Gentoo Forums
PHP page running a bash script.
Gentoo Forums Forum Index Networking & Security
Goto page Previous  1, 2
jukka
Apprentice
Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland
PostPosted: Thu Jan 09, 2003 10:34 pm

mr-simon wrote:
if you really must run a script as root, try using runsuid

runsuid basically uses the same technique as the wrapper above. i'd use the wrapper, because it's more straightforward, and i don't have to search for bugs for more than ten seconds.
jukka
Apprentice
Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland
PostPosted: Thu Jan 09, 2003 10:37 pm

GurliGebis wrote:
Problem there, i used the wrapper to call the script, and the script returns EUID 81.

please post output of 'ls -l /your/cgi/script' (the wrapper)
jukka
Apprentice
Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland
PostPosted: Thu Jan 09, 2003 10:39 pm

GurliGebis wrote:
I got it working using SUID, but I would like to know which things apache should have the rights to, to run:

/etc/init.d/iptables restart.

must be root (uid 0) to use iptables.


Last edited by jukka on Thu Jan 09, 2003 10:39 pm; edited 1 time in total
mr-simon
Guru
Joined: 22 Nov 2002
Posts: 367
Location: Leamington Spa, Warks, UK
PostPosted: Thu Jan 09, 2003 10:39 pm

jukka wrote:
mr-simon wrote:
if you really must run a script as root, try using runsuid

runsuid basically uses the same technique as the wrapper above. i'd use the wrapper, because it's more straightforward, and i don't have to search for bugs for more than ten seconds.

Aye... Either will work. But with runsuid you specify which user can run the script, on a per-script basis... So for example, only apache can run the script rather than any user with shell access. Admittedly with apache, that's fairly academic... But it's still a slight advantage.
_________________
"Pokey, are you drunk on love?"
"Yes. Also whiskey. But mostly love... and whiskey."
GurliGebis
Retired Dev
Joined: 08 Aug 2002
Posts: 509
PostPosted: Thu Jan 09, 2003 10:41 pm

-rwsrwxrwx 1 apache apache 5943 Jan 8 04:34 /home/httpd/htdocs/updatefirewall.bin

That should allow apache to do anything with it.
_________________
Queen Rocks.
jukka
Apprentice
Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland
PostPosted: Thu Jan 09, 2003 10:44 pm

mr-simon wrote:
Aye... Either will work. But with runsuid you specify which user can run the script, on a per-script basis... So for example, only apache can run the script rather than any user with shell access. Admittedly with apache, that's fairly academic... But it's still a slight advantage.

if the file has mode 4750, you can choose which users may run it by adding/removing allowed users to/from the group of the file. e.g.:
Code:
$ ls -l /cgi-dir/script
-rwsr-x---    1 root    apache         135 Jan  9 03:45 script
jukka
Apprentice
Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland
PostPosted: Thu Jan 09, 2003 10:45 pm

GurliGebis wrote:
-rwsrwxrwx 1 apache apache 5943 Jan 8 04:34 /home/httpd/htdocs/updatefirewall.bin

That should allow apache to do anything with it.

the file has to be owned by root...
Code:
$ chmod 4750 file
$ chown root:apache file


Last edited by jukka on Thu Jan 09, 2003 10:47 pm; edited 1 time in total
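As an added example (not code from this thread or from any of its posters), here is a small POSIX sh checker that applies the rules jukka states in the last few posts to a line of `ls -l` output, using the two listings posted above (GurliGebis's apache-owned 4777 file and jukka's root:apache 4750 file) as constructed input. The setuid bit makes a program run as the file's owner, so an apache-owned binary still runs as apache no matter how many bits are set; only root ownership (uid 0) gets iptables working. A setuid-root binary that its group or the world can write is something to reject outright, and 4755 instead of 4750 would let every local user run it rather than only the apache group. One caveat the thread takes for granted: the kernel ignores setuid on interpreted scripts, so the wrapper itself must be a compiled binary that in turn runs the script.

```shell
#!/bin/sh
# Added example, not from the thread: audit one line of `ls -l` output for a
# setuid wrapper that apache is meant to execute as root (the pattern the
# thread settles on: chown root:apache, chmod 4750).
# Prints one finding per line; returns 0 only when the file is root-owned,
# setuid, and not writable by its group or by others.
check_setuid_line() {
    set -- $1                 # split the ls -l line into its fields
    mode=$1 owner=$3 group=$4 name=$9
    rc=0

    # Field 1 is the type char plus rwx for user, group, other;
    # an "s" (or "S") in position 4 is the setuid bit.
    case "$mode" in
        -??[sS]*) ;;
        *) echo "FAIL $name: setuid bit not set (mode $mode)"; rc=1 ;;
    esac

    # setuid runs the program as the file's OWNER, so anything but root
    # (uid 0) is useless for iptables, however many bits are set.
    if [ "$owner" != "root" ]; then
        echo "FAIL $name: owned by $owner, so setuid yields $owner's uid, not uid 0"
        rc=1
    fi

    # Whoever can write a setuid-root binary can run anything as root.
    case "$mode" in
        ?????w*) echo "FAIL $name: group-writable by $group"; rc=1 ;;
    esac
    case "$mode" in
        ????????w*) echo "FAIL $name: world-writable"; rc=1 ;;
    esac

    # 4750 limits execution to the owning group; 4755 lets any local user run it.
    case "$mode" in
        ?????????[xt]) echo "WARN $name: executable by everyone, not only group $group" ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK   $name: root-owned setuid, executable by group $group only"
    return "$rc"
}

# Constructed input: the two ls -l lines posted in the thread.
BAD='-rwsrwxrwx 1 apache apache 5943 Jan 8 04:34 /home/httpd/htdocs/updatefirewall.bin'
GOOD='-rwsr-x---    1 root    apache         135 Jan  9 03:45 script'

for line in "$BAD" "$GOOD"; do
    check_setuid_line "$line" || echo "     -> reject this wrapper"
done
```

To use it on a live system, feed it the actual listing: `check_setuid_line "$(ls -l /path/to/wrapper)"`. The checks look only at what `ls -l` shows; they say nothing about what the wrapper does once it has uid 0, which is the part that deserves the most scrutiny.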
GurliGebis
Retired Dev
Joined: 08 Aug 2002
Posts: 509
PostPosted: Thu Jan 09, 2003 10:46 pm

Well, since I have given the file 4777 rights (for now, going to change that when I get it working), the rights shouldn't be the problem.

But for now, I'm using iptables to block port 80 on the external NIC, and I'm the only one using it on the internal NIC, so there is no security problem with that for now.
_________________
Queen Rocks.
GurliGebis
Retired Dev
Joined: 08 Aug 2002
Posts: 509
PostPosted: Thu Jan 09, 2003 10:51 pm

hehe, now it works without the sudo.
Thanks, it seemed to help changing to root:apache and 4750.
_________________
Queen Rocks.
jukka
Apprentice
Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland
PostPosted: Thu Jan 09, 2003 10:52 pm

GurliGebis wrote:
Well, since I have given the file 4777 rights (for now, going to change that when I get it working), the rights shouldn't be the problem.

you don't understand what i'm talking about. even if all permission bits are set, apache is not allowed to use iptables, EXCEPT if the file owner has uid 0.

Quote:
But for now, I'm using iptables to block port 80 on the external NIC, and I'm the only one using it on the internal NIC, so there is no security problem with that for now.

why don't you just run apache only on the internal interface? there is a listen directive: Listen [IP-address:]port
jukka
Apprentice
Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland
PostPosted: Thu Jan 09, 2003 10:56 pm

GurliGebis wrote:
hehe, now it works without the sudo.
Thanks, it seemed to help changing to root:apache and 4750.

strange... i only told you about five times... ;-)
GurliGebis
Retired Dev
Joined: 08 Aug 2002
Posts: 509
PostPosted: Fri Jan 10, 2003 1:19 am

hehe, I know :)

btw. while we are talking PHP, is there a way to get the MAC address of the client that connects to the page's NIC?

I'm trying to make my webpage user-friendly, and right now people have to write their MAC address on the webpage to be allowed to access the internet.

It would be easier if the PHP page was able to grab the MAC, so the user didn't have to write the MAC themselves.

Can I do that?
_________________
Queen Rocks.
All times are GMT
Page 2 of 2