I have a shell script that monitors hardware stuff - it needs to run as
root and be called by Apache as user www.
Bookworm linux on a Pi4.
It's all inside a domestic firewall so security is not a huge issue.
What is the quickest and simplest solution to this?
On 5/23/25 13:26, The Natural Philosopher wrote:
I have a shell script that monitors hardware stuff - it needs to run as
root and be called by Apache as user www.
Bookworm linux on a Pi4.
It's all inside a domestic firewall so security is not a huge issue.
What is the quickest and simplest solution to this?
Dunno, change script ownership to root and use setuid, sudo chmod u+s.
It used to work, nowadays who knows? It did used to provide security holes.
<https://askubuntu.com/questions/1391359/how-to-let-a-non-privelegde-user-run-a-program-requiring-root-permsiossions-wit>
On Fri, 23 May 2025 13:26:34 +0100, The Natural Philosopher wrote:
I have a shell script that monitors hardware stuff - it needs to run as
root and be called by Apache as user www.
As you probably already know, the system won't run shell scripts as setuid, even if the setuid bit is set. So, the direct route is out.
Bookworm linux on a Pi4.
It's all inside a domestic firewall so security is not a huge issue.
What is the quickest and simplest solution to this?
My gut reaction would be to have the webserver use sudo(1) (with suitable limitations set in the /etc/sudoers file) to run the script via a system(3) call.
If you mistrust sudo(1), then you /could/ write a simple setuid wrapper program
that executes the script after making some rudimentary userid checks
(ruid == www, euid == root, etc. (perhaps check that session leader is apache?))
HTH
On Fri, 23 May 2025 14:08:25 +0000, Lew Pitcher wrote:
[snip]
If you mistrust sudo(1), then you /could/ write a simple setuid wrapper program
that executes the script after making some rudimentary userid checks
(ruid == www, euid == root, etc. (perhaps check that session leader is apache?))
Nope, not session leader.
But process group leader works.
On 2025-05-23 8:26 a.m., The Natural Philosopher wrote:
I have a shell script that monitors hardware stuff - it needs to run as
root and be called by Apache as user www.
Bookworm linux on a Pi4.
It's all inside a domestic firewall so security is not a huge issue.
What is the quickest and simplest solution to this?
Use sudo to call the script. First, drop a file into /etc/sudoers.d/ containing something like the following (untested):
www ALL = (root) NOPASSWD: /path/to/script
That should allow Apache running as www to call 'sudo /path/script' to
run 'script' as root with no password needed. But at the same time, the
www user won't be able to run anything else as root (nor any other user).
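A pre-flight check for the sudo approach above, as an added example that is not part of the original post: the sudoers rule only restricts which path runs as root, so the script and its directory must be writable by root alone. The function names and the owner-uid parameter are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). The rule quoted in the post,
#   www ALL = (root) NOPASSWD: /path/to/script
# is only as tight as the permissions on /path/to/script: if www (or its
# group) can rewrite the script or replace it in its directory, www is root.
# path_locked_down and sudo_target_ok are hypothetical helper names.

# path_locked_down PATH [OWNER_UID]
# Succeeds only if PATH is owned by OWNER_UID (default 0 = root) and is
# writable by neither group nor others.
path_locked_down() {
    pld_owner=${2:-0}
    # "ls -ldn" prints: mode links uid gid ...; -n keeps the ids numeric.
    pld_line=$(ls -ldn -- "$1" 2>/dev/null) || return 1
    read -r pld_mode pld_links pld_uid pld_rest <<EOF
$pld_line
EOF
    [ "$pld_uid" = "$pld_owner" ] || return 1
    case $pld_mode in
        ?????w*|????????w*) return 1 ;;   # group-writable or world-writable
    esac
    return 0
}

# sudo_target_ok SCRIPT [OWNER_UID]
# The script must be a regular file (not a symlink), and both the script and
# the directory holding it must pass path_locked_down.
sudo_target_ok() {
    [ -f "$1" ] || return 1
    [ ! -L "$1" ] || return 1
    path_locked_down "$1" "${2:-0}" || return 1
    path_locked_down "$(dirname -- "$1")" "${2:-0}"
}

# Typical use as root, before installing the drop-in:
#   sudo_target_ok /path/to/script || echo "fix ownership/mode first" >&2
# and validate the drop-in itself with: visudo -cf /etc/sudoers.d/<file>
```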
On Fri, 23 May 2025 13:51:57 +0100, Pancho wrote:
On 5/23/25 13:26, The Natural Philosopher wrote:
I have a shell script that monitors hardware stuff - it needs to run as
root and be called by Apache as user www.
Bookworm linux on a Pi4.
It's all inside a domestic firewall so security is not a huge issue.
What is the quickest and simplest solution to this?
Dunno, change script ownership to root and use setuid, sudo chmod u+s.
It used to work, nowadays who knows? It did used to provide security holes.
FWIW, the Linux kernel does not honour the setuid bit when running hashbang scripts.
On 23/05/2025 15:08, Lew Pitcher wrote:
On Fri, 23 May 2025 13:26:34 +0100, The Natural Philosopher wrote:
I have a shell script that monitors hardware stuff - it needs to run as
root and be called by Apache as user www.
As you probably already know, the system won't run shell scripts as setuid,
even if the setuid bit is set. So, the direct route is out.
Bookworm linux on a Pi4.
It's all inside a domestic firewall so security is not a huge issue.
What is the quickest and simplest solution to this?
My gut reaction would be to have the webserver use sudo(1) (with suitable
limitations set in the /etc/sudoers file) to run the script via a system(3)
call.
Can't one execute it direct from apache?
The Natural Philosopher <tnp@invalid.invalid> wrote:
On 23/05/2025 15:08, Lew Pitcher wrote:
On Fri, 23 May 2025 13:26:34 +0100, The Natural Philosopher wrote:
I have a shell script that monitors hardware stuff - it needs to run as
root and be called by Apache as user www.
As you probably already know, the system won't run shell scripts as setuid,
even if the setuid bit is set. So, the direct route is out.
Bookworm linux on a Pi4.
It's all inside a domestic firewall so security is not a huge issue.
What is the quickest and simplest solution to this?
My gut reaction would be to have the webserver use sudo(1) (with suitable
limitations set in the /etc/sudoers file) to run the script via a system(3)
call.
Can't one execute it direct from apache?
If it's a shell script then it won't run as root even if it is suid
root.
I'd go the sudo way, but I'm not neutral about that¹.
Greetings
Marc
¹ I maintain sudo in Debian
In comp.os.linux.misc The Natural Philosopher <tnp@invalid.invalid> wrote:
I have a shell script that monitors hardware stuff - it needs to run
as root and be called by Apache as user www.
Bookworm linux on a Pi4.
It's all inside a domestic firewall so security is not a huge issue.
What is the quickest and simplest solution to this?
You've been given lots of options already. But not this one.
What "hardware stuff" is it monitoring? If it is reading files in
/proc and/or /sys to obtain its "data" then another alternative would
be to setup /proc and /sys to be mounted group or world readable (or to
reset permissions on the necessary files via a rc.local boot script to
group or world readable). That would let the script "monitor" without
being root. Then you could even convert the script into a CGI script
(which Apache is more than able to execute, and doing so for minimal
text output involves the script outputting a handful of HTTP headers
before the monitor data) and get your "monitoring data" back via
Apache.
On 5/23/25 8:26 AM, The Natural Philosopher wrote:
I have a shell script that monitors hardware stuff - it needs to run
as root and be called by Apache as user www.
Bookworm linux on a Pi4.
It's all inside a domestic firewall so security is not a huge issue.
What is the quickest and simplest solution to this?
Ummm ... just sayin' ... do you REALLY want/need that ???
Seems like a recipe for sure disaster.
In comp.os.linux.misc The Natural Philosopher <tnp@invalid.invalid> wrote:
On 23/05/2025 19:44, Rich wrote:
In comp.os.linux.misc The Natural Philosopher <tnp@invalid.invalid> wrote:
I have a shell script that monitors hardware stuff - it needs to run
as root and be called by Apache as user www.
Bookworm linux on a Pi4.
It's all inside a domestic firewall so security is not a huge issue.
What is the quickest and simplest solution to this?
You've been given lots of options already. But not this one.
What "hardware stuff" is it monitoring? If it is reading files in
/proc and/or /sys to obtain its "data" then another alternative would
be to setup /proc and /sys to be mounted group or world readable (or to
reset permissions on the necessary files via a rc.local boot script to
group or world readable). That would let the script "monitor" without
being root. Then you could even convert the script into a CGI script
(which Apache is more than able to execute, and doing so for minimal
text output involves the script outputting a handful of HTTP headers
before the monitor data) and get your "monitoring data" back via
Apache.
Sadly the data is not available in /sys or /proc AFAIK.
Yeah, at least the smart data is not (as far as I am aware) available
via /proc or /sys.
Another option. You could setup a cronjob, as root, to run your script
on some periodic basis (once per minute, every 10 minutes, etc.) and
save the results into a file that is readable via the 'www' user (or to
save the info directly into a file in the Apache htdocs hierarchy from
where you want to retrieve it).
Then you can 'pull' the data via Apache from that file.
You'd have data that is up to date as of the last run of the script,
but you would not have the "exactly now it is Y" aspect (unless your
AJAX pulled just after a cronjob run *and* you were watching the
'meters' at that very moment).
You could even include a "date" as the first line, so you could see if something got hung by the time value being too far in the past.
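The cron approach described above, as an added example that is not part of the original post: a root cron job writes the snapshot with a timestamp on the first line and renames it into place, and the reading side rejects stale data. The install path, output path, schedule and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Root runs this from cron; Apache only
# ever reads the resulting file, so nothing web-facing executes as root.
# Hypothetical install path and schedule (/etc/cron.d format):
#   * * * * * root /usr/local/sbin/hw-snapshot write /var/www/html/hw.txt /usr/local/sbin/monitor.sh

# write_snapshot OUTFILE CMD [ARGS...]
# Line 1 of OUTFILE is the epoch time of the run, the rest is CMD's output.
# The data goes to a temp file in the same directory and is renamed over
# OUTFILE, so a reader never sees a half-written file. If CMD fails, the
# previous snapshot is left untouched (and will eventually read as stale).
write_snapshot() {
    ws_out=$1
    shift
    ws_tmp=$(mktemp "$(dirname -- "$ws_out")/.snapshot.XXXXXX") || return 1
    if { date +%s; "$@"; } >"$ws_tmp"; then
        # mktemp creates the file 0600; the www user needs read access.
        chmod 0644 "$ws_tmp" && mv -f -- "$ws_tmp" "$ws_out"
    else
        rm -f -- "$ws_tmp"
        return 1
    fi
}

# snapshot_age FILE [NOW] -> prints the snapshot's age in seconds.
# Fails if the first line is not a plain epoch timestamp.
snapshot_age() {
    IFS= read -r sa_stamp <"$1" || return 1
    case $sa_stamp in ''|*[!0-9]*) return 1 ;; esac
    sa_now=${2:-$(date +%s)}
    echo $(( sa_now - sa_stamp ))
}

# snapshot_is_fresh FILE MAX_AGE_SECONDS [NOW]
# True only if the snapshot is at most MAX_AGE_SECONDS old.
snapshot_is_fresh() {
    sf_age=$(snapshot_age "$1" "${3:-$(date +%s)}") || return 1
    [ "$sf_age" -ge 0 ] && [ "$sf_age" -le "$2" ]
}

# Command-line entry point used by the cron line above.
case ${1:-} in
    write) shift; write_snapshot "$@" ;;
    fresh) shift; snapshot_is_fresh "$@" ;;
esac
```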
The Natural Philosopher <tnp@invalid.invalid> writes:
On 24/05/2025 06:43, c186282 wrote:
On 5/23/25 8:26 AM, The Natural Philosopher wrote:
I have a shell script that monitors hardware stuff - it needs to
run as root and be called by Apache as user www.
Bookworm linux on a Pi4.
It's all inside a domestic firewall so security is not a huge issue.
What is the quickest and simplest solution to this?
Ummm ... just sayin' ... do you REALLY want/need that ???
Seems like a recipe for sure disaster.
Why on earth would you say that?
Standard Usenet style when you don’t know how to solve someone’s problem (or didn’t understand it) is to argue with their requirements instead.
On 23/05/2025 19:44, Rich wrote:
In comp.os.linux.misc The Natural Philosopher <tnp@invalid.invalid> wrote:
I have a shell script that monitors hardware stuff - it needs to run
as root and be called by Apache as user www.
Bookworm linux on a Pi4.
It's all inside a domestic firewall so security is not a huge issue.
What is the quickest and simplest solution to this?
You've been given lots of options already. But not this one.
What "hardware stuff" is it monitoring? If it is reading files in
/proc and/or /sys to obtain its "data" then another alternative would
be to setup /proc and /sys to be mounted group or world readable (or to
reset permissions on the necessary files via a rc.local boot script to
group or world readable). That would let the script "monitor" without
being root. Then you could even convert the script into a CGI script
(which Apache is more than able to execute, and doing so for minimal
text output involves the script outputting a handful of HTTP headers
before the monitor data) and get your "monitoring data" back via
Apache.
Sadly the data is not available in /sys or /proc AFAIK.
I wanted information on the temperature and data volumes on the SSDs and
the temperature of the ARM core. Plus data on the amount of data being transported over the ethernet interface.
The tools that came to hand were vcgencmd, smartctl, df and ip. Plus
some sedery grepery and awkery
The script is (if you are interested)
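#!/bin/bash
# Temperature of each SSD: column 10 (raw value) of the SMART line containing "Celsius"
smartctl -a /dev/sda | grep Celsius | awk '{print $10}'
smartctl -a /dev/sdb | grep Celsius | awk '{print $10}'
# ARM core temperature, with the "temp=" prefix and "'C" suffix stripped
vcgencmd measure_temp | sed -e 's/temp=//' | sed -e "s/'C//"
# eth0 byte counters: line 4 of the output carries RX bytes, line 6 TX bytes
ip -s link show dev eth0 | awk 'FNR == 4 {print $1}'
ip -s link show dev eth0 | awk 'FNR == 6 {print $1}'
# Usage of every mounted /dev/sd* partition
df -h | grep /dev/sd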
A typical output is
40
44
57.4
220513467
17430583
/dev/sda2 110G 6.1G 98G 6% /
/dev/sda1 510M 66M 445M 13% /boot/firmware
/dev/sda3 366G 126G 222G 37% /home
/dev/sdb1 219G 130G 78G 63% /backup
/dev/sdb2 1.6T 1.3T 297G 81% /home/Media
/dev/sda5 990G 559G 381G 60% /home/Media/Unedited
/dev/sda6 366G 26G 322G 8% /backup2
The intention is to poll that using AJAX and parse it into the position
of needles on dials in a web page.
I used to do this via SNMP, but less and less is available with SNMP and
it's clunky as shit.
If any of that is in /proc or /sys, I would like to hear about it.
None of this is precision stuff: I am building an ARM based NAS and I
just need a quick and easy way to keep an eye on it to see if it gets too
hot or too full as I develop stuff.
On 24/05/2025 06:43, c186282 wrote:
On 5/23/25 8:26 AM, The Natural Philosopher wrote:
I have a shell script that monitors hardware stuff - it needs to run
as root and be called by Apache as user www.
Bookworm linux on a Pi4.
It's all inside a domestic firewall so security is not a huge issue.
What is the quickest and simplest solution to this?
Ummm ... just sayin' ... do you REALLY want/need that ???
Seems like a recipe for sure disaster.
Why on earth would you say that?
If I told you that you didn't need an engine start switch inside your
car because it was a security hazard, you would be puzzled, too.
Richard Kettlewell <invalid@invalid.invalid> wrote:
Standard Usenet style when you don't know how to solve someone's
problem (or didn't understand it) is to argue with their requirements
instead.
To be fair, some questions really do provoke thoughts of "The only
reason you'd try to solve it that way is because of faulty requirement expectations."
if you don't know how to run things as root, maybe you should not do that
I have a vague memory of an "shc" package which describes itself
as a shell script compiler. In reality it isn't but it does
package up the script in a directly executable format (i.e. ELF)
and pass it to the shell at runtime. That would allow a SetUID
flag to work.
The Natural Philosopher <tnp@invalid.invalid> writes:
Sadly the data is not available in /sys or /proc AFAIK.
I wanted information on the temperature and data volumes on the SSDs
and the temperature of the ARM core.
I think lm-sensors. I have a compute module 3+ variant running but same
SoC anyways and lm-sensors gives this:
cpu_thermal-virtual-0
Adapter: Virtual device
temp1: +52.1°C
I don't have drives other than the eMMC on the Pi but on my router for example lm-sensors gives:
drivetemp-scsi-0-0
Adapter: SCSI adapter
temp1: +50.0°C
That's for an mSATA SSD.
Plus data on the amount of data being transported over the ethernet
interface.
/sys/class/net/eth0/statistics
Sadly the data is not available in /sys or /proc AFAIK.
I wanted information on the temperature and data volumes on the SSDs
and the temperature of the ARM core.
Plus data on the amount of data being transported over the ethernet interface.
Sadly USB attached SSDS do not show up...
The Natural Philosopher <tnp@invalid.invalid> writes:
Sadly USB attached SSDS do not show up...
I suppose it needs support from the drives and whatever USB-ATA
translator is in use. Seems a little odd though that smartctl works and
this doesn't.
The kernel driver for this is called drivetemp so it's worth checking if
it's loaded or if manually loading that driver changes anything.
On 23.05.2025 The Natural Philosopher <tnp@invalid.invalid> wrote:
I have a shell script that monitors hardware stuff - it needs to run as
root and be called by Apache as user www.
One can consider communicating via files. Apache writes a file
in a certain location (perhaps with the arguments for the script),
script run (as root) is then triggered via inotify mechanism (one can utilise i.e. incron),
the results are written to another file, readable by Apache.
On 26/05/2025 18:24, Dominik Ałaszewski wrote:
One can consider communicating via files. Apache writes a file in a
certain location (perhaps with the arguments for the script),
script run (as root) is then triggered via inotify mechanism (one can
utilise i.e. incron),
the results are written to another file, readable by Apache.
Why make stuff more complicated than it has to be?
On 26/05/2025 09:27, Anssi Saari wrote:
The Natural Philosopher <tnp@invalid.invalid> writes:
Sadly USB attached SSDS do not show up...
I suppose it needs support from the drives and whatever USB-ATA
translator is in use. Seems a little odd though that smartctl works and
this doesn't.
There are parameters you can supply which may allow it to work. Do a
lsusb to get the adapter name and search for it and smartctl. If it's a
must have get another adapter which is known to work with smartctl.
On 27/05/2025 21:44, druck wrote:
It does work with smartctl, not with lm-sensors
On Sun, 25 May 2025 08:52:46 +0100, The Natural Philosopher wrote:
Sadly USB attached SSDS do not show up...
Try smartctl(8) for them.
On Sun, 25 May 2025 09:42:32 -0000 (UTC), Lawrence D'Oliveiro <ldo@nz.invalid> wrote in <100uom7$1aabi$1@dont-email.me>:
On Sun, 25 May 2025 08:52:46 +0100, The Natural Philosopher wrote:
Sadly USB attached SSDS do not show up...
Try smartctl(8) for them.
Good call, but may need to specify a bridge for an external SSD,
e.g.:
On 28/05/2025 08:58, The Natural Philosopher wrote:
On 27/05/2025 21:44, druck wrote:
It does work with smartctl, not with lm-sensors
Sorry, picked up on the wrong part of the post.
lm-sensors won't work with external USB drives as it only knows about
things connected to the internal busses of a machine such as acpi and
i2c, and the Pi only had the latter.
If you really want to measure the disc's temperature using lm-sensors,
you could attach a i2c temperature sensor to it and add a device tree
entry so it is detected. See:- https://www.bergzand.net/the-raspberry-pi-a-temperature-sensor-and-the-device-tree.html
But unless you are using the external drive somewhere with an incredibly
high ambient temperature, it's very unlikely to overheat. The only hard
drive I had problems with was inside a DVR in a rack of other equipment
in an enclosed space. I had to tweak the fan configuration to keep it
under its alert temperature of 55C.
---druck
druck <news@druck.org.uk> writes:
On 28/05/2025 08:58, The Natural Philosopher wrote:
On 27/05/2025 21:44, druck wrote:
It does work with smartctl, not with lm-sensors
Sorry, picked up on the wrong part of the post.
lm-sensors won't work with external USB drives as it only knows about
things connected to the internal busses of a machine such as acpi and
i2c, and the Pi only had the latter.
No. See for example here: https://www.kernel.org/doc/html/latest/hwmon/drivetemp.html, the
drivetemp driver uses ATA commands to read temperatures from drives or alternatively, using SMART attributes. lm-sensors either uses the
drivetemp kernel driver or just reads from /sys/class/hwmon.
Which is why I said before, I find it odd if smartctl works and
drivetemp does not, although AFAIK no one has actually tried that in
this thread.
Unfortunately I don't have any recent USB HDs around. I do have an
USB-SSD case but don't have a spare SSD to put into it right now.
The drives in question will be in an enclosure with the fanless Pi 4,
and so far have peaked at over 60°C when they are rated only up to
70°C ambient.
In comp.os.linux.misc The Natural Philosopher <tnp@invalid.invalid> wrote:
The drives in question will be in an enclosure with the fanless Pi 4,
and so far have peaked at over 60°C when they are rated only up to
70°C ambient.
Take note of the fact that drives (I'm assuming by 'drives' you mean 'spinning rust') often have much longer lifetimes if they are kept
cool.
You may want to find a way to rig a fan to provide some airflow over
those drives (it is amazing how much difference even a small airflow
will make).
For noise abatement on the fan, one of the easiest ways to reduce fan
noise is to run a 12v fan on 7v. Most of them will start and run (at a
much lower RPM) on 7v. And you get 7v by connecting the fan positive
to the PSU 12v rail and the fan negative to the 5v rail (if you have 'spinning rust' drives then you have 12v and 5v supply rails for the
drives).
How does one 'use' drivetemp?
The Natural Philosopher <tnp@invalid.invalid> writes:
How does one 'use' drivetemp?
Load it with modprobe and data appears in /sys/class/hwmon somewhere. It doesn't seem to autoload always, I don't know what the trigger is. For example, on my router it's loaded, on my little pizza box it's not.
For example, on the pizza box, /sys/class/hwmon/hwmon2/temp1_input
appears after loading drivetemp and it contains 36000 which means 36
degrees C.
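Reading the same figures without root, as an added example that is not part of the original posts: it uses the hwmon temperature files described above (millidegrees in temp1_input) and the /sys/class/net/eth0/statistics counters mentioned earlier in the thread, and fails cleanly when a sensor such as drivetemp is absent. The function names and the optional root-directory parameters are hypothetical; the chip names cpu_thermal and drivetemp are taken from the sensors output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): collect temperatures and interface
# counters from sysfs as an unprivileged user, e.g. from a CGI script.
# The optional ROOT arguments exist so the functions can be pointed at a
# test tree; they default to the real sysfs locations.

# millideg_to_c N -> degrees C with one decimal (36000 -> 36.0).
# Rejects anything that is not a non-negative integer.
millideg_to_c() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    echo "$(( $1 / 1000 )).$(( $1 % 1000 / 100 ))"
}

# hwmon_temps NAME [ROOT]
# Prints temp1_input, converted, for every hwmon device whose "name" file
# equals NAME. Returns non-zero when no such device yields a reading, which
# is what happens if drivetemp is not loaded or the drive is not exposed.
hwmon_temps() {
    ht_root=${2:-/sys/class/hwmon}
    ht_found=1
    for ht_dir in "$ht_root"/hwmon*; do
        [ -r "$ht_dir/name" ] && [ -r "$ht_dir/temp1_input" ] || continue
        IFS= read -r ht_name <"$ht_dir/name" || continue
        [ "$ht_name" = "$1" ] || continue
        IFS= read -r ht_raw <"$ht_dir/temp1_input" || continue
        millideg_to_c "$ht_raw" && ht_found=0
    done
    return "$ht_found"
}

# net_bytes IFACE rx|tx [ROOT] -> cumulative byte counter for IFACE.
net_bytes() {
    case $2 in rx|tx) ;; *) return 1 ;; esac
    case $1 in ''|*/*|.*) return 1 ;; esac   # an interface name, not a path
    nb_file=${3:-/sys/class/net}/$1/statistics/${2}_bytes
    [ -r "$nb_file" ] || return 1
    IFS= read -r nb_val <"$nb_file" || return 1
    case $nb_val in ''|*[!0-9]*) return 1 ;; esac
    echo "$nb_val"
}

# hw_report [HWMON_ROOT] [NET_ROOT] -> "key value" lines for a web page to
# parse. A chip with no reading produces no line; a missing counter is n/a.
hw_report() {
    hr_hw=${1:-/sys/class/hwmon}
    hr_net=${2:-/sys/class/net}
    for hr_chip in cpu_thermal drivetemp; do
        hwmon_temps "$hr_chip" "$hr_hw" | sed "s/^/$hr_chip /"
    done
    for hr_way in rx tx; do
        echo "eth0_$hr_way $(net_bytes eth0 "$hr_way" "$hr_net" || echo n/a)"
    done
}
```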
The Natural Philosopher <tnp@invalid.invalid> writes:
I have a shell script that monitors hardware stuff - it needs to run
as root and be called by Apache as user www.
doas /path/to/shell.sh
or sudo.
Things are going to be a bit more complicated if you're in chroot.
A small C utility that wraps exec and provides suid should be ok.
Another way is to call the script from cron and place the output
in some location where apache can get it.
Best regards,
Chris Narkiewicz