jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Thu Jan 09, 2003 10:34 pm Post subject:
mr-simon wrote: | if you really must run a script as root, try using runsuid |
runsuid basically uses the same technique as the wrapper above. i'd use the wrapper, because it's more straightforward, and i don't have to search for bugs for more than ten seconds.
jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Thu Jan 09, 2003 10:37 pm Post subject:
GurliGebis wrote: | Problem there, i used the wrapper to call the script, and the script returns EUID 81. |
please post output of 'ls -l /your/cgi/script' (the wrapper)
jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Thu Jan 09, 2003 10:39 pm Post subject:
GurliGebis wrote: | I got it working using SUID, but I would like to know, which things apache should have the rights to, to run:
/etc/init.d/iptables restart. |
must be root (uid 0) to use iptables.
Last edited by jukka on Thu Jan 09, 2003 10:39 pm; edited 1 time in total
mr-simon Guru
Joined: 22 Nov 2002 Posts: 367 Location: Leamington Spa, Warks, UK
Posted: Thu Jan 09, 2003 10:39 pm Post subject:
jukka wrote: | mr-simon wrote: | if you really must run a script as root, try using runsuid |
runsuid basically uses the same technique as the wrapper above. i'd use the wrapper, because it's more straightforward, and i don't have to search for bugs for more than ten seconds. |
Aye... Either will work. But with runsuid you specify which user can run the script, on a per-script basis... So for example, only apache can run the script rather than any user with shell access. Admittedly with apache, that's fairly academic... But it's still a slight advantage.
_________________
"Pokey, are you drunk on love?"
"Yes. Also whiskey. But mostly love... and whiskey."
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Thu Jan 09, 2003 10:41 pm Post subject:
-rwsrwxrwx 1 apache apache 5943 Jan 8 04:34 /home/httpd/htdocs/updatefirewall.bin
That should allow apache to do anything with it.
_________________
Queen Rocks.
jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Thu Jan 09, 2003 10:44 pm Post subject:
mr-simon wrote: | Aye... Either will work. But with runsuid you specify which user can run the script, on a per-script basis... So for example, only apache can run the script rather than any user with shell access. Admittedly with apache, that's fairly academic... But it's still a slight advantage. |
if the file has mode 4750, you can choose which users may run it by adding/removing allowed users to/from the group of the file. e.g.:
Code: | $ ls -l /cgi-dir/script
-rwsr-x--- 1 root apache 135 Jan 9 03:45 script |
jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Thu Jan 09, 2003 10:45 pm Post subject:
GurliGebis wrote: | -rwsrwxrwx 1 apache apache 5943 Jan 8 04:34 /home/httpd/htdocs/updatefirewall.bin
That should allow apache to do anything with it. |
the file has to be owned by root...
Code: | $ chmod 4750 file
$ chown root:apache file |
Last edited by jukka on Thu Jan 09, 2003 10:47 pm; edited 1 time in total
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Thu Jan 09, 2003 10:46 pm Post subject:
Well, since I have given the file 4777 rights (for now, going to change that when I get it working), the rights shouldn't be the problem.
But for now, I'm using iptables to block port 80 on the external NIC, and I'm the only one using it on the internal NIC, so there is no security problem with that for now.
_________________
Queen Rocks.
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Thu Jan 09, 2003 10:51 pm Post subject:
hehe, now it works without the sudo.
Thanks, it seemed to help changing to root:apache and 4750.
_________________
Queen Rocks.
jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Thu Jan 09, 2003 10:52 pm Post subject:
GurliGebis wrote: | Well, since I have giving the file 4777 rights (for now, going to change that when I get i working), the rights shouldn't be the problem. |
you don't understand what i'm talking about. even if all permission bits are set, apache is not allowed to use iptables, EXCEPT if the file owner has uid 0.
Quote: | But for now, I'm using iptables to block port 80 on the external NIC, and I'm the only one using it on the internal NIC, so there is no security problem with that for now. |
why don't you just run apache only on the internal interface? there is a listen directive: Listen [IP-address:]port
jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Thu Jan 09, 2003 10:56 pm Post subject:
GurliGebis wrote: | hehe, now it works without the sudo.
Thanks, it seemed to help changing to root:apache and 4750. |
strange... i only told you about five times...
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Fri Jan 10, 2003 1:19 am Post subject:
hehe, I know
btw. while we are talking PHP, is there a way to get the MAC address of the client that connects to the page's NIC?
I'm trying to make my webpage as user-friendly as possible, and right now, people have to write their MAC address on the webpage to be allowed to access the internet.
It would be easier if the PHP page was able to grab the MAC, so the user didn't have to write the MAC by themselves.
Can I do that?
_________________
Queen Rocks.