.6p7-13.el7
httpd.x86_64, 2.4.6-31.el7.centos
php.x86_64, 5.4.16-36.el7_1
mt-st.x86_64, 1.1-13.el7

Any ideas would be greatly appreciated.

Ian