Path: ...!news.misty.com!weretis.net!feeder9.news.weretis.net!news.quux.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!eternal-september.org!.POSTED!not-for-mail
From: Lew Pitcher <lew.pitcher@digitalfreehold.ca>
Newsgroups: comp.os.linux.misc,comp.sys.raspberry-pi
Subject: Re: Simple way for web to execute root shell script.
Date: Fri, 23 May 2025 14:08:25 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 27
Message-ID: <100pvgp$40ea$1@dont-email.me>
References: <100pphq$2taj$2@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 23 May 2025 16:08:26 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="8d1e79ad81b5ae61c284cc7f636cb112";
	logging-data="131530"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX1/Eyhn7+xZ8yHnHPTfAdkifbuun4RurYyE="
User-Agent: Pan/0.139 (Sexual Chocolate; GIT bf56508
 git://git.gnome.org/pan2)
Cancel-Lock: sha1:oA+qA6ryGj4No4AfQtZSlkfzOPk=
Bytes: 2039

On Fri, 23 May 2025 13:26:34 +0100, The Natural Philosopher wrote:

> I have a shell script that monitors hardware stuff - it needs to run as 
> root and be called by Apache as user www.

As you probably already know, the system won't run shell scripts as setuid,
even if the setuid bit is set. So, the direct route is out.

> 
>   Bookworm linux on a Pi4.
> 
> It's all inside a domestic firewall so security is not a huge issue.
> What is the quickest and simplest solution to this?

My gut reaction would be to have the webserver use sudo(1) (with suitable
limitations set in the /etc/sudoers file) to run the script via a system(3)
call.

If you mistrust sudo(1), then you /could/ write a simple setuid wrapper program
that executes the script after making some rudimentary userid checks
(ruid == www, euid == root, etc. (perhaps check that session leader is apache?))


HTH
-- 
Lew Pitcher
"In Skills We Trust"
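
A sketch of the setuid wrapper suggested in the post above, as an added example that is not code from the post or its author. The account name `www-data` (Apache's user on Debian), the script path and the `hwmon-wrapper` name are assumptions; the uid check follows the post's "ruid == www, euid == root".

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumptions (not from the post): account name and script path. */
#define WEB_USER "www-data"                  /* Apache's account on Debian */
#define SCRIPT   "/usr/local/sbin/hwmon.sh"  /* hypothetical; root-owned, mode 0700 */

/* The post's "rudimentary userid checks": real uid is the web user and
 * effective uid is root, i.e. the setuid bit actually took effect. */
int caller_allowed(uid_t ruid, uid_t euid, uid_t web_uid)
{
    return web_uid != 0 && ruid == web_uid && euid == 0;
}

int main(void)
{
    struct passwd *pw = getpwnam(WEB_USER);
    if (pw == NULL || !caller_allowed(getuid(), geteuid(), pw->pw_uid)) {
        fputs("hwmon-wrapper: caller not permitted\n", stderr);
        return 1;
    }

    /* Become root for real: bash resets euid to ruid at startup when they
     * differ, so a setuid bit alone would not carry through to the script. */
    if (setgroups(0, NULL) != 0 || setgid(0) != 0 || setuid(0) != 0) {
        perror("hwmon-wrapper: drop caller identity");
        return 1;
    }

    /* Fixed argv and fixed environment: nothing the web process supplies
     * (arguments, PATH, IFS, LD_*, BASH_ENV) reaches the root script. */
    char *const argv[] = { "/bin/sh", SCRIPT, NULL };
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    execve("/bin/sh", argv, envp);
    perror("hwmon-wrapper: execve");
    return 1;
}
```

Installed as root:www-data with mode 4750, the binary is executable only by root and the web server's group. The script it runs, and every directory above it, should be writable by root alone.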