January 4th, 2012, 05:32 PM
Running cgi-scripts (python) as root? (maybe suexec?)
I for the life of me can't get my webserver to run a python script correctly as root... obviously there are big security concerns, but this python script runs on scapy, which requires promiscuous access on the ethernet interfaces to fire and receive packets, so I need root.
I see two options from reading online-
1) I can run the whole webserver as root, which is a big security hole, even the flag to enable this has a funny name but I can't even get this to work... I downloaded a recent version of httpd (whole thing, not just binaries) then did a->
env CFLAGS="-Wall -DBIG_SECURITY_HOLE" ./configure
then a #make then a #make install
which didn't work; it still came up with the error (when I set user and group to root) the error
so I figured this was just a user error... so I used this website-> http://code.google.com/p/mod-suid2/
Syntax error on line 228 of /etc/httpd/conf/httpd.conf:
Error:\tApache has not been designed to serve pages while\n\trunning as root. There are known race conditions that\n\twill allow any local user to read any file on the system.\n\tIf you still desire to serve pages as root then\n\tadd -DBIG_SECURITY_HOLE to the CFLAGS env variable\n\tand then rebuild the server.\n\tIt is strongly suggested that you instead modify the User\n\tdirective in your httpd.conf file to list a non-root\n\tuser.\n
and did this
got the same error that I did above...
env CFLAGS="-DBIG_SECURITY_HOLE" ./configure && make
# make install
so here is option 2
which sounds awesome, but now after a day of wasting time I can't even find a great example... and I am not sure this will allow root anyway, maybe just another user.... is this the way to go? has someone had this type of problem before?
HELP IS MUCH APPRECIATED
January 4th, 2012, 09:50 PM
Can you not run the script as some limited user that's part of (that one user group that allows network access) group?
January 4th, 2012, 11:18 PM
In the past when I've needed to do something like this I generally write a wrapper program in C for my script and then use the SUID bit on the C program to make it run as root. You just need to know enough C to handle the input and output of the script.
January 5th, 2012, 10:14 AM
I have been trying that; it does not seem to work. Someone on the scapy mailer gave me some 'patch' that might allow a regular user to do the functions I want... I am cloning the virtual machine right now b/c I don't want to ruin my program and environment before I start editing every little file....
Originally Posted by requinix
January 5th, 2012, 10:16 AM
Do you have any good resources I can read up on the SUID bit? And maybe an example C program? This might be the way I have to go; I am trying a scapy patch right now that might make it act more normal (and run w/o root).
Originally Posted by E-Oreo
January 5th, 2012, 12:21 PM
setuid is a permission bit on a file, like read, write, and execute. It isn't part of a program.
/bin/su is a program with that bit set.
It will always run as the root user, regardless of who is actually running it.
$ ls -l /bin/su
-rwsr-xr-x 1 root root (size) (date) /bin/su
January 5th, 2012, 10:33 PM
To clarify that, su always runs as the root user because the su binary is owned by the root user. The setuid bit causes the program to always run as the user who owns the binary; thus, if you want your program to run as root, root must be the owner of the binary.
int main(int argc, char *argv[])
char cmd[] = "/usr/bin/php /dir/phpfile.php";