GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Tue Jan 07, 2003 4:46 pm Post subject: PHP page running a bash script.

I want a PHP page to run a script every time it is loaded; the script is going to reload iptables, since something has been changed in a file it uses.
I know there might be possible security problems with this, but the script is safe, it just has to be run every time ok.php is run.
_________________
Queen Rocks.
splooge l33t
Joined: 30 Aug 2002 Posts: 636
Posted: Tue Jan 07, 2003 5:41 pm Post subject:

Does this help?
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Tue Jan 07, 2003 5:57 pm Post subject:

Nahh, isn't there a single line in PHP that makes the server run a bash script, as if I had run it from a tty?
_________________
Queen Rocks.
jnewland n00b
Joined: 01 Dec 2002 Posts: 10 Location: University of Georgia (Athens, GA, USA)
Posted: Tue Jan 07, 2003 7:00 pm Post subject:

http://www.php.net/manual/en/ref.exec.php
You can use
Code:
<?php
exec("sh /full/path/to/script.sh");   // runs the script; its output is discarded
which will not show the output. The following will print the output to the page:
Code:
<?php
system("sh /full/path/to/script.sh"); // runs the script and echoes its output into the page
The link above should clarify everything and give you some more info.
_________________
--
AHHH!! Run everyone! The canary has mutated!!!
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Tue Jan 07, 2003 7:02 pm Post subject:

Thank you very much
_________________
Queen Rocks.
jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Tue Jan 07, 2003 7:03 pm Post subject: Re: PHP page running a bash script.

GurliGebis wrote:
> I want a PHP page to run a script every time it is loaded; the script is going to reload iptables, since something has been changed in a file it uses.
if you're not using php's safe mode, put the path to your script in backticks (you might also want to follow the references for escapeshellcmd(), exec(), passthru(), popen(), shell_exec(), and system()).
hth, jukka
jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Tue Jan 07, 2003 7:08 pm Post subject: Re: PHP page running a bash script.

GurliGebis wrote:
> the script is going to reload iptables
hmm, does that mean your webserver has root privileges? wow, brave
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Tue Jan 07, 2003 7:13 pm Post subject:

no.
The script has SUID set.
Since the script is going to be run in the php code, how should anyone be able to change the path to the script, and that way make it run another command?????
_________________
Queen Rocks.
jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Tue Jan 07, 2003 7:40 pm Post subject:

GurliGebis wrote:
> no. The script has SUID set.
if the suid bit is set for a script file, it gets stripped by the kernel before execution. only compiled executables may have the suid bit set. you'll have to write a wrapper in C or so.
Quote:
> Since the script is going to be run in the php code, how should anyone be able to change the path to the script, and that way make it run another command?????
php bugs
mmealman Guru
Joined: 02 Nov 2002 Posts: 348 Location: Florida
Posted: Tue Jan 07, 2003 8:05 pm Post subject:

Here's a sample C wrapper:
Code:
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>

int main(int argc, char* argv[])
{
    uid_t uid;
    /* The real uid identifies who launched the wrapper. In a setuid binary
       geteuid() would already be the file owner's uid (0 for root), so it
       cannot tell callers apart; getuid() can. */
    uid = getuid();
    if(uid == 33)
    {
        printf("Mirroring forms.\n");
        system("/usr/local/bin/mirrordir --verbose --password xxxx /var/forms mc://root@host/var/forms");
        return 0;
    } else
    {
        printf("Invalid user error.\n");
        return 1;
    }
}
This is on a Debian box where Apache runs as www-data, or user 33. The above will only execute for that user.
jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Tue Jan 07, 2003 8:23 pm Post subject:

you'll probably rather need something like
Code:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
    extern char **environ;
    const char *PROG = "/path/to/your/script";        /* fixed path, no caller input */
    char *const arglist[2] = { "script_name", NULL }; /* argv[0] as seen by the script */

    /* The binary is setuid root, so geteuid() is 0 here. Make the real uid 0 as
       well, otherwise a shell started by execve() drops back to the caller's uid. */
    if (setuid(geteuid())) {
        perror("setuid()");
        exit(8);
    }
    /* Replace this process with the script; the caller's environment is passed through. */
    execve(PROG, arglist, environ);
    fprintf(stderr, "ERROR: execve() failed\n");
    exit(9);
}
the compiled program should be owned by root:apache, and have mode 4750. so, only apache is allowed to execute this file (except root...), and your script is run with an effective user id (euid) of 0.
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Tue Jan 07, 2003 9:22 pm Post subject:

Now I just have to make the page.
I need one more thing:
A bash script that exports all values in a row in a mysql table to a file.
So, all values in the row "macs" in the "blp" table have to be exported to /etc/mac.allow.
Will somebody make that script for me?
_________________
Queen Rocks.
jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Tue Jan 07, 2003 9:39 pm Post subject:

GurliGebis wrote:
> Will somebody make that script for me?
maybe you, for a change?
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Wed Jan 08, 2003 4:22 pm Post subject:

Now I have got all this working; there is just one little problem.
The script it executes is not able to run this command:
/etc/init.d/iptables restart
but if I run the script from the tty, it runs without any problems.
I think there might be some permission problems.
How should the permissions for the binary file, the script and /etc/init.d/iptables be set???
_________________
Queen Rocks.
jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Wed Jan 08, 2003 7:02 pm Post subject:

GurliGebis wrote:
> The script it executes is not able to run this command [...] but if I run the script from the tty, it runs without any problems.
how do you run the script when it fails? from cron? if yes, run it as root, i.e. in root's crontab.
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Wed Jan 08, 2003 7:08 pm Post subject:

ok, here is how I do it:
the PHP script runs the compiled program (source in this thread)
the script it runs executes these commands:
Code:
echo "testing" > /home/test
/etc/init.d/iptables restart
The first command runs correctly (/home/test gets created), but iptables restart doesn't work (I have changed it a little, so it touches /home/test2).
What might be wrong?
_________________
Queen Rocks.
jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Wed Jan 08, 2003 7:18 pm Post subject:

GurliGebis wrote:
> the PHP script runs the compiled program (source in this thread)
which one?
Quote:
> the script it runs executes these commands:
> echo "testing" > /home/test
> /etc/init.d/iptables restart
> The first command runs correctly (/home/test gets created), but iptables restart doesn't work
no error message? add the following line to your script, just before the iptables command, and post the result:
Code:
echo "script runs as $EUID"
Quote:
> What might be wrong?
hmm, maybe the script
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Thu Jan 09, 2003 8:57 am Post subject:

Going to try that when I get home.
_________________
Queen Rocks.
mmealman Guru
Joined: 02 Nov 2002 Posts: 348 Location: Florida
Posted: Thu Jan 09, 2003 4:10 pm Post subject:

Which of the below are you doing:
1> PHP runs a C program which executes iptables.
2> PHP runs a C program which calls a bash script that runs iptables.
If it's 2, try doing 1.
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Thu Jan 09, 2003 4:56 pm Post subject:

hehe, then I have to change something in the iptables script, since it reads something from a mysql database.
But I'm going to try that in an hour or so.
<-- hmm
_________________
Queen Rocks.
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Thu Jan 09, 2003 9:52 pm Post subject:

Script is running as 81 (apache)
Can I do it with sudo?
_________________
Queen Rocks.
mr-simon Guru
Joined: 22 Nov 2002 Posts: 367 Location: Leamington Spa, Warks, UK
Posted: Thu Jan 09, 2003 10:25 pm Post subject:

if you really must run a script as root, try using runsuid - this lets you configure which users are allowed to run which script as which other user, and handles the wrapper for you.
Really, really do check the script eleventeen times, as well as your web site, to make sure you know you're not going to leave a bigger security hole than you need to though.
_________________
"Pokey, are you drunk on love?"
"Yes. Also whiskey. But mostly love... and whiskey."
jukka Apprentice
Joined: 06 Jun 2002 Posts: 249 Location: Zurich, Switzerland
Posted: Thu Jan 09, 2003 10:30 pm Post subject:

GurliGebis wrote:
> Script is running as 81 (apache)
i thought you were using a wrapper... but you don't.
Quote:
> Can I do it with sudo?
maybe this thread helps...
seriously: with sudo, you would have to allow apache to execute commands as root without a password. i think that's not a very good idea...
use the tiny c wrapper i posted two days ago (in this thread). put the binary in your web server's cgi directory, change the file owner to root and the group to your web server's primary gid. then set the file mode to 4750.
if the cgi (the wrapper) is executed, it runs with an effective user id of 0 --> it runs your script as root --> your script is allowed to change iptables rules (because it's root). that's it. lucky?
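A hardened version of the wrapper described in this post and in jukka's earlier wrapper post (a root:apache binary with mode 4750 that execs one fixed script as root), added here as an example and not code from this thread: it checks the caller's real uid rather than the effective one and hands the script a fixed environment instead of the caller's. The script path, the allowed environment and the use of uid 81 as the web server's uid are assumed values.

```c
/* Added example (not code from this thread): a setuid-root wrapper that lets only
 * one real uid run one fixed script, with a fixed environment.  ALLOWED_UID and
 * SCRIPT are assumed values; install as root:apache with mode 4750. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define ALLOWED_UID 81u                             /* apache's uid in the thread */
#define SCRIPT "/usr/local/sbin/reload-iptables.sh" /* assumed fixed script path */

/* Check the *real* uid: in a setuid-root binary geteuid() is already 0,
 * so testing it says nothing about who invoked the wrapper. */
int caller_allowed(uid_t real_uid, uid_t allowed_uid)
{
    return real_uid == allowed_uid;
}

/* Fill env with a fixed, minimal environment so nothing the caller controls
 * (PATH, LD_PRELOAD, BASH_ENV, ...) reaches the privileged script.
 * Returns the entry count, or -1 if env cannot hold the entries plus NULL. */
int build_clean_env(char **env, size_t cap)
{
    static const char *fixed[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", "LC_ALL=C" };
    size_t n = sizeof fixed / sizeof fixed[0];
    if (cap < n + 1)
        return -1;
    for (size_t i = 0; i < n; i++)
        env[i] = (char *)fixed[i];
    env[n] = NULL;
    return (int)n;
}

int main(void)
{
    char *env[4];
    char *const args[] = { SCRIPT, NULL };
    if (!caller_allowed(getuid(), ALLOWED_UID)) {
        fprintf(stderr, "wrapper: refused for uid %u\n", (unsigned)getuid());
        return 1;
    }
    /* Real uid must become root too: bash resets euid to the real uid when they differ. */
    if (setuid(geteuid()) != 0) { perror("setuid"); return 1; }
    if (build_clean_env(env, sizeof env / sizeof env[0]) < 0)
        return 1;
    execve(SCRIPT, args, env);
    perror("execve"); /* only reached when the exec itself failed */
    return 1;
}
```

Because the script path is compiled in and the environment is rebuilt from scratch, the only thing the web server controls is whether the wrapper runs at all.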
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Thu Jan 09, 2003 10:31 pm Post subject:

I got it working using SUID, but I would like to know which things apache should have the rights to, to run:
/etc/init.d/iptables restart.
_________________
Queen Rocks.
GurliGebis Retired Dev
Joined: 08 Aug 2002 Posts: 509
Posted: Thu Jan 09, 2003 10:32 pm Post subject:

Problem there, I used the wrapper to call the script, and the script returns EUID 81.
_________________
Queen Rocks.