chroot

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

chroot

Post by alex.barylski »

I need to chroot an instance of a PHP script. Is this possible without invoking the script as root?

I believe this is what setuid is all about, but if memory serves me correctly, it doesn't apply to scripts, only binaries?

Basically I am executing a PHP script from the CLI, which itself is a PHP script running as Apache.

Ideas?
cptnwinky
Forum Commoner
Posts: 84
Joined: Sat Dec 27, 2008 10:58 am
Location: Williamstown, MA

Re: chroot

Post by cptnwinky »

I think this might help you...

http://httpd.apache.org/docs/1.3/suexec.html
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: chroot

Post by VladSun »

cptnwinky wrote:I think this might help you...

http://httpd.apache.org/docs/1.3/suexec.html
# Is the target user NOT superuser?

Presently, suEXEC does not allow 'root' to execute CGI/SSI programs.
@PCSpectra
Use sudo (properly configured) with an arguments check. Setting the SUID flag on is not a good idea - there are programs which will refuse to run if you are not really root, even if they have been suid-ed.
There are 10 types of people in this world, those who understand binary and those who don't
cptnwinky
Forum Commoner
Posts: 84
Joined: Sat Dec 27, 2008 10:58 am
Location: Williamstown, MA

Re: chroot

Post by cptnwinky »

I don't think Apache will just let him call sudo from a script, in fact, I'm fairly sure that Apache is set up so that this can never happen.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: chroot

Post by VladSun »

cptnwinky wrote:I don't think Apache will just let him call sudo from a script, in fact, I'm fairly sure that Apache is set up so that this can never happen.
Apache will not "call" it, instead it will call the PHP interpreter to execute the script, and I'm fairly sure that sudo commands work ;)

Try this ;)

Code:

<?php
echo system('/usr/sbin/sudo ping yahoo.com -c4 -f');
... and this:

Code:

<?php
echo system('ping yahoo.com -c4 -f');
There are 10 types of people in this world, those who understand binary and those who don't
cptnwinky
Forum Commoner
Posts: 84
Joined: Sat Dec 27, 2008 10:58 am
Location: Williamstown, MA

Re: chroot

Post by cptnwinky »

The first one didn't work. In fact, all it returns is 127 (which I'm guessing is an error code) on my Ubuntu 8.10 server box. Without sudo though ping works just fine.

Code:

<?php
error_reporting(E_ALL);
// system() returns the last line of output; $return receives the exit status
$var = system('/usr/sbin/sudo ping yahoo.com -c4 -f', $return);

if ($var) {
    echo $var;
} else {
    echo $return;
}

If it's being run from the web, through Apache, then Apache is calling the PHP interpreter and I'm positive that it will only allow the script to be run as the same user as Apache. Now using the CLI the sudo command will work because then you can pass the required input (admin password) to it. Through Apache though I don't think there is a way to send the sudo password along after the sudo command is run. Did you try that code? Did you get a different result?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: chroot

Post by VladSun »

cptnwinky wrote:The first one didn't work. Infact, all it returns is 127 (which I'm guessing is an error code) on my ubuntu 8.10 server box.
1. Check if it's the right path - /usr/sbin/sudo
2. Edit! your /etc/sudoers and configure the Apache user rights properly
cptnwinky wrote:Without sudo though ping works just fine.
I don't believe you - http://www.rt.com/man/ping.8.html

-f Flood ping. Outputs packets as fast as they come back or one hundred times per second, whichever is more. For every ECHO_REQUEST sent a period ``.'' is printed, while for every ECHO_REPLY received a backspace is printed. This provides a rapid display of how many packets are being dropped. Only the super-user may use this option. This can be very hard on a network and should be used with caution.
cptnwinky wrote:If it's being run from the web, through apache then apache is calling the php interpreter and I'm positive that it will only allow the script to be run as the same user as apache.
Do you know what sudo is used for???
cptnwinky wrote:Now using CLI the sudo command will work because then you can pass the required input (admin password) to it. Through apache though I don't think there is a way to send the sudo password along after the sudo command is run.
You should read some manuals:

Code:

man sudoers
cptnwinky wrote:Did you try that code? Did you get a different result?
Yes, I did ... many times.
I've already described the expected results ;)
There are 10 types of people in this world, those who understand binary and those who don't
cptnwinky
Forum Commoner
Posts: 84
Joined: Sat Dec 27, 2008 10:58 am
Location: Williamstown, MA

Re: chroot

Post by cptnwinky »

I'm sorry you think I'm lying; it's a shame, I was just describing the results I got from the above command.

Since sudo is in my path just doing system('sudo ping yahoo.com -c4 -f') produces the desired result from the command line, the result being...

Code:

dave@server:/var/www$ php test.php
[sudo] password for dave:
PING yahoo.com (68.180.206.184) 56(84) bytes of data.
 
--- yahoo.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 36ms
rtt min/avg/max/mdev = 179.194/187.525/192.937/5.126 ms, pipe 4, ipg/ewma 12.244/182.815 ms
 
after requesting the password. From the web server, like I said, it produces no output at all. I have to capture the output in the $return variable like above and like I said, that has produced both the number 127 and 1 (when I just did it again) as output to my browser.

Most of all, I would never put the Apache user in the sudoers group (or wheel, depending on your OS). Sure, it can be done so as to limit what that user has access to actually run, but it just feels like an unnecessary risk, especially considering this is exactly why the Apache project created suexec: to solve this problem in a better way.
Do you know what sudo is used for???
You should read some manuals:
Well, since we're telling each other what we should be doing: you should try not to come off so arrogant. To be called a liar and treated as though I were an idiot is unnecessary and uncalled for, and it certainly is giving me a bad impression of this forum. I came here so that I could help others out and participate in a friendly way. Believe it or not, I actually am quite knowledgeable; do I think I know everything though? No, I'm open to criticism of my ideas in pursuit of helping the OP solve his problem, but there is no need to make it personal.

Now, I've had my say and you've had yours. Let us put it behind us and just try to help the OP.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: chroot

Post by VladSun »

cptnwinky wrote:I'm sorry you think I'm lying; its a shame, I was just describing the results I got from the above command.
I had no intention to insult you or anything like that. English is not my native language, so if you feel like I should apologize, then I will. I'm sorry!

Now back to the topic:

Code:

vladsun@designer:/$ id
uid=1000(vladsun) gid=1000(vladsun) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(vladsun)
vladsun@designer:/$ ping yahoo.com -c4 -f
PING yahoo.com (68.180.206.184) 56(84) bytes of data.
ping: cannot flood; minimal interval, allowed for user, is 200ms
vladsun@designer:/$ which ping
/bin/ping
vladsun@designer:/$ ls -l /bin/ping
-rwsr-xr-x 1 root root 30736 2007-01-31 01:10 /bin/ping
So, you see - /bin/ping is suid-ed (and that's how it should be in order to have normal users using it), but it still checks if you are really root (by using getuid()) and it refuses to be executed with the -f option. If you are root:

Code:

root@designer:/#  ping yahoo.com -c4 -f
PING yahoo.com (206.190.60.37) 56(84) bytes of data.
 
--- yahoo.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 36ms
rtt min/avg/max/mdev = 126.330/128.406/131.477/1.890 ms, pipe 4, ipg/ewma 12.306/130.151 ms
then there are no problems of course.

That's why one should use sudo for executing this command. And sudo can be configured the way that it will not ask for password. E.g.:

/etc/sudoers

Code:

Cmnd_Alias      NETWORKING = /bin/ping, ifconfig [0-9]* eth0
 
root    ALL=(ALL) ALL
www-data ALL=NOPASSWD:NETWORKING
So, except for the fact that the Apache user is the owner (parent) of any PHP process executed by requesting a *.php page, it has nothing to do with any system call (like system(), exec(), shell_exec() etc.). Most important - Apache doesn't know if your PHP script has used them (with or without a call to sudo).
I think you are mixing up the suexec and sudo stuff.

Another piece of evidence for what I'm saying:

Code:

root@designer:/# cat 1.php
<?php
echo system('ping yahoo.com -c4 -f');
 
root@designer:/# php -q 1.php
PING yahoo.com (68.180.206.184) 56(84) bytes of data.
 
--- yahoo.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 34ms
rtt min/avg/max/mdev = 207.649/209.201/211.136/1.634 ms, pipe 4, ipg/ewma 11.404/210.283 ms
rtt min/avg/max/mdev = 207.649/209.201/211.136/1.634 ms, pipe 4, ipg/ewma 11.404/210.283 ms
root@designer:/# su www-data
sh-3.1$ php -q 1.php
PING yahoo.com (206.190.60.37) 56(84) bytes of data.
ping: cannot flood; minimal interval, allowed for user, is 200ms
PING yahoo.com (206.190.60.37) 56(84) bytes of data.
Again, my apologies.
There are 10 types of people in this world, those who understand binary and those who don't
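Pulling the thread's advice together (sudo "with an arguments check" and a NOPASSWD rule for a single command), here is an added example of how the PHP side could look; it is not code from any poster in this thread. It assumes the sudoers rule shown in the post above (www-data may run /bin/ping without a password) and that sudo is at /usr/bin/sudo; the hostname check and the function names is_plain_hostname and flood_ping are mine.

```php
<?php
// Added example, not code from the thread: run one sudo-permitted command from
// a PHP script executing as the Apache user, validating the argument first.
// Assumes the sudoers rule shown above (www-data may run /bin/ping without a
// password) and that sudo lives at /usr/bin/sudo (check with `which sudo`).

const SUDO = '/usr/bin/sudo';
const PING = '/bin/ping';

// Accept only a plain hostname (letters, digits, dots, dashes). Shell
// metacharacters are rejected here, so the rule "www-data may run ping"
// cannot be widened into "www-data may run anything".
function is_plain_hostname(string $host): bool
{
    return (bool) preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $host);
}

function flood_ping(string $host, int $count = 4): array
{
    if (!is_plain_hostname($host) || $count < 1 || $count > 10) {
        return ['ok' => false, 'status' => -1, 'output' => 'rejected arguments'];
    }
    // sudo -n: never prompt for a password (a web process has no terminal);
    // if the sudoers rule is missing, sudo fails immediately instead of hanging.
    // escapeshellarg() still wraps each value so the shell sees one word each.
    $cmd = SUDO . ' -n ' . PING . ' -c ' . escapeshellarg((string) $count)
         . ' -f ' . escapeshellarg($host) . ' 2>&1';
    $output = [];
    $status = 0;
    exec($cmd, $output, $status);
    return ['ok' => $status === 0, 'status' => $status,
            'output' => implode("\n", $output)];
}

$r = flood_ping('yahoo.com');
if (!$r['ok']) {
    // 127 means the shell could not find the command (wrong sudo path);
    // a non-zero status from sudo -n usually means no matching NOPASSWD rule,
    // from ping it means the ping itself failed. Log server-side, not to the browser.
    error_log("ping failed (exit {$r['status']}): {$r['output']}");
}
echo htmlspecialchars($r['output']), "\n";
```

Run it once from the command line as the Apache user (su www-data, as in the post above) to confirm the sudoers rule matches before relying on it from a page request.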
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: chroot

Post by VladSun »

Shall we continue the discussion?
cptnwinky?
PCSpectra?
There are 10 types of people in this world, those who understand binary and those who don't
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: chroot

Post by alex.barylski »

Eventually, yes...but for now you've answered my questions and I'm off doing my thing. :P

Sooner or later though I'm sure I'll have to BUMP this topic with some new questions.

Cheers,
Alex