I need to know if allowing www-data to execute sudo commands without a password is safe.
I am using it to execute terminal commands from a PHP script, but is this suitable for our live production servers?
Here is the sudoers file.
www-data ALL=(ALL) NOPASSWD:ALL
Here is an example of a command I'm trying to run on an external remote server. I'm using ssh2_exec to run it.
sudo service apache2 status;sudo service mysql status;sudo service mongod status
If not, is there a better way around being able to do this?
This essentially makes your web server a prime vector for attacks on a site. If someone can find a way to upload any sort of code, or there's ever a point in the future where you shell_exec with a user variable string, people can execute privileged arbitrary code on your site.
This is not suitable for publicly accessible servers.
A better way to do this would be to write a program on your system which runs in crontab and prints these values to a flat file, then open that file in PHP.
e.g.:
#!/bin/bash
# Runs as root from cron, so no sudo is needed here.
service apache2 status
service mysql status
service mongod status
Add this to the root user's crontab with sudo crontab -e:
* * * * * /path/to/script > /home/my-user/file
You might also need to make the file world-readable (after it's created); it's just a status, so probably safe:
sudo chmod 644 /home/my-user/file
Then, in PHP:
<?php
// Runs as www-data with no sudo: just read the file root's cron job wrote.
$status = file_get_contents('/home/my-user/file');
// Escape before echoing into HTML so the file content cannot inject markup.
echo htmlspecialchars((string) $status);
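As an added example (not the answer's own code), the same cron-based approach with safer file handling: the status file is written atomically and made world-readable but not world-writable, so www-data can read it and nobody else can tamper with what the page displays. The directory path, the script name in the cron line and the "run" argument are my assumptions.

```shell
#!/bin/sh
# Added example (not the answer's own code): root cron job that records service
# status into a file www-data can read but not write. Paths are assumptions.
set -u

STATUS_DIR="/var/local/service-status"        # hypothetical, root-owned
STATUS_FILE="$STATUS_DIR/status.txt"
SERVICES="apache2 mysql mongod"

# One line per service: "name: running" or "name: stopped", based on the
# exit code of `service <name> status` (0 = running, LSB convention).
service_line() {
  if service "$1" status >/dev/null 2>&1; then
    printf '%s: running\n' "$1"
  else
    printf '%s: stopped\n' "$1"
  fi
}

# Report for a space-separated list of services.
build_report() {
  for svc in $1; do
    service_line "$svc"
  done
}

# Write the report atomically with mode 0644: write a temp file in the same
# directory, fix its mode, then rename over the target. Readers never see a
# half-written file, and no other user can modify what PHP will display.
write_report() {
  dir="$1"; file="$2"; services="$3"
  mkdir -p "$dir" && chmod 0755 "$dir" || return 1
  tmp=$(mktemp "$dir/.status.XXXXXX") || return 1
  build_report "$services" > "$tmp" &&
    chmod 0644 "$tmp" &&
    mv -f "$tmp" "$file"
}

# Cron entry (root crontab):  * * * * * /usr/local/sbin/service-status.sh run
if [ "${1:-}" = "run" ]; then
  write_report "$STATUS_DIR" "$STATUS_FILE" "$SERVICES"
fi
```

The PHP side then only needs file_get_contents on the status file, exactly as in the answer, with no sudo rule for www-data at all.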