chroot
Moderator: General Moderators
-
alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
chroot
I need to chroot an instance of a PHP script, is this possible without invoking the script as root?
I believe this is what setuid is all about, but if memory serves me correctly, it doesn't apply to scripts, only binaries?
Basically I am executing a PHP script from the CLI, which itself is a PHP script running as Apache.
Ideas?
Re: chroot
@PCSpectra: Is the target user NOT the superuser?
Presently, suEXEC does not allow 'root' to execute CGI/SSI programs.
Use sudo (properly configured) with argument checks. Setting the SUID flag is not a good idea: there are programs which will refuse to run if you are not really root, even if they have been suid-ed.
There are 10 types of people in this world, those who understand binary and those who don't
Re: chroot
I don't think Apache will just let him call sudo from a script; in fact, I'm fairly sure that Apache is set up so that this can never happen.
Re: chroot
cptnwinky wrote: I don't think Apache will just let him call sudo from a script; in fact, I'm fairly sure that Apache is set up so that this can never happen.
Apache will not "call" it; instead it will call the PHP interpreter to execute the script, and I'm fairly sure that sudo commands work.
Try this
echo system('/usr/sbin/sudo ping yahoo.com -c4 -f');
echo system('ping yahoo.com -c4 -f');
Re: chroot
The first one didn't work. In fact, all it returns is 127 (which I'm guessing is an error code) on my Ubuntu 8.10 server box. Without sudo though, ping works just fine.
If it's being run from the web, through Apache, then Apache is calling the PHP interpreter and I'm positive that it will only allow the script to be run as the same user as Apache. Now using the CLI the sudo command will work, because then you can pass the required input (admin password) to it. Through Apache though, I don't think there is a way to send the sudo password along after the sudo command is run. Did you try that code? Did you get a different result?
<?php
error_reporting(E_ALL);
// system() returns the last line of stdout (or false) and stores the exit status in $return
$var = system('/usr/sbin/sudo ping yahoo.com -c4 -f', $return);
if ($var) {
    echo $var;
} else {
    echo $return; // shell exit status (127 = command not found)
}
Re: chroot
cptnwinky wrote: The first one didn't work. In fact, all it returns is 127 (which I'm guessing is an error code) on my Ubuntu 8.10 server box.
1. Check if it's the right path - /usr/sbin/sudo
2. Edit! your /etc/sudoers and configure the Apache user rights properly
cptnwinky wrote: Without sudo though, ping works just fine.
I don't believe you - http://www.rt.com/man/ping.8.html
-f Flood ping. Outputs packets as fast as they come back or one hundred times per second, whichever is more. For every ECHO_REQUEST sent a period ``.'' is printed, while for every ECHO_REPLY received a backspace is printed. This provides a rapid display of how many packets are being dropped. Only the super-user may use this option. This can be very hard on a network and should be used with caution.
cptnwinky wrote: If it's being run from the web, through Apache, then Apache is calling the PHP interpreter and I'm positive that it will only allow the script to be run as the same user as Apache.
Do you know what sudo is used for???
cptnwinky wrote: Now using the CLI the sudo command will work, because then you can pass the required input (admin password) to it. Through Apache though, I don't think there is a way to send the sudo password along after the sudo command is run.
You should read some manuals:
man sudoers
cptnwinky wrote: Did you try that code? Did you get a different result?
Yes, I did ... many times.
I've already described the expected results.
Re: chroot
I'm sorry you think I'm lying; it's a shame, I was just describing the results I got from the above command.
Since sudo is in my path, just doing system('sudo ping yahoo.com -c4 -f') produces the desired result from the command line, the result being...
dave@server:/var/www$ php test.php
[sudo] password for dave:
PING yahoo.com (68.180.206.184) 56(84) bytes of data.
--- yahoo.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 36ms
rtt min/avg/max/mdev = 179.194/187.525/192.937/5.126 ms, pipe 4, ipg/ewma 12.244/182.815 ms
after requesting the password. From the web server, like I said, it produces no output at all. I have to capture the output in the $return variable like above and, like I said, that has produced both the number 127 and 1 (when I just did it again) as output to my browser.
Most of all, I would never put the apache user in the sudoers group (or wheel, depending on your OS). Sure, it can be done so as to limit what that user has access to actually run, but it just feels like an unnecessary risk, especially considering this is exactly why the Apache project created suexec: to solve this problem in a better way.
Do you know what sudo is used for???
You should read some manuals:
Well, since we're telling each other what we should be doing, you should try not to come off so arrogant. To be called a liar and treated as though I were an idiot is unnecessary and uncalled for, and it certainly is giving me a bad impression of this forum. I came here so that I could help others out and participate in a friendly way. Believe it or not, I actually am quite knowledgeable; do I think I know everything though? No, I'm open to criticism of my ideas in pursuit of helping the OP solve his problem, but there is no need to make it personal.
Now, I've had my say and you've had yours. Let us put it behind us and just try to help the OP.
Re: chroot
cptnwinky wrote: I'm sorry you think I'm lying; it's a shame, I was just describing the results I got from the above command.
I had no intention to insult you or anything like that. English is not my native language, so if you feel like I should apologize, then I will. I'm sorry!
Now back to the topic:
vladsun@designer:/$ id
uid=1000(vladsun) gid=1000(vladsun) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(vladsun)
vladsun@designer:/$ ping yahoo.com -c4 -f
PING yahoo.com (68.180.206.184) 56(84) bytes of data.
ping: cannot flood; minimal interval, allowed for user, is 200ms
vladsun@designer:/$ which ping
/bin/ping
vladsun@designer:/$ ls -l /bin/ping
-rwsr-xr-x 1 root root 30736 2007-01-31 01:10 /bin/ping
root@designer:/# ping yahoo.com -c4 -f
PING yahoo.com (206.190.60.37) 56(84) bytes of data.
--- yahoo.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 36ms
rtt min/avg/max/mdev = 126.330/128.406/131.477/1.890 ms, pipe 4, ipg/ewma 12.306/130.151 ms
That's why one should use sudo for executing this command. And sudo can be configured so that it will not ask for a password. E.g.:
/etc/sudoers
# sudoers command entries need absolute paths
Cmnd_Alias NETWORKING = /bin/ping, /sbin/ifconfig [0-9]* eth0
root ALL=(ALL) ALL
# www-data may run the NETWORKING commands without a password
www-data ALL=NOPASSWD:NETWORKING
I think you are mixing up the suexec and sudo stuff.
Further evidence for what I'm saying:
root@designer:/# cat 1.php
<?php
echo system('ping yahoo.com -c4 -f');
root@designer:/# php -q 1.php
PING yahoo.com (68.180.206.184) 56(84) bytes of data.
--- yahoo.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 34ms
rtt min/avg/max/mdev = 207.649/209.201/211.136/1.634 ms, pipe 4, ipg/ewma 11.404/210.283 ms
rtt min/avg/max/mdev = 207.649/209.201/211.136/1.634 ms, pipe 4, ipg/ewma 11.404/210.283 ms
root@designer:/# su www-data
sh-3.1$ php -q 1.php
PING yahoo.com (206.190.60.37) 56(84) bytes of data.
ping: cannot flood; minimal interval, allowed for user, is 200ms
PING yahoo.com (206.190.60.37) 56(84) bytes of data.
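As an added example (not code from the thread), here is the PHP-side counterpart to the sudoers entry above: it captures stderr and the exit status, which system() alone does not show, so that 127 (wrong sudo path) and 1 (sudo refused) can be told apart instead of showing up as "no output". It assumes sudo lives at /usr/bin/sudo and that a NOPASSWD rule for /bin/ping exists for www-data.

```php
<?php
// Added example, not code from the thread. Assumptions: sudo is at /usr/bin/sudo
// (the thread's /usr/sbin/sudo path is what produced exit 127 = not found) and
// /etc/sudoers has a NOPASSWD rule letting www-data run /bin/ping.

function run_ping(string $host, int $count = 4): array
{
    // Accept only a plain hostname: raw user input must never reach the shell.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        return ['exit' => -1, 'stdout' => '', 'stderr' => "rejected host: $host"];
    }
    $sudo = '/usr/bin/sudo'; // assumed path; compare with `which sudo`
    if (!is_executable($sudo)) {
        return ['exit' => 127, 'stdout' => '', 'stderr' => "$sudo not found"];
    }
    // -n: never prompt for a password. Apache has no terminal, so a prompt could
    // never be answered; with -n sudo exits 1 and says why on stderr instead.
    $cmd = $sudo . ' -n /bin/ping -c ' . (int)$count . ' -f ' . escapeshellarg($host);
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['exit' => -1, 'stdout' => '', 'stderr' => 'proc_open failed'];
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]); // system() echoes only the last line of this
    $err = stream_get_contents($pipes[2]); // system() never shows this; sudo's refusal lands here
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['exit' => proc_close($proc), 'stdout' => $out, 'stderr' => $err];
}

function explain_exit(int $code): string
{
    switch ($code) {
        case 0:   return 'ok';
        case 1:   return 'sudo refused: no matching sudoers rule, or a password was required';
        case 127: return 'command not found: check the sudo path';
        default:  return "exit status $code";
    }
}

$r = run_ping('yahoo.com');
header('Content-Type: text/plain');
echo explain_exit($r['exit']), "\n", $r['stdout'], $r['stderr'];
```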
Re: chroot
Shall we continue the discussion?
cptnwinky?
PCSpectra?
Re: chroot
Eventually, yes... but for now you've answered my questions and I'm off doing my thing.
Sooner or later though I'm sure I'll have to BUMP this topic with some new questions.
Cheers,
Alex