sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted

So the problem is that the error comes up in apache.err.

I CAN execute as the user in the shell.

root@ubuntu:~# su www-data
www-data@ubuntu:/root$ sudo /usr/local/bin/metronomectl restart
Stopped
Started
www-data@ubuntu:/root$

But when I try the same command through PHP:

exec('sudo /usr/local/bin/metronomectl restart');

I get the error:

sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted

User www-data IS in sudoers.

I'm at the end of my wits here... Any help is appreciated.

PS. Please ask if you need any extra info.

edit:

root@ubuntu:~# uname -a
Linux ubuntu 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu:~#

sudoers line:

www-data ALL= NOPASSWD: /usr/local/bin/metronomectl

Fixed by disabling mpm_itk module in apache.

Since mpm-itk has to be able to setuid(), it runs as root (although restricted with POSIX capabilities and seccomp v2 where possible).

It looks like seccomp v2 support (when on Linux 3.5.0 or newer) completely breaks the execution of things like sudo or crontab, since they use the setuid syscall internally.

A workaround is to not use mpm_itk, or avoid executing such binaries.

Refs: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738131

Instead of disabling mpm-itk outright, you could simply disable its limits on sudo:

<IfModule mpm_itk_module>
    # Permit using "sudo"
    LimitUIDRange 0 65534
    LimitGIDRange 0 65534
</IfModule>
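
The answers above attribute the failure to restrictions that mpm-itk applies (seccomp v2, POSIX capabilities) and that the PHP-spawned process inherits. The following diagnostic is an added example, not part of the original posts: it reads the Seccomp and CapBnd fields of a /proc/<pid>/status file to show whether a process carries such restrictions. The function names and sample inputs are constructed for illustration, and it assumes a kernel that exposes the Seccomp field (Linux 3.8 or newer).

```shell
#!/bin/sh
# Added diagnostic (not from the original posts). Function names are hypothetical.
# Reads Seccomp and CapBnd from a /proc/<pid>/status-style file.

# status_field FILE NAME: print the value of the "NAME:" line.
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# seccomp_state FILE: map the Seccomp field to a name (0/1/2 per proc(5)).
seccomp_state() {
    case "$(status_field "$1" Seccomp)" in
        0) echo disabled ;;
        1) echo strict ;;
        2) echo filter ;;
        *) echo unknown ;;   # field absent on kernels before 3.8
    esac
}

# has_cap FILE BIT: succeed if capability number BIT is in the bounding set.
has_cap() {
    mask=$(status_field "$1" CapBnd)
    [ -n "$mask" ] && [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# check_status FILE: print "ok" or the restrictions that can stop a
# setuid-root helper such as sudo from calling setresuid(0, ...).
check_status() {
    reasons=""
    [ "$(seccomp_state "$1")" = filter ] && reasons="$reasons seccomp-filter"
    has_cap "$1" 7 || reasons="$reasons no-CAP_SETUID"   # CAP_SETUID = 7
    has_cap "$1" 6 || reasons="$reasons no-CAP_SETGID"   # CAP_SETGID = 6
    if [ -z "$reasons" ]; then echo "ok"; else echo "restricted:$reasons"; fi
}

# Constructed sample inputs (not captured from a real server).
SAMPLES=$(mktemp -d)
printf 'Name:\tsh\nCapBnd:\t0000001fffffffff\nSeccomp:\t0\n' > "$SAMPLES/shell"
printf 'Name:\tsh\nCapBnd:\t0000001fffffffff\nSeccomp:\t2\n' > "$SAMPLES/filtered"
printf 'Name:\tsh\nCapBnd:\t0000000000000000\nSeccomp:\t0\n' > "$SAMPLES/nocaps"

for f in shell filtered nocaps; do
    printf '%s: %s\n' "$f" "$(check_status "$SAMPLES/$f")"
done
# On a live system: check_status /proc/self/status
```

Comparing the result from an interactive www-data shell with the result from a command spawned by PHP shows the difference between the two environments. A Seccomp value of 2 only says a filter is installed, not which UIDs it permits, so it stays at 2 even after LimitUIDRange is widened.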