#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2012
    Posts
    3
    Rep Power
    0

    Running cgi-scripts (python) as root? (maybe suexec?)


    I for the life of me can't get my webserver to run a Python script correctly as root... obviously there are big security concerns, but this Python script runs on scapy, which requires promiscuous access on the ethernet interfaces to fire and receive packets, so I need root.

    I see two options from reading online-

    1) I can run the whole webserver as root, which is a big security hole, even the flag to enable this has a funny name but I can't even get this to work... I downloaded a recent version of httpd (whole thing, not just binaries) then did a->

    env CFLAGS="-Wall -DBIG_SECURITY_HOLE" ./configure
    then a #make then a #make install

    which didn't work; it still came up with this error (when I set user and group to root):

    Code:
    Syntax error on line 228 of /etc/httpd/conf/httpd.conf:
    Error:\tApache has not been designed to serve pages while\n\trunning as root.  There are known race conditions that\n\twill allow any local user to read any file on the system.\n\tIf you still desire to serve pages as root then\n\tadd -DBIG_SECURITY_HOLE to the CFLAGS env variable\n\tand then rebuild the server.\n\tIt is strongly suggested that you instead modify the User\n\tdirective in your httpd.conf file to list a non-root\n\tuser.\n
    so I figured this was just a user error... so I used this website-> http://code.google.com/p/mod-suid2/

    and did this
    Code:
    env CFLAGS="-DBIG_SECURITY_HOLE" ./configure && make
    # make install
    got the same error that I did above...

    so here is option 2

    2) SUEXEC

    which sounds awesome, but now after a day of wasting time I can't even find a great example... and I am not sure this will allow root anyway, maybe just another user.... is this the way to go? has someone had this type of problem before?


    HELP IS MUCH APPRECIATED
  2. #2
  3. Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,296
    Rep Power
    9400
    Can you not run the script as some limited user that's part of (that one user group that allows network access) group?
  4. #3
  5. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,316
    Rep Power
    7171
    Presently, suEXEC does not allow root to execute CGI/SSI programs.
    In the past when I've needed to do something like this I generally write a wrapper program in C for my script and then use the SUID bit on the C program to make it run as root. You just need to know enough C to handle the input and output of the script.
  6. #4
  7. Registered User
    Originally Posted by requinix
    Can you not run the script as some limited user that's part of (that one user group that allows network access) group?
    I have been trying that; it does not seem to work. Someone on the scapy mailer gave me some 'patch' that might allow a regular user to do the functions I want... I am cloning the virtual machine right now b/c I don't want to ruin my program and environment before I start editing every little file....
  8. #5
  9. Registered User
    Originally Posted by E-Oreo
    In the past when I've needed to do something like this I generally write a wrapper program in C for my script and then use the SUID bit on the C program to make it run as root. You just need to know enough C to handle the input and output of the script.
    Do you have any good resources I can read up on the SUID bit? And maybe an example C program? This might be the way I have to go. I am trying a scapy patch right now that might make it act more normal (and run w/o root).
  10. #6
  11. Transforming Moderator
    setuid is a permission bit on a file, like read, write, and execute. It isn't part of a program.
    http://www.bashguru.com/2010/03/unix...rmissions.html

    /bin/su is a program with that bit set.
    Code:
    $ ls -l /bin/su
    -rwsr-xr-x 1 root root (size) (date) /bin/su
    It will always run as the root user, regardless of who is actually running it.
  12. #7
  13. Lost in code
    It will always run as the root user, regardless of who is actually running it.
    To clarify that, su always runs as the root user because the su binary is owned by the root user. The setuid bit causes the program to always run as the user who owns the binary; thus, if you want your program to run as root, root must be the owner of the binary.

    Code:
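    #include <stdlib.h>  /* system() */

    int main(int argc, char* argv[])
    {
            /* Fixed command line; nothing from argv or the caller is passed through. */
            char cmd[] = "/usr/bin/php /dir/phpfile.php";
            system(cmd);
            return 0;
    }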
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
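
As an added example (not code from any poster in this thread): a hardened form of the setuid wrapper approach discussed above. It skips system() and the shell, hands the script a fixed environment, and validates the one argument it forwards. The interpreter path, the script path and the single IPv4-address argument are assumptions made for illustration.

```c
/* Added example: hardened setuid-root wrapper. Paths below are placeholders. */
#include <stdio.h>
#include <unistd.h>

#define INTERP "/usr/bin/python"        /* assumed interpreter path */
#define SCRIPT "/opt/scan/scan.py"      /* hypothetical root-owned, non-writable script */

/* Fixed environment: nothing set by the CGI caller (PATH, PYTHONPATH, ...) survives. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Accept only a dotted-quad IPv4 address: four octets, digits only, each 0-255. */
int valid_ipv4(const char *s)
{
    int octets = 0;
    if (s == NULL) return 0;
    while (*s) {
        int val = 0, digits = 0;
        while (*s >= '0' && *s <= '9') {
            val = val * 10 + (*s++ - '0');
            if (++digits > 3 || val > 255) return 0;
        }
        if (digits == 0) return 0;              /* empty octet or illegal character */
        octets++;
        if (*s == '.') { s++; if (*s == '\0') return 0; }   /* no trailing dot */
        else if (*s != '\0') return 0;          /* anything else, e.g. ';', is rejected */
    }
    return octets == 4;
}

int main(int argc, char *argv[])
{
    if (argc != 2 || !valid_ipv4(argv[1])) {
        fprintf(stderr, "usage: wrapper <ipv4-address>\n");
        return 2;
    }
    /* Set the real ids as well, so the interpreter sees uid 0 and not only euid 0. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setuid");
        return 1;
    }
    char *const args[] = { INTERP, SCRIPT, argv[1], NULL };
    execve(INTERP, args, CLEAN_ENV);    /* no shell: the argument is never parsed as a command */
    perror("execve");                   /* reached only if execve failed */
    return 1;
}
```

The compiled binary has to be owned by root with the setuid bit set; restricting execute permission to the web server's group (for example mode 4750) keeps other local users from invoking it.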
