accessing smbpasswd from PHP

Whether you are using Linux on the desktop or as a server, it's still good that you're using Linux. Linux related questions go here.

Moderator: General Moderators

don stevo
Forum Newbie
Posts: 5
Joined: Wed Jan 21, 2004 7:04 am
Contact:

accessing smbpasswd from PHP

Post by don stevo »

Hi there,

Well, i'm in for a huge problem...

First to say ... if i can't get this stuff fixed in 3 weeks, i can kiss my graduation doobye... So please help me ! :cry:

Well ... It is as follows:
I have to create a PHP webinterface to do the administration of a Samba network (Linux and Windows hosts / servers).

I have a .php page where i have a select - tag ... In this select list, i have to list all users from the smbpasswd file.

The complete site is on a server to which i connect through a terminal with ssh root@IP_ADDRESS

If i go to the page, i get the following error:
Warning: file("/etc/samba/smbpasswd") - Permission denied in /var/www/system/mainapi.php on line 26

So i can't even access the file...
I really need this ... i have 6 weeks of work at a company with a companion to produce this webinterface...if i don't succeed (and i'm completely stuck now) i won't graduate...i am searching for info for over 2 days now and can't find anything that can help me.


pls help, ty
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

You cant access it because the permissions don't allow it.

Possible solutions:

- Change the permissions of /etc/samba/smbpasswd to allow apache to read it
- Change the user apache runs under to root
- Change the owner of /etc/samba/smbpasswd to apache

All three are completely, totally, absolutely insecure things to do. You are *asking* for your box to be hacked if you do any of the above, and it will be very easy to do so.

However, if you simply need to accomplish the task as described, those are the answers.

Better would be to not use the smbpasswd file - there are other ways to interface that would accomplish the OVERALL goal of a php-based management system, and still retain some security.
Last edited by Roja on Thu Sep 29, 2005 9:06 pm, edited 1 time in total.
don stevo
Forum Newbie
Posts: 5
Joined: Wed Jan 21, 2004 7:04 am
Contact:

Post by don stevo »

Well :-)

thx for your reply, but my bosses told me that i can not use any f those # solutions...

I can t change anything on the smbpasswd file permissions...
no permissions, not the owner nor the group

He told me something about changing to su with sudo -S, that way i won t have a password prompt... and something about the sudoers file that i have to check the manpage off...

can you tell me something about those possibilities?


thx already for your auick reply
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

don stevo wrote:Well :-)

thx for your reply, but my bosses told me that i can not use any f those # solutions...

I can t change anything on the smbpasswd file permissions...
no permissions, not the owner nor the group

He told me something about changing to su with sudo -S, that way i won t have a password prompt... and something about the sudoers file that i have to check the manpage off...

can you tell me something about those possibilities?


thx already for your auick reply
Its an impossibility.

Let me explain.

The /etc/smbpasswd file is owned by root, readable only by root (usually - 90% of the time).

PHP runs from apache, and thus has apache's user/permissions.

Apache runs as user "Apache" or "httpd" or "nobody", depending on your distribution.

So, your script, running as "apache" is asking to read a file owned by root, readable only by root.

There is no solution to the problem beyond those I posted. One of the situations has to change.. it is a technical impossibilty without doing so.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

What they meant with sudo etc is this (or at least i think it is):

-)
sudo is way for normal users to launch a script af is they are the super user (root).

-)
So you make sure your script is absolutely free of bugs, and call it from your script on the webserver.

-)
imho: Every company that respects itself has already thrown smbpasswd files out and authenticates against ldap. Writing a script that interfaces with the ldap server would have been an option then.
don stevo
Forum Newbie
Posts: 5
Joined: Wed Jan 21, 2004 7:04 am
Contact:

Post by don stevo »

they also work on LDAP, but to make our work easier (i don t know the english word for it, but it s work arranged by school...i have a certain assignment at a company which have to be completed in 6 weeks)

we have to use smbpasswd so that we don t have to do any other install or confi besides the samba setup and the php site at the company which wants to use the site.


so, we got to get into the smbpasswd file, without changing the permissions via chmod, chown or chgrp.

it s something with the sudoers file and the smbpasswd -S command...but still got to look that one up what it does.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

To use sudo, you would have to program the script to:

- Issue a sudo command, with the root password saved in a file which will be readable by world. This is as idiotic as the other changes suggested.

- Then have the script issue the command - now as root - from the webserver. Again, the webserver will be doing things as root - one single tiny mistake in the script, webserver security, daemons, installed software, ANYTHING, and the attacker will quickly have root access

To do both, you will have to use exec() calls - somethign that would be disabled in safemode. Without safemode enabled, any site hosted on that machine would have access to not only run that command, but also to read the file containing the root password.

Further, if they are able to compromise any script, cgi, or anything else that the webserver has installed, they will be the webserver user, and will be able to read the root password.

All in all, its every bit as insecure as the first options I listed.. moreso in fact.

Its a bad, bad, bad, BAD idea. You should tell them how completely insecure this will make their machine, and refuse to implement it without signing a contract saying they wont sue you, hold you liable, etc for the breach that is likely to happen when someone breaks in through that. It covers your butt, and it shows them JUST how seriously insecure that is.

I honestly wouldnt ever implement that - legal waiver or not!
User avatar
Pyrite
Forum Regular
Posts: 769
Joined: Tue Sep 23, 2003 11:07 pm
Location: The Republic of Texas
Contact:

Post by Pyrite »

Ya know this has been done many times before... Why not take a look at SWAT, the open source web interface that comes with Samba ? My samba setup does not use smbpasswd files, so I can't help much.
User avatar
Pyrite
Forum Regular
Posts: 769
Joined: Tue Sep 23, 2003 11:07 pm
Location: The Republic of Texas
Contact:

Post by Pyrite »

Btw: If PEAR is installed with PHP, you can use the File_SMBPasswd::printAccounts() function.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Pyrite wrote:Btw: If PEAR is installed with PHP, you can use the File_SMBPasswd::printAccounts() function.
Interesting! I had never seen that before!

Doesnt change the fact that he has to change the perms on the file, or the user apache is running as though. :)
don stevo
Forum Newbie
Posts: 5
Joined: Wed Jan 21, 2004 7:04 am
Contact:

Post by don stevo »

well :-)

we fixed the problem (i guess) on a fairly easy way...

just edit the sudoers file with visudo

our apache user at work is www-date

so adding...

www-data ALL = NOPASSWD: /bin/cat

does the job

then we can do this in the script

$users = shell_exec("sodu cat /etc/samba/smbpasswd");

and get the entire file, tokenize it on \n and split it into fields...

worked :-)

thx for your replies
User avatar
Pyrite
Forum Regular
Posts: 769
Joined: Tue Sep 23, 2003 11:07 pm
Location: The Republic of Texas
Contact:

Post by Pyrite »

Roja wrote:Doesnt change the fact that he has to change the perms on the file, or the user apache is running as though. :)
You sure about that? :D
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

You sure about that?
Sorta. I mentioned the exceptions in my post before that. I simply find it completely inconceivable that people would setup a web script with the ability to cat a file on the system as root.

Honestly, thats almost worse.. Now if they can compromise the webserver, or get webserver priv's from another script thats poorly programmed on the site, they can cat the shadow password file, and have root.

Or they could cat the ssh private keys (I presume that they use SSH, and probably have two-way trusts), and have root that way.

Or they could..

You get the idea. This is such a bad idea, I would never implement it. Not under contract, not under a liability disclaimer, not at all.

Its a good thing he didnt post the url/ip, because its just waiting to be hacked.
User avatar
Pyrite
Forum Regular
Posts: 769
Joined: Tue Sep 23, 2003 11:07 pm
Location: The Republic of Texas
Contact:

Post by Pyrite »

Yea but it could be used on a machine that is not connected to the internet, or a network not connected to the internet for that matter. Then it is only network security issue, in which case, a good host allow system would be fine. But I don't know why anyone would not use SWAT or an already built nicely done samba web interface. But then again, its for a class.

Btw, I ment you sure about needing to modify the permissions of the file to use PEAR's samba functionality...
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Pyrite wrote: Btw, I ment you sure about needing to modify the permissions of the file to use PEAR's samba functionality...
Oh. No, I'm not sure (as I said, I had never seen it before), but I looked through the code in CVS, and it would appear to follow all the normal apache/php permissions rules.. I didnt see any "dark magic" that would allow them to get around that.

Why, was I mistaken? Can it in fact allow the webserver to access a file owned by root? If so, how?
Post Reply