[ale] Re: Please Help

Geoffrey esoteric at 3times25.net
Fri Mar 29 08:46:23 EST 2002


Probably no help whatsoever, but I'm kind of a stickler: anything that is
suid is a security concern.  The fact that it requires root permissions
defines it as a security concern.

dbron wrote:
> Being that the execution of the script isn't a security concern,
> couldn't the web user be given sudo permission to run the C script as
> root (without a password), and call the system command as
> system("sudo <command here>")?
> David Bronson
> Geoffrey writes:
> 
>> This issue just rang a bell in my pea brain.  I believe you're on the 
>> right track, and if you replace your system() call with a 
>> fork()/exec() it will work as you expect.
>> Tyler Kiley wrote:
>>
>>> Actually, I'm pretty sure php chmod() doesn't (didn't?) set suid or 
>>> sticky bits.  But that's kinda getting sidetracked.....
>>> I'd guess Ken's problem is in the c program:
>>> #include <stdlib.h>
>>>
>>> int main(void)
>>> {
>>>     /* system() hands the command to /bin/sh, which drops the setuid privilege */
>>>     system("/usr/local/sbin/changewriter.pl");
>>>     return 0;
>>> }
>>> according to the 'system' manpage in rh 7.2, bash drops suid
>>> privileges when it is run.  Now... I'm still fairly new to linux, so
>>> correct me if I'm wrong, but wouldn't that mean that the setuid bit
>>> on the c program is essentially useless?
>>> Tyler
>>> Jim Philips:
>>>
>>>> Well, there is a function called chmod() that will do anything a UNIX
>>>> chmod will do. See shell_exec() and system() functions for executing
>>>> other shell functions within PHP.
>>>> On Thu, 2002-03-28 at 15:36, Tyler Kiley wrote:
>>>>
>>>>> if php is compiled as an apache module, you're outta luck afaik.....
>>>>> there's nothing to chmod +s, and suexec doesn't work on mod_php (? never
>>>>> tried myself, but that's what I've heard).
>>>>> if you've compiled it as a standalone executable, you can always chmod +s
>>>>> /usr/local/bin/php, but then all your scripts run as that uid, which is
>>>>> typically not good. (anyone know if apache will even accept an
>>>>> interpreter that has the +s bit?)
>>>>> Suexec with standalone php is probably the best option.  That will allow
>>>>> you to designate a certain directory or virtualhost as setuid, while
>>>>> leaving all other php scripts alone.
>>>>> http://httpd.apache.org/docs/suexec.html
>>>>> http://www.php.net/manual/en/security.cgi-bin.php
>>>>> Tyler
>>>>> Ken Nagorski:
>>>>>
>>>>>> Please tell me someone knows how to do this. Here is the problem.
>>>>>> I need to run a script SUID from a website. It is a PHP script that calls a
>>>>>> wrapper program written in C which is set 4755. The script it calls
>>>>>> just runs a system command, actually a courier command, the makealiases
>>>>>> command. But I can't get this to work for the life of me. I know that
>>>>>> someone has had to have written a script that simplifies system management
>>>>>> and then needed to run a system command when it is finished, but HOW?
>>>>>> Uhg - Thanks
>>>>>> Ken
>>>>>>  
>>>>>>
>>>>>>
>>>>>> ---
>>>>>> This message has been sent through the ALE general discussion list.
>>>>>> See http://www.ale.org/mailing-lists.shtml for more info. Problems
>>>>>> should be sent to listmaster at ale dot org.
>>  
>>
>> -- 
>> Until later: Geoffrey        esoteric at 3times25.net
>> I didn't have to buy my radio from a specific company to listen
>> to FM, why doesn't that apply to the Internet (anymore...)?


-- 
Until later: Geoffrey		esoteric at 3times25.net

I didn't have to buy my radio from a specific company to listen
to FM, why doesn't that apply to the Internet (anymore...)?


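Geoffrey's fork()/exec() suggestion worked through as an added example (this is not code from anyone in the thread): the wrapper forks, makes the child's real uid/gid equal its effective ones so that bash will not drop them back, and execve()s a fixed path with a fixed argv and environment instead of handing a command string to system(). The target path is the one from Tyler's quote; the PATH value is an assumption. The binary still has to be setuid root, which is exactly Geoffrey's concern, so the fixed argv and environment keep what it can be made to run as narrow as possible.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Path taken from the thread's wrapper; adjust for a real deployment. */
#define TARGET "/usr/local/sbin/changewriter.pl"

/*
 * Run `path` with a fixed argv and a minimal environment.
 * The child first makes its real uid/gid equal its effective ones, so a
 * shell started by the target (bash resets the effective uid to the real
 * uid when they differ) keeps the identity the setuid bit granted.
 * Returns the child's exit status, or -1 if fork/wait fail or the child
 * was killed by a signal.  126 means the id change failed and 127 means
 * execve failed, the same conventions a shell uses.
 */
int run_wrapped(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Group first: after setuid() to an unprivileged uid, setgid() may fail. */
        if (setgid(getegid()) != 0 || setuid(geteuid()) != 0)
            _exit(126);
        /* Do not inherit PATH, IFS, ENV/BASH_ENV etc. from the web server.
           The PATH value here is an assumption. */
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve(path, argv, envp);
        _exit(127);  /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { TARGET, NULL };
    int rc = run_wrapped(TARGET, argv);
    if (rc < 0)
        perror("run_wrapped");
    return rc < 0 ? 1 : rc;
}
```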