[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ale] Re: Please Help



Being that the execution of the script isn't a security concern, couldn't 
the web user be given sudo permission to run the C script as root (without a 
password), and call the system command as system(`sudo <command here>')? 

David Bronson 

Geoffrey writes: 

> This issue just rang a bell in my pea brain.  I believe you're on the 
> right track, and if you replace your system() call with a fork()/exec() it 
> will work as you expect. 
> 
> Tyler Kiley wrote:
>> Actually, I'm pretty sure php chmod() doesn't (didn't?) set suid or 
>> sticky bits.  But that's kinda getting sidetracked..... 
>> 
>> I'd guess Ken's problem is in the c program: 
>> 
>> int main(void)
>> {
>>     system("/usr/local/sbin/changewriter.pl");
>> } 
>> 
>> according to the 'system' manpage in rh 7.2, bash drops suid priveliges 
>> when it is run.  Now... I'm still fairly new to linux, so correct me if 
>> I'm wrong,  but wouldn't that mean that the setuid bit on the c program 
>> is essentially useless? 
>> 
>> Tyler 
>> 
>> Jim Philips: 
>> 
>>> Well, there is a function called chmod() that will do anything a UNIX
>>> chmod will do. See shell_exec() and system() functions for executing
>>> other shell functions within PHP. 
>>> 
>>> On Thu, 2002-03-28 at 15:36, Tyler Kiley wrote: 
>>> 
>>>> if php is compiled as an apache module, you're outta luck afaik.....
>>>> there's nothing to chmod +s, and suexec doesn't work on mod_php (? 
>>>> never
>>>> tried myself, but that's what I've heard). 
>>>> 
>>>> if you've compiled it as a standalone executable, you can always chmod 
>>>> +s
>>>> /usr/local/bin/php, but then all your scripts run as that uid, which is
>>>> typically not good. (anyone know if apache will even accept an
>>>> interpreter that has the +s bit?) 
>>>> 
>>>> Suexec with standalone php is probably the best option.  That will 
>>>> allow
>>>> you to designate a certain directory or virtualhost as setuid, while
>>>> leaving all other php scripts alone. 
>>>> 
>>>> http://httpd.apache.org/docs/suexec.html
>>>> http://www.php.net/manual/en/security.cgi-bin.php 
>>>> 
>>>> Tyler 
>>>> 
>>>> Ken Nagorski: 
>>>> 
>>>>> Please tell me someone knows how to do this. Here is the problem. 
>>>>> 
>>>>> I need to a script SUID form a website. It is a PHP script that calls 
>>>>> a
>>>>> wrapper program written in C and it is set 4755, The script is calls
>>>>> just runs a system command, actually a courier command, the makealises
>>>>> command. But I can't get this to work for the life of me. I know that
>>>>> someone has had of written the script that simplifies system mamagment
>>>>> and then needed to run a system command when it is finished but HOW? 
>>>>> 
>>>>> Uhg - Thanks
>>>>> Ken 
>>>>> 
>>>>>  
>>>>> 
>>>>> 
>>>>> ---
>>>>> This message has been sent through the ALE general discussion list.
>>>>> See http://www.ale.org/mailing-lists.shtml for more info. Problems
>>>>> should be sent to listmaster at ale dot org. 
>>>>> 
>>>> ---
>>>> This message has been sent through the ALE general discussion list.
>>>> See http://www.ale.org/mailing-lists.shtml for more info. Problems 
>>>> should
>>>> be sent to listmaster at ale dot org. 
>>>> 
>>> ---
>>> This message has been sent through the ALE general discussion list.
>>> See http://www.ale.org/mailing-lists.shtml for more info. Problems 
>>> should
>>> be sent to listmaster at ale dot org. 
>>> 
>> 
>> ---
>> This message has been sent through the ALE general discussion list.
>> See http://www.ale.org/mailing-lists.shtml for more info. Problems should 
>> be sent to listmaster at ale dot org. 
>> 
>>  
>> 
>  
> 
> -- 
> Until later: Geoffrey		esoteric at 3times25.net 
> 
> I didn't have to buy my radio from a specific company to listen
> to FM, why doesn't that apply to the Internet (anymore...)? 
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should 
> be sent to listmaster at ale dot org. 
> 
 

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.