PHP writing to /etc

Hello everybody.

I'm trying to set up a simple web interface to maintain the rules
configuration for Shorewall.

This entails writing to at least one of several root-owned files in
/etc/shorewall.

Can anyone, please explain how I allow a script to write to one of these
files when apache is running as www-run.nobody (on debian stable) ?

I appreciate that it's probably about permissions, but I should like to
be able to minimise the risk of abuse because it is for a charity that I
work for.

Apache is set up to be visible internally only and I shall ensure that
no-one can make it visible via the interface!!

Thank you for any help that anyone can give.

Regards,
Pete
Jul 17 '05 #1
chmod 777

--
Mike Bradley
http://www.gzentools.com -- free online php tools
"Peter Simpson" <pe***@tiverton.demon.co.uk> wrote in message
news:c0*******************@news.demon.co.uk...
Hello everybody.

I'm trying to set up a simple web interface to maintain the rules
configuration for Shorewall.

This entails writing to at least one of several root-owned files in
/etc/shorewall.

Can anyone, please explain how I allow a script to write to one of these
files when apache is running as www-run.nobody (on debian stable) ?

I appreciate that it's probably about permissions, but I should like to
be able to minimise the risk of abuse because it is for a charity that I
work for.

Apache is set up to be visible internally only and I shall ensure that
no-one can make it visible via the interface!!

Thank you for any help that anyone can give.

Regards,
Pete

Jul 17 '05 #2
Hi.

I was hoping for something a little less prone to abuse.

I guess what I really mean is: "Is there a way to make a script execute
as someone other than www-run" ?

Regards,
Peter

CountScubula wrote:
chmod 777

--
Mike Bradley
http://www.gzentools.com -- free online php tools
"Peter Simpson" <pe***@tiverton.demon.co.uk> wrote in message
news:c0*******************@news.demon.co.uk...
Hello everybody.

I'm trying to set up a simple web interface to maintain the rules
configuration for Shorewall.

This entails writing to at least one of several root-owned files in
/etc/shorewall.

Can anyone, please explain how I allow a script to write to one of these
files when apache is running as www-run.nobody (on debian stable) ?

I appreciate that it's probably about permissions, but I should like to
be able to minimise the risk of abuse because it is for a charity that I
work for.

Apache is set up to be visible internally only and I shall ensure that
no-one can make it visible via the interface!!

Thank you for any help that anyone can give.

Regards,
Pete


Jul 17 '05 #3
TreeBoy wrote:
Hi.

I was hoping for something a little less prone to abuse.


Whew! I would hope so! Do you know about sudo?
--
Jim Thomas Principal Applications Engineer Bittware, Inc
jt*****@bittware.com http://www.bittware.com (703) 779-7770
The secret to enjoying your job is to have a hobby that's even worse
- Calvin's Dad

Jul 17 '05 #4
Hi.

I'm confident about using sudo at the command line - but I'm not sure
about applying this to an Apache-hosted PHP page.

The simplest thing that I could think of in this scenario is to "chgrp"
the relevant files to "nogroup" which is what Apache is running at - but
I'm not sure if that leaves me open to yet more abuse.

Otherwise, how do I sudo from within PHP - I've played vaguely with
suEXEC in Apache, but I am petrified of the consequences of trying that.

I hope I'm getting the idea of my paranoia across ;-)

Peter

Jim Thomas wrote:
TreeBoy wrote:
Hi.

I was hoping for something a little less prone to abuse.

Whew! I would hope so! Do you know about sudo?

Jul 17 '05 #5
ok, here are 2 approaches.

1:
write a wrapper in C, that changes the running user, and does what you want.

2:
Create a dir called, for example: webcron, and make it writable by only your
webserver. This directory can be anywhere you want, perhaps /etc/webcron

Now, depending on your server, and your needs, add an entry into
/etc/crontab, such as this:
*/2 * * * * root run-parts /etc/webcron

This will cause the server to run whatever scripts are in that folder every
2 minutes. So when you need something done have your php page write a simple
script to that directory, and at the end of the script, have it erase
itself.

Ok, it's a hack, but it works if you can't figure out option 1

--
Mike Bradley
http://www.gzentools.com -- free online php tools
"TreeBoy" <tr*******@tiverton.DELETE_ME.demon.co.uk> wrote in message
news:c0*******************@news.demon.co.uk...
Hi.

I was hoping for something a little less prone to abuse.

I guess what I really mean is: "Is there a way to make a script execute
as someone other than www-run" ?

Regards,
Peter

CountScubula wrote:
chmod 777

--
Mike Bradley
http://www.gzentools.com -- free online php tools
"Peter Simpson" <pe***@tiverton.demon.co.uk> wrote in message
news:c0*******************@news.demon.co.uk...
Hello everybody.

I'm trying to set up a simple web interface to maintain the rules
configuration for Shorewall.

This entails writing to at least one of several root-owned files in
/etc/shorewall.

Can anyone, please explain how I allow a script to write to one of these
files when apache is running as www-run.nobody (on debian stable) ?

I appreciate that it's probably about permissions, but I should like to
be able to minimise the risk of abuse because it is for a charity that I
work for.

Apache is set up to be visible internally only and I shall ensure that
no-one can make it visible via the interface!!

Thank you for any help that anyone can give.

Regards,
Pete


Jul 17 '05 #6
TreeBoy wrote:
Hi.

I'm confident about using sudo at the command line - but I'm not sure
about applying this to an Apache-hosted PHP page.

The simplest thing that I could think of in this scenario is to "chgrp"
the relevant files to "nogroup" which is what Apache is running at - but
I'm not sure if that leaves me open to yet more abuse.

Otherwise, how do I sudo from within PHP - I've played vaguely with
suEXEC in Apache, but I am petrified of the consequences of trying that.

I hope I'm getting the idea of my paranoia across ;-)


Yes you are. This is, as you know, very dangerous ground to tread. But
if the command you wish to run is static, you can invoke it with
something like system("sudo rm -rf /"). (This example is contrived ;-)

With sudo you can specify a very precise command, including acceptable
arguments.

Be careful!

--
Jim Thomas Principal Applications Engineer Bittware, Inc
jt*****@bittware.com http://www.bittware.com (703) 779-7770
The secret to enjoying your job is to have a hobby that's even worse
- Calvin's Dad

Jul 17 '05 #7
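
The "very precise command" approach described in the reply above, as an added example that is not code from anyone in this thread: a root-owned helper that the web server account may run through sudo with no arguments, and that validates a staged rules file before installing it. The helper path, staging path, sudoers line, account name and the allowlist pattern are all assumptions for illustration.

```shell
#!/bin/sh
# Added example: root-owned helper (mode 0755, owner root) run via sudo.
# Assumed sudoers entry (edit with visudo); "" means no arguments are accepted:
#   www-run ALL=(root) NOPASSWD: /usr/local/sbin/install-shorewall-rules ""
# The PHP page writes the proposed rules to STAGED, then calls the fixed string
# system("sudo /usr/local/sbin/install-shorewall-rules"), so no request data
# ever reaches a command line.

STAGED=${STAGED:-/var/spool/webrules/rules.new}   # hypothetical staging file
TARGET=${TARGET:-/etc/shorewall/rules}

# Deliberately narrow allowlist (an assumption, not Shorewall's full grammar):
#   ACTION SOURCE DEST PROTO PORT, zones optionally followed by :address.
S='[[:space:]]+'; Z='[a-z0-9]+(:[0-9.]+)?'
RULE_RE="(ACCEPT|DROP|REJECT)$S$Z$S$Z$S(tcp|udp)$S[0-9]{1,5}"

# Succeeds only if the single line given is an allowlisted rule.
valid_rule() { printf '%s\n' "$1" | grep -Eq "^$RULE_RE\$"; }

# Fails (1) if any line is not blank, a comment, or an allowlisted rule.
valid_file() {
    [ -r "$1" ] || return 2
    if grep -Evq "^[[:space:]]*(#.*)?\$|^$RULE_RE\$" "$1"; then return 1; fi
}

install_rules() {
    # Refuse anything but a regular file; a symlink could point elsewhere.
    [ -f "$STAGED" ] && [ ! -L "$STAGED" ] || return 2
    tmp=$(mktemp "$TARGET.XXXXXX") || return 3
    # Copy first, then validate root's private copy, so the web account cannot
    # swap the content between the check and the install.
    if cat -- "$STAGED" > "$tmp" && valid_file "$tmp"; then
        chmod 0644 "$tmp" && mv -f -- "$tmp" "$TARGET"   # rename is atomic
    else
        rm -f -- "$tmp"
        return 1
    fi
}

# Act only when installed under the expected name (not when sourced or tested).
case ${0##*/} in
    install-shorewall-rules) install_rules; exit $? ;;
esac
```

The existing rules file is left untouched whenever validation fails, and nothing in /etc/shorewall needs to be writable by the web server account.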
Jim Thomas wrote:
TreeBoy wrote:
Hi.

I'm confident about using sudo at the command line - but I'm not sure
about applying this to an Apache-hosted PHP page.

The simplest thing that I could think of in this scenario is to
"chgrp" the relevant files to "nogroup" which is what Apache is
running at - but I'm not sure if that leaves me open to yet more abuse.

Otherwise, how do I sudo from within PHP - I've played vaguely with
suEXEC in Apache, but I am petrified of the consequences of trying that.

I hope I'm getting the idea of my paranoia across ;-)

Yes you are. This is, as you know, very dangerous ground to tread. But
if the command you wish to run is static, you can invoke it with
something like system("sudo rm -rf /"). (This example is contrived ;-)

With sudo you can specify a very precise command, including acceptable
arguments.

Be careful!


Thanks for the clue.

I'm now happy to be able to do what I want.

I just didn't know about the "system" command.

All the very best.
Pete

BTW: I shall be *very* careful.
Jul 17 '05 #8
Thanks Monsieur le Count.

The wrapper thing is not really something that I want to consider - I
believe that I could achieve the same thing by making a SUID or SGID
shell script to achieve the same and relying on my security skills at
that level is not too appealing :-(

The cron tab thing is a nice kludge, which I had not considered. Running
it every two minutes may have a significant impact on overall
performance for the office - but I certainly have nothing to lose in
trying it.

Thank you very much for your assistance.

Regards,
Peter
CountScubula wrote:
ok, here are 2 approaches.

1:
write a wrapper in C, that changes the running user, and does what you want.

2:
Create a dir called, for example: webcron, and make it writable by only your
webserver. This directory can be anywhere you want, perhaps /etc/webcron

Now, depending on your server, and your needs, add an entry into
/etc/crontab, such as this:
*/2 * * * * root run-parts /etc/webcron

This will cause the server to run whatever scripts are in that folder every
2 minutes. So when you need something done have your php page write a simple
script to that directory, and at the end of the script, have it erase
itself.

Ok, it's a hack, but it works if you can't figure out option 1

--
Mike Bradley
http://www.gzentools.com -- free online php tools
"TreeBoy" <tr*******@tiverton.DELETE_ME.demon.co.uk> wrote in message
news:c0*******************@news.demon.co.uk...
Hi.

I was hoping for something a little less prone to abuse.

I guess what I really mean is: "Is there a way to make a script execute
as someone other than www-run" ?

Regards,
Peter

CountScubula wrote:
chmod 777

--
Mike Bradley
http://www.gzentools.com -- free online php tools
"Peter Simpson" <pe***@tiverton.demon.co.uk> wrote in message
news:c0*******************@news.demon.co.uk...
Hello everybody.

I'm trying to set up a simple web interface to maintain the rules
configuration for Shorewall.

This entails writing to at least one of several root-owned files in
/etc/shorewall.

Can anyone, please explain how I allow a script to write to one of these
files when apache is running as www-run.nobody (on debian stable) ?

I appreciate that it's probably about permissions, but I should like to
be able to minimise the risk of abuse because it is for a charity that I
work for.

Apache is set up to be visible internally only and I shall ensure that
no-one can make it visible via the interface!!

Thank you for any help that anyone can give.

Regards,
Pete


Jul 17 '05 #9
