I have a typical LAMP server setup (Ubuntu 16) with www-data:www-data setup for Apache.

I have a script that cannot be run as root but needs to run as www-data. The script recommends running sudo -u www-root -i -- <command> but when I do this I get the error:

This account is currently not available.

How can I safely allow the www-data user to run the command, or how would I allow the current user to execute the command, if that's a better direction?

Note: the script in question is WP-CLI which forces an --allow-root flag, but advises against it because of security reasons.

1 Answer

When you use the -i option of sudo, that means that sudo will attempt to use the assigned login shell and environment for that user. This is going to be a problem for the www-data account since that account typically is going to have a disabled shell.

    root@srv:# getent passwd www-data
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

What you need to figure out is if you really need the environment/shell of that user. You don't need the -i option, and could just run the command without it. This will run the command with the same type of shell as the user executing the command.

So use this instead.

    sudo -u www-data <command>

If for some reason you really need to have -i, then you would need to actually give that account a shell (/bin/sh, /bin/bash, or your favorite).
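The check described in the answer above, as an added example that is not part of the original answer: it reads the login shell from a passwd entry and only uses -i when that shell is not disabled. The function names and the sample entries are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from sudo or WP-CLI.

# Print the login shell (7th field) of the passwd(5) entry passed as $1.
# An empty field means /bin/sh, per passwd(5).
shell_of_entry() {
    entry_shell=$(printf '%s\n' "$1" | cut -d: -f7)
    printf '%s\n' "${entry_shell:-/bin/sh}"
}

# Succeed if the entry's shell can host `sudo -i`; fail for disabled shells.
has_login_shell() {
    case "$(shell_of_entry "$1")" in
        */nologin|*/false) return 1 ;;
        *) return 0 ;;
    esac
}

# Dry run: print the sudo prefix for user $1 whose passwd entry is $2.
sudo_prefix() {
    if has_login_shell "$2"; then
        printf 'sudo -u %s -i --\n' "$1"
    else
        printf 'sudo -u %s --\n' "$1"
    fi
}

# Run a command as user $1, looking the entry up with getent.
run_as() {
    target=$1; shift
    entry=$(getent passwd "$target") || {
        echo "no such user: $target" >&2
        return 1
    }
    if has_login_shell "$entry"; then
        sudo -u "$target" -i -- "$@"
    else
        sudo -u "$target" -- "$@"   # disabled shell: skip the login shell
    fi
}

# Constructed sample entries; the first matches the getent output above.
SAMPLE_NOLOGIN='www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'
SAMPLE_BASH='deploy:x:1001:1001::/home/deploy:/bin/bash'
```

Keeping the service account on nologin and dropping -i leaves the account without an interactive shell.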
