
chroot

Posted: Sat Dec 27, 2008 9:10 pm
by alex.barylski
I need to chroot an instance of a PHP script, is this possible without invoking the script as root?

I believe this is what setuid is all about, but if memory serves me correctly, it doesn't apply to scripts only binaries?

Basically I am executing a PHP script from the CLI, which itself is a PHP script running as Apache.

Ideas?

Re: chroot

Posted: Sun Dec 28, 2008 1:03 am
by cptnwinky
I think this might help you...

http://httpd.apache.org/docs/1.3/suexec.html

Re: chroot

Posted: Sun Dec 28, 2008 7:43 am
by VladSun
cptnwinky wrote:I think this might help you...

http://httpd.apache.org/docs/1.3/suexec.html
Is the target user NOT superuser?

Presently, suEXEC does not allow 'root' to execute CGI/SSI programs.
@PCSpectra
Use sudo (properly configured) with an arguments check. Setting the SUID flag on is not a good idea - there are programs which will refuse to run if you are not really root, even if they have been suid-ed.

Re: chroot

Posted: Sun Dec 28, 2008 9:23 am
by cptnwinky
I don't think Apache will just let him call sudo from a script, in fact, I'm fairly sure that Apache is set up so that this can never happen.

Re: chroot

Posted: Sun Dec 28, 2008 12:00 pm
by VladSun
cptnwinky wrote:I don't think Apache will just let him call sudo from a script, in fact, I'm fairly sure that Apache is set up so that this can never happen.
Apache will not "call" it, instead it will call the PHP interpreter to execute the script, and I'm fairly sure that sudo commands work ;)

Try this ;)

Code:

<?php echo system('/usr/sbin/sudo ping yahoo.com -c4 -f');
... and this:

Code:

<?php echo system('ping yahoo.com -c4 -f');

Re: chroot

Posted: Sun Dec 28, 2008 12:19 pm
by cptnwinky
The first one didn't work. In fact, all it returns is 127 (which I'm guessing is an error code) on my Ubuntu 8.10 server box. Without sudo though ping works just fine.

Code:

<?php
error_reporting(E_ALL);
// system() prints the command's output; $return receives its exit status
$var = system('/usr/sbin/sudo ping yahoo.com -c4 -f', $return);

if ($var) {
    echo $var;
} else {
    echo $return;
}
If it's being run from the web, through Apache, then Apache is calling the PHP interpreter and I'm positive that it will only allow the script to be run as the same user as Apache. Now, using the CLI, the sudo command will work because then you can pass the required input (admin password) to it. Through Apache though I don't think there is a way to send the sudo password along after the sudo command is run. Did you try that code? Did you get a different result?

Re: chroot

Posted: Sun Dec 28, 2008 2:58 pm
by VladSun
cptnwinky wrote:The first one didn't work. Infact, all it returns is 127 (which I'm guessing is an error code) on my ubuntu 8.10 server box.
1. Check if it's the right path - /usr/sbin/sudo
2. Edit! your /etc/sudoers and configure the Apache user rights properly
cptnwinky wrote:Without sudo though ping works just fine.
I don't believe you - http://www.rt.com/man/ping.8.html
-f Flood ping. Outputs packets as fast as they come back or one hundred times per second, whichever is more. For every ECHO_REQUEST sent a period ``.'' is printed, while for every ECHO_REPLY received a backspace is printed. This provides a rapid display of how many packets are being dropped. Only the super-user may use this option. This can be very hard on a network and should be used with caution.
cptnwinky wrote:If it's being run from the web, through apache then apache is calling the php interpreter and I'm positive that it will only allow the script to be run as the same user as apache.
Do you know what sudo is used for???
cptnwinky wrote:Now using CLI the sudo command will work because then you can pass the required input (admin password) to it. Through apache though I don't think there is a way to send the sudo password along after the sudo command is run.
You should read some manuals:

Code:

man sudoers
cptnwinky wrote:Did you try that code? Did you get a different result?
Yes, I did ... many times.
I've already described the expected results ;)

Re: chroot

Posted: Sun Dec 28, 2008 4:26 pm
by cptnwinky
I'm sorry you think I'm lying; it's a shame, I was just describing the results I got from the above command.

Since sudo is in my path just doing system('sudo ping yahoo.com -c4 -f') produces the desired result from the command line, the result being...

Code:

dave@server:/var/www$ php test.php
[sudo] password for dave:
PING yahoo.com (68.180.206.184) 56(84) bytes of data.

--- yahoo.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 36ms
rtt min/avg/max/mdev = 179.194/187.525/192.937/5.126 ms, pipe 4, ipg/ewma 12.244/182.815 ms
after requesting the password. From the web server, like I said, it produces no output at all. I have to capture the output in the $return variable like above and like I said, that has produced both the number 127 and 1 (when I just did it again) as output to my browser.

Most of all, I would never put the apache user in the sudoers group (or wheel, depending on your OS). Sure, it can be done so as to limit what that user has access to actually run, but it just feels like an unnecessary risk, especially considering this is exactly why the apache project created suexec: to solve this problem in a better way.
VladSun wrote:Do you know what sudo is used for???
VladSun wrote:You should read some manuals:
Well, since we're telling each other what we should be doing: you should try not to come off so arrogant. To be called a liar and treated as though I were an idiot is unnecessary and uncalled for, and it certainly is giving me a bad impression of this forum. I came here so that I could help others out and participate in a friendly way. Believe it or not, I actually am quite knowledgeable; do I think I know everything though? No, I'm open to criticism of my ideas in pursuit of helping the op solve his problem, but there is no need to make it personal.

Now, I've had my say and you've had yours. Let us put it behind us and just try to help the op.

Re: chroot

Posted: Mon Dec 29, 2008 4:23 am
by VladSun
cptnwinky wrote:I'm sorry you think I'm lying; its a shame, I was just describing the results I got from the above command.
I had no intention to insult you or anything like that. English is not my native language, so if you feel like I should apologize, then I will. I'm sorry!

Now back to the topic:

Code:

vladsun@designer:/$ id
uid=1000(vladsun) gid=1000(vladsun) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(vladsun)
vladsun@designer:/$ ping yahoo.com -c4 -f
PING yahoo.com (68.180.206.184) 56(84) bytes of data.
ping: cannot flood; minimal interval, allowed for user, is 200ms
vladsun@designer:/$ which ping
/bin/ping
vladsun@designer:/$ ls -l /bin/ping
-rwsr-xr-x 1 root root 30736 2007-01-31 01:10 /bin/ping
So, you see - /bin/ping is suid-ed (and that's how it should be in order to have normal users using it), but it still checks if you are really root (by using getuid()) and it refuses to be executed with the -f option. If you are root:

Code:

root@designer:/# ping yahoo.com -c4 -f
PING yahoo.com (206.190.60.37) 56(84) bytes of data.

--- yahoo.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 36ms
rtt min/avg/max/mdev = 126.330/128.406/131.477/1.890 ms, pipe 4, ipg/ewma 12.306/130.151 ms
then there are no problems of course.

That's why one should use sudo for executing this command. And sudo can be configured the way that it will not ask for password. E.g.:

/etc/sudoers

Code:

Cmnd_Alias      NETWORKING = /bin/ping, ifconfig [0-9]* eth0

root    ALL=(ALL) ALL
www-data ALL=NOPASSWD:NETWORKING
So, except that the Apache user is the owner (parent) of any PHP process executed by requesting a *.php page, it has nothing to do with any system call (like system(), exec(), shell_exec() etc.). Most important - Apache doesn't know if your PHP script has used them (with or without a call to sudo).
I think you are mixing the suexec and sudo stuff.

More evidence for what I'm saying:

Code:

root@designer:/# cat 1.php
<?php
echo system('ping yahoo.com -c4 -f');

root@designer:/# php -q 1.php
PING yahoo.com (68.180.206.184) 56(84) bytes of data.

--- yahoo.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 34ms
rtt min/avg/max/mdev = 207.649/209.201/211.136/1.634 ms, pipe 4, ipg/ewma 11.404/210.283 ms
rtt min/avg/max/mdev = 207.649/209.201/211.136/1.634 ms, pipe 4, ipg/ewma 11.404/210.283 ms
root@designer:/# su www-data
sh-3.1$ php -q 1.php
PING yahoo.com (206.190.60.37) 56(84) bytes of data.
ping: cannot flood; minimal interval, allowed for user, is 200ms
PING yahoo.com (206.190.60.37) 56(84) bytes of data.
Again, my apologies.
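As an added example from the editor (not code from this thread or from any of its posters), here is how the sudo-based approach discussed above can be wrapped in a web-facing PHP script so that it fails safely: the host is validated before it reaches a shell, sudo runs with -n so it exits instead of hanging on a password prompt under Apache, and the exit status is interpreted rather than ignored (127 is the shell reporting that the command path does not exist, which is what a wrong /usr/sbin/sudo path produces). The sudo and ping paths and the matching sudoers line are assumptions; confirm them with `which sudo` and edit sudoers only with visudo.

```php
<?php
// Added example (not from the thread): run a privileged ping from a PHP
// script through sudo, with the argument validated and the exit status
// interpreted instead of ignored.
//
// Assumed matching /etc/sudoers entry (edit with visudo; path is an assumption):
//   www-data ALL=(root) NOPASSWD: /bin/ping
// This still lets www-data pass any ping option, so keep the allowed
// command list as narrow as the application really needs.

declare(strict_types=1);

const PING_BIN = '/bin/ping';     // absolute path, as the sudoers rule must use
const SUDO_BIN = '/usr/bin/sudo'; // assumed location; `which sudo` to confirm

/**
 * Reject anything that is not a plain hostname or IPv4 literal before it
 * ever reaches a shell. Returns true when $host is acceptable.
 */
function isSafeHost(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    // letters, digits, dots and hyphens only: no spaces, quotes, `;` or `$()`
    return (bool) preg_match('/^[A-Za-z0-9.-]+$/', $host);
}

/**
 * Run `sudo -n /bin/ping -c $count $host` and return a structured result.
 * -n makes sudo fail immediately instead of prompting for a password, which
 * is what silently happens under Apache when sudoers is not configured.
 */
function privilegedPing(string $host, int $count = 4): array
{
    if (!isSafeHost($host)) {
        return ['ok' => false, 'status' => null, 'reason' => 'invalid host', 'output' => []];
    }
    $count = max(1, min($count, 10)); // hard cap on how much work we allow

    $cmd = sprintf(
        '%s -n %s -c %d %s 2>&1',
        SUDO_BIN,
        PING_BIN,
        $count,
        escapeshellarg($host)
    );

    exec($cmd, $output, $status); // $status receives the process exit code

    switch ($status) {
        case 0:
            return ['ok' => true, 'status' => 0, 'reason' => 'ok', 'output' => $output];
        case 127:
            // the shell could not find the command: wrong SUDO_BIN/PING_BIN path
            $reason = 'command not found (check the sudo/ping paths)';
            break;
        case 1:
            // sudo refused (no sudoers rule, or -n with a password required)
            // or ping itself failed; the captured stderr says which
            $reason = 'sudo denied or ping failed: ' . implode(' | ', $output);
            break;
        default:
            $reason = 'exit status ' . $status . ': ' . implode(' | ', $output);
    }
    return ['ok' => false, 'status' => $status, 'reason' => $reason, 'output' => $output];
}

// Usage from the CLI or under Apache; in a real page the host would come
// from request input that has already been validated the same way.
$result = privilegedPing('yahoo.com');
echo $result['ok']
    ? implode("\n", $result['output']) . "\n"
    : 'ping failed: ' . $result['reason'] . "\n";
```

Even with NOPASSWD limited to /bin/ping, the www-data user can pass any option, including -f. Wildcards in sudoers command arguments are not a reliable way to pin options down (a `*` matches whitespace too), so when the option set matters, put the fixed command line in a small root-owned script and allow only that script in sudoers.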

Re: chroot

Posted: Mon Jan 05, 2009 5:48 pm
by VladSun
Shall we continue the discussion?
cptnwinky?
PCSpectra?

Re: chroot

Posted: Sat Jan 17, 2009 1:38 am
by alex.barylski
Eventually, yes...but for now you've answered my questions and I'm off doing my thing. :P

Sooner or later though I'm sure I'll have to BUMP this topic with some new questions.

Cheers,
Alex