Bytes IT Community

PHP writing to /etc

Hello everybody.

I'm trying to set up a simple web interface to maintain the rules
configuration for Shorewall.

This entails writing to at least one of several root-owned files in
/etc/shorewall.

Can anyone, please explain how I allow a script to write to one of these
files when apache is running as www-run.nobody (on debian stable) ?

I appreciate that it's probably about permissions, but I should like to
be able to minimise the risk of abuse because it is for a charity that I
work for.

Apache is set up to be visible internally only and I shall ensure that
no-one can make it visible via the interface!!

Thank you for any help that anyone can give.

Regards,
Pete
Jul 17 '05 #1
8 Replies


chmod 777

--
Mike Bradley
http://www.gzentools.com -- free online php tools

Jul 17 '05 #2

Hi.

I was hoping for something a little less prone to abuse.

I guess what I really mean is: "Is there a way to make a script execute
as someone other than www-run" ?

Regards,
Peter

CountScubula wrote:
chmod 777



Jul 17 '05 #3

TreeBoy wrote:
Hi.

I was hoping for something a little less prone to abuse.


Whew! I would hope so! Do you know about sudo?
--
Jim Thomas Principal Applications Engineer Bittware, Inc
jt*****@bittware.com http://www.bittware.com (703) 779-7770
The secret to enjoying your job is to have a hobby that's even worse
- Calvin's Dad

Jul 17 '05 #4

Hi.

I'm confident about using sudo at the command line - but I'm not sure
about applying this to an Apache-hosted PHP page.

The simplest thing that I could think of in this scenario is to "chgrp"
the relevant files to "nogroup" which is what Apache is running at - but
I'm not sure if that leaves me open to yet more abuse.

Otherwise, how do I sudo from within PHP - I've played vaguely with
suEXEC in Apache, but I am petrified of the consequences of trying that.

I hope I'm getting the idea of my paranoia across ;-)

Peter

Jim Thomas wrote:
TreeBoy wrote:
Hi.

I was hoping for something a little less prone to abuse.

Whew! I would hope so! Do you know about sudo?

Jul 17 '05 #5

ok, here are 2 approaches.

1:
write a wrapper in C, that changes the running user, and does what you want.

2:
Create a dir called, for example: webcron, and make it writable by only your
webserver. This directory can be anywhere you want, perhaps /etc/webcron

Now, depending on your server, and your needs, add an entry into
/etc/crontab, such as this:
*/2 * * * * root run-parts /etc/webcrons

This will cause the server to run whatever scripts are in that folder every
2 minutes. So when you need something done have your php page write a simple
script to that directory, and at the end of the script, have it erase
itself.

Ok, it's a hack, but it works if you can't figure out option 1

--
Mike Bradley
http://www.gzentools.com -- free online php tools


Jul 17 '05 #6

TreeBoy wrote:
Hi.

I'm confident about using sudo at the command line - but I'm not sure
about applying this to an Apache-hosted PHP page.

The simplest thing that I could think of in this scenario is to "chgrp"
the relevant files to "nogroup" which is what Apache is running at - but
I'm not sure if that leaves me open to yet more abuse.

Otherwise, how do I sudo from within PHP - I've played vaguely with
suEXEC in Apache, but I am petrified of the consequences of trying that.

I hope I'm getting the idea of my paranoia across ;-)


Yes you are. This is, as you know, very dangerous ground to tread. But
if the command you wish to run is static, you can invoke it with
something like system("sudo rm -rf /"). (This example is contrived ;-)

With sudo you can specify a very precise command, including acceptable
arguments.

Be careful!

--
Jim Thomas Principal Applications Engineer Bittware, Inc
jt*****@bittware.com http://www.bittware.com (703) 779-7770
The secret to enjoying your job is to have a hobby that's even worse
- Calvin's Dad

Jul 17 '05 #7
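Jim's advice here (a static command, a sudoers rule that names exactly that command, a plain `system()` call from PHP) and Mike's C-wrapper idea in #6 both come down to one trusted, non-interactive helper that runs as root and does a single narrowly defined job. Below is an added example of such a helper as a POSIX shell script; it is not code from any of the posts, and the `shorewall-apply` name, the paths and the allow-listed action keywords are assumptions.

```shell
#!/bin/sh
# Hypothetical privileged helper for the scenario in this thread (an added
# example, not code from any of the posts). It is meant to be the ONLY
# command the web server user may run through sudo, with a sudoers rule such as
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/shorewall-apply
# and no arguments, so the PHP page calls a fixed string:
#   system('sudo /usr/local/sbin/shorewall-apply', $rc);
# The web app can write only to STAGE_DIR; this script validates the staged
# rules file and installs it into the root-owned target directory.

STAGE_DIR="${STAGE_DIR:-/var/lib/webfw/stage}"   # writable by the web user
TARGET_DIR="${TARGET_DIR:-/etc/shorewall}"       # root-owned; sudo's env_reset keeps the caller from overriding these
MAX_BYTES=65536

# Return 0 only if the candidate looks like a plain Shorewall rules file:
# a regular (non-symlink) file of bounded size whose non-comment lines all
# start with an allow-listed action keyword. The keyword list is illustrative.
validate_rules() {
    f="$1"
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ "$(wc -c < "$f" | tr -d ' ')" -le "$MAX_BYTES" ] || return 1
    LC_ALL=C grep -q '[^[:print:][:space:]]' "$f" && return 1   # control bytes
    LC_ALL=C grep -v -E '^[[:space:]]*(#|$)' "$f" \
        | grep -v -E '^(ACCEPT|DROP|REJECT|DNAT|REDIRECT|LOG|SECTION)([[:space:]]|$)' \
        | grep -q . && return 1
    return 0
}

# Copy the validated file as root-owned 0644 and rename it into place, so a
# reader never sees a half-written rules file.
install_rules() {
    tmp="$2.tmp.$$"
    cp "$1" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$2"
}

# Exit status is what the PHP caller sees: 0 applied, 2 rejected, 3 install failed.
apply_rules() {
    candidate="$1/rules"
    validate_rules "$candidate" || { echo "rejected: $candidate" >&2; return 2; }
    install_rules "$candidate" "$2/rules" || return 3
    rm -f "$candidate"
}

# Run only when installed under the name sudo is allowed to invoke.
case "${0##*/}" in
    shorewall-apply) apply_rules "$STAGE_DIR" "$TARGET_DIR"; exit $? ;;
esac
```

Because the sudoers rule allows no arguments and the script reads only from its fixed staging directory, nothing typed into the web form ever reaches a root shell; the worst a bad submission can do is be rejected with status 2.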

Thanks for the clue.

I'm now happy to be able to do what I want.

I just didn't know about the "system" command.

All the very best.
Pete

BTW: I shall be *very* careful.
Jul 17 '05 #8

Thanks Monsieur le Count.

The wrapper thing is not really something that I want to consider - I
believe that I could achieve the same thing by making a SUID or SGID
shell script to achieve the same and relying on my security skills at
that level is not too appealing :-(

The crontab thing is a nice kludge, which I had not considered. Running
it every two minutes may have a significant impact on overall
performance for the office - but I certainly have nothing to lose in
trying it.

Thank you very much for your assistance.

Regards,
Peter


Jul 17 '05 #9
