Gentoo Forums
PHP page running a bash script.
GurliGebis
Developer
Joined: 08 Aug 2002
Posts: 509
PostPosted: Tue Jan 07, 2003 4:46 pm    Post subject: PHP page running a bash script.

I want a PHP page to run a script every time it is loaded. The script is going to reload iptables, since something has been changed in a file it uses.

I know there might be possible security problems with this, but the script is safe, it just has to be run every time ok.php is run.
_________________
Queen Rocks.
splooge
l33t
Joined: 30 Aug 2002
Posts: 636
PostPosted: Tue Jan 07, 2003 5:41 pm    Post subject:

Does this help?
GurliGebis
Developer
Joined: 08 Aug 2002
Posts: 509
PostPosted: Tue Jan 07, 2003 5:57 pm    Post subject:

Nahh, isn't there a single line in PHP that makes the server run a bash script, as if I had run it from a tty?
jnewland
n00b
Joined: 01 Dec 2002
Posts: 10
Location: University of Georgia (Athens, GA, USA)
PostPosted: Tue Jan 07, 2003 7:00 pm    Post subject:

http://www.php.net/manual/en/ref.exec.php

you can use

Code:
exec("sh /full/path/to/script.sh");


which will not show the output. The following will print the output to the page:

Code:
system("sh /full/path/to/script.sh");


the link above should clarify everything and give you some more info
_________________
--
AHHH!! Run everyone! The canary has mutated!!!
GurliGebis
Developer
Joined: 08 Aug 2002
Posts: 509
PostPosted: Tue Jan 07, 2003 7:02 pm    Post subject:

Thank you very much :)
jukka
Apprentice
Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland
PostPosted: Tue Jan 07, 2003 7:03 pm    Post subject: Re: PHP page running a bash script.

GurliGebis wrote:
I want a PHP page to run a script every time it is loaded. The script is going to reload iptables, since something has been changed in a file it uses.

if you're not using php's safe mode, put the path to your script in backticks (you might also want to follow the references for escapeshellcmd(), exec(), passthru(), popen(), shell_exec(), and system()).

hth, jukka
jukka
Apprentice
Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland
PostPosted: Tue Jan 07, 2003 7:08 pm    Post subject: Re: PHP page running a bash script.

GurliGebis wrote:
the script is going to reload iptables

hmm, does that mean your webserver has root privileges? wow, brave ;-)
GurliGebis
Developer
Joined: 08 Aug 2002
Posts: 509
PostPosted: Tue Jan 07, 2003 7:13 pm    Post subject:

no.

The script has SUID set.

Since the script is going to be run in the php code, how should anyone be able to change the path to the script, and that way make it run another command?????
jukka
Apprentice
Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland
PostPosted: Tue Jan 07, 2003 7:40 pm    Post subject:

GurliGebis wrote:
no. The script has SUID set.

if the suid bit is set for a script file, it gets stripped by the kernel before execution. only compiled executables may have the suid bit set. you'll have to write a wrapper in C or so.

Quote:
Since the script is going to be run in the php code, how should anyone be able to change the path to the script, and that way make it run another command?????

php bugs ;-)
mmealman
Guru
Joined: 02 Nov 2002
Posts: 348
Location: Florida
PostPosted: Tue Jan 07, 2003 8:05 pm    Post subject:

Here's a sample C wrapper:

Code:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    /* The real uid is the user who invoked the wrapper. When the binary is
     * setuid, the effective uid is already the file owner, so geteuid()
     * cannot identify the caller; getuid() can. */
    uid_t uid = getuid();

    if (uid == 33) {
        printf("Mirroring forms.\n");
        /* system() returns the child's wait status; non-zero means failure */
        return system("/usr/local/bin/mirrordir --verbose --password xxxx /var/forms mc://root@host/var/forms") == 0 ? 0 : 1;
    }

    printf("Invalid user error.\n");
    return 1;
}


This is on Debian box where Apache runs as www-data, or user 33. The above will only execute for that user.
jukka
Apprentice
Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland
PostPosted: Tue Jan 07, 2003 8:23 pm    Post subject:

you'll probably rather need something like
Code:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
  extern char **environ;
  const char *PROG = "/path/to/your/script";
  /* argv[0] for the script; no further arguments are passed */
  char *const arglist[2] = { "script_name", NULL };

  /* Make the real uid equal the effective uid (the file owner, root, when
   * the binary is setuid root), so the script keeps root even if it starts
   * a shell that would otherwise drop back to the real uid. */
  if (setuid(geteuid())) {
    perror("setuid()");
    exit(8);
  }

  /* execve() only returns on failure */
  execve(PROG, arglist, environ);

  perror("execve()");
  exit(9);
}

the compiled program should be owned by root:apache, and have mode 4750. so, only apache is allowed to execute this file (except root...), your script is run with an effective user id (euid) of 0.
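As an added example (not code from this thread, nor from any of its posters): a wrapper that combines mmealman's "only the web server user may trigger it" check with jukka's setuid(geteuid()) and execve() pattern, and adds the two checks a setuid wrapper should make before doing anything: it refuses to run unless its own file has the root-owned, mode 4750 layout jukka describes, and it hands the script a cleaned environment instead of whatever the web server process carried. The uid 81 is taken from later in the thread; the script path, the kept variables (TZ, LANG) and the use of /proc/self/exe (Linux) are assumptions.

```c
/* Added example, not code from this thread. Combines mmealman's caller check
 * with jukka's setuid(geteuid()) + execve() wrapper and adds the checks a
 * setuid wrapper should make before it does anything. Assumptions: the web
 * server's uid is 81 (as reported later in the thread), the script path is
 * hypothetical, and /proc/self/exe (Linux) is available. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

extern char **environ;

#define ALLOWED_UID 81                                   /* web server uid (assumption) */
#define SCRIPT      "/usr/local/sbin/reload-iptables.sh" /* hypothetical path */
#define SAFE_PATH   "PATH=/sbin:/bin:/usr/sbin:/usr/bin"

/* Return 1 if the permission bits describe jukka's layout: owned by root,
 * setuid, not writable by the group, no access at all for "others".
 * 04750 passes; 04755, 04770, 0750 and a non-root owner do not. */
int wrapper_mode_ok(mode_t perm, uid_t owner)
{
    if (owner != 0)        return 0;   /* must be root-owned */
    if (!(perm & S_ISUID)) return 0;   /* must actually be setuid */
    if (perm & S_IWGRP)    return 0;   /* group must not be able to replace it */
    if (perm & S_IRWXO)    return 0;   /* no read/write/execute for others */
    return 1;
}

/* Only the web server user may trigger the wrapper. The real uid identifies
 * the caller; under setuid the effective uid is already root. */
int caller_allowed(uid_t real_uid)
{
    return real_uid == ALLOWED_UID;
}

/* Copy only harmless variables from the inherited environment into out[],
 * always starting with a fixed PATH, so nothing the web server process
 * carries (its PATH, LD_*, IFS, ...) reaches a root shell. Returns the
 * number of entries written; out[] is NULL-terminated. */
size_t build_clean_env(char *const *inherited, char **out, size_t cap)
{
    static const char *const keep[] = { "TZ=", "LANG=" };
    size_t n = 0;

    if (cap < 2)
        return 0;
    out[n++] = SAFE_PATH;
    for (size_t i = 0; inherited[i] != NULL && n + 1 < cap; i++) {
        for (size_t k = 0; k < sizeof keep / sizeof keep[0]; k++) {
            if (strncmp(inherited[i], keep[k], strlen(keep[k])) == 0) {
                out[n++] = inherited[i];
                break;
            }
        }
    }
    out[n] = NULL;
    return n;
}

int main(void)
{
    struct stat st;
    char *env[16];
    char *const script_argv[] = { SCRIPT, NULL };

    /* Refuse to run if we were installed with the wrong owner or mode. */
    if (stat("/proc/self/exe", &st) != 0) {
        perror("stat");
        return 2;
    }
    if (!wrapper_mode_ok(st.st_mode & 07777, st.st_uid)) {
        fprintf(stderr, "wrapper: must be owned by root with mode 4750\n");
        return 3;
    }
    if (!caller_allowed(getuid())) {
        fprintf(stderr, "wrapper: uid %u may not run this\n", (unsigned)getuid());
        return 4;
    }
    /* Make real uid == effective uid. bash resets the effective uid to the
     * real one when they differ (unless started with -p), so without this a
     * script started from the wrapper runs as the web server user again. */
    if (setuid(geteuid()) != 0) {
        perror("setuid");
        return 5;
    }
    build_clean_env(environ, env, sizeof env / sizeof env[0]);
    execve(SCRIPT, script_argv, env);   /* only returns on failure */
    perror("execve");
    return 6;
}
```

Install it the way jukka describes: compile (for example `gcc -O2 -Wall -o wrapper wrapper.c`), `chown root:apache wrapper`, `chmod 4750 wrapper`. The self-check at the top of main() means a copy that somebody later chmods to 4755, or that ends up on a filesystem mounted nosuid (where the kernel ignores the setuid bit and the wrapper's effective uid stays the caller's), refuses rather than silently running the script with the wrong privileges.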
GurliGebis
Developer
Joined: 08 Aug 2002
Posts: 509
PostPosted: Tue Jan 07, 2003 9:22 pm    Post subject:

Now I just have to make the page.

I need one more thing:

A bash script that exports all values in a row in a mysql table to a file.

so, all values in the row "macs" in the "blp" table have to be exported to /etc/mac.allow .

Will somebody make that script for me? :)
jukka
Apprentice
Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland
PostPosted: Tue Jan 07, 2003 9:39 pm    Post subject:

GurliGebis wrote:
Will somebody make that script for me? :)

maybe you, for a change? ;-)
GurliGebis
Developer
Joined: 08 Aug 2002
Posts: 509
PostPosted: Wed Jan 08, 2003 4:22 pm    Post subject:

Now I've got all this working; there is just one little problem.

The script it executes is not able to run this command:

/etc/init.d/iptables restart

but if I run the script from the tty, it runs without any problems.
I think there might be some permission problems.

How shall the permissions for the binary file, the script and /etc/init.d/iptables be set???
jukka
Apprentice
Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland
PostPosted: Wed Jan 08, 2003 7:02 pm    Post subject:

GurliGebis wrote:
The script it executes is not able to run this command [...] but if I run the script from the tty, it runs without any problems.

how do you run the script when it fails? from cron? if yes, run it as root, i.e. in root's crontab.
GurliGebis
Developer
Joined: 08 Aug 2002
Posts: 509
PostPosted: Wed Jan 08, 2003 7:08 pm    Post subject:

ok, here is how I do it:

the PHP script runs the compiled program (source in this thread)
the script it runs, executes these commands:

echo "testing" > /home/test
/etc/init.d/iptables restart

The first command runs correctly (/home/test gets created), but iptables restart doesn't work (I have changed it a little, so it touches /home/test2).

What might be wrong?
jukka
Apprentice
Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland
PostPosted: Wed Jan 08, 2003 7:18 pm    Post subject:

GurliGebis wrote:
the PHP script runs the compiled program (source in this thread)

which one?

Quote:
the script it runs, executes these commands:

echo "testing" > /home/test
/etc/init.d/iptables restart

The first command is run correct (/home/test gets created), but iptables restart doesn't work

no error message? add the following line to your script, just before the iptables command, and post the result:
Code:
echo "script runs as $EUID"


Quote:
What might be wrong?

hmm, maybe the script ;-)
GurliGebis
Developer
Joined: 08 Aug 2002
Posts: 509
PostPosted: Thu Jan 09, 2003 8:57 am    Post subject:

Going to try that when I get home.
mmealman
Guru
Joined: 02 Nov 2002
Posts: 348
Location: Florida
PostPosted: Thu Jan 09, 2003 4:10 pm    Post subject:

Which of the below are you doing:

1> PHP runs a C program which executes iptables.
2> PHP runs a C program which calls a bash script that runs iptables.

If it's 2, try doing 1.
GurliGebis
Developer
Joined: 08 Aug 2002
Posts: 509
PostPosted: Thu Jan 09, 2003 4:56 pm    Post subject:

hehe, then I have to change something in the iptables script, since it reads something from a mysql database.

But I'm going to try that in an hour or so.

8O <-- hmm
GurliGebis
Developer
Joined: 08 Aug 2002
Posts: 509
PostPosted: Thu Jan 09, 2003 9:52 pm    Post subject:

Script is running as 81 (apache)
Can I do it with sudo?
mr-simon
Guru
Joined: 22 Nov 2002
Posts: 349
Location: Leamington Spa, Warks, UK
PostPosted: Thu Jan 09, 2003 10:25 pm    Post subject:

if you really must run a script as root, try using runsuid - this lets you configure which users are allowed to run which script as which other user, and handles the wrapper for you.

Really, really do check the script eleventeen times, as well as your web site, to make sure you know you're not going to leave a bigger security hole than you need to though.
_________________
"Pokey, are you drunk on love?"
"Yes. Also whiskey. But mostly love... and whiskey."
jukka
Apprentice
Joined: 06 Jun 2002
Posts: 249
Location: Zurich, Switzerland
PostPosted: Thu Jan 09, 2003 10:30 pm    Post subject:

GurliGebis wrote:
Script is running as 81 (apache)

i thought you were using a wrapper... but you don't.

Quote:
Can I do it with sudo?

maybe this thread helps...

seriously: with sudo, you would have to allow apache to execute commands as root without a password. i think that's not a very good idea...
use the tiny c wrapper i posted two days ago (in this thread). put the binary in your web server's cgi directory, change the file owner to root and the group to your web server's primary gid. then set the file mode to 4750.
if the cgi (the wrapper) is executed, it runs with an effective user id of 0 --> it runs your script as root --> your script is allowed to change iptables rules (because it's root). that's it. lucky? ;-)
GurliGebis
Developer
Joined: 08 Aug 2002
Posts: 509
PostPosted: Thu Jan 09, 2003 10:31 pm    Post subject:

I got it working using SUID, but I would like to know, which things apache should have the rights to, to run:

/etc/init.d/iptables restart.
GurliGebis
Developer
Joined: 08 Aug 2002
Posts: 509
PostPosted: Thu Jan 09, 2003 10:32 pm    Post subject:

Problem there: I used the wrapper to call the script, and the script returns EUID 81.
Page 1 of 2