I have a typical LAMP server setup (Ubuntu 16) with www-data:www-data setup for Apache.

I have a script that cannot be run as root but needs to run as www-data. The script recommends running sudo -u www-root -i -- <command> but when I do this I get the error:

This account is currently not available.

How can I safely allow the www-data user to run the command, or how would I allow the current user to execute the command, if that's a better direction?

Note: the script in question is WP-CLI which forces an --allow-root flag, but advises against it because of security reasons.

1 Answer

When you use the -i option of sudo, that means that sudo will attempt to use the assigned login shell and environment for that user. This is going to be a problem for the www-data account since that account typically is going to have a disabled shell.

root@srv:# getent passwd www-data
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

What you need to figure out is if you really need the environment/shell of that user. You don't need the -i option, and could just run the command without it. This will run the command with the same type of shell as the user executing the command.

So use this instead.

sudo -u www-data <command>

If for some reason you really need to have -i, then you would need to actually give that account a shell (/bin/sh, /bin/bash, or your favorite).
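
The check the answer does by hand with getent, as an added shell example (not part of the original answer): it reads the target account's login shell and prints a sudo prefix that will work for it. The function names and the sample passwd entries other than www-data are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick a working sudo invocation from the account's login shell.

# Constructed sample entries in passwd(5) format; the www-data line matches
# the getent output shown in the answer, the other two are made up.
SAMPLE_PASSWD='www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1001:1001:Deploy:/home/deploy:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/false'

# Print the login shell (7th field) of user $1 found in passwd text $2.
# Exits non-zero when the user has no entry.
login_shell() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u { print $7; found = 1 }
        END { exit !found }'
}

# Return 0 when the shell is one that refuses logins.
shell_is_disabled() {
    case "$1" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the sudo prefix to use for user $1.
# $2 is optional passwd text; without it the live database is queried.
sudo_prefix() {
    user=$1
    passwd_text=${2:-$(getent passwd "$user")}
    shell=$(login_shell "$user" "$passwd_text") || {
        echo "unknown user: $user" >&2
        return 1
    }
    if shell_is_disabled "$shell"; then
        # -i would start the disabled login shell and fail with
        # "This account is currently not available."
        printf 'sudo -u %s --\n' "$user"
    else
        printf 'sudo -u %s -i --\n' "$user"
    fi
}

# Demo on the constructed entries.
for u in www-data deploy backup; do
    sudo_prefix "$u" "$SAMPLE_PASSWD"
done
```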
