er... SUID?

Status
Not open for further replies.

plasmatwin, Programmer, GB (31 posts), Nov 1, 2005
OK, I am doing a web based admin system for a little project I am working on. To see what I could do as a start I decided to start on reading the iptables rules and formatting them nicely on the page - just to start. I hit a rather large road block though: I need root permissions. I am using the Apache webserver to execute my CGI and I can find next to no documentation on how to SUID. So, here is my simple script that for a start will just read in the currently active firewall configuration and print it.
Code:
#!/usr/bin/perl -w
use strict;

print "Content-type: text/plain\n\n";

# Read iptables-save's output through a pipe. The original used backticks
# inside open(), which ran the command and then tried to open its *output*
# as a file name.
open(my $fw, '-|', 'iptables-save')
    or do { print "ARG!!"; die "Can't run iptables-save: $!"; };
my @firewall = <$fw>;
# Without root, iptables-save prints an error and exits non-zero; the pipe
# open itself still succeeds, so the exit status only shows up at close().
close($fw) or die "iptables-save failed with status " . ($? >> 8);
foreach (@firewall) {
    print $_;
}
Of course the script fails because I don't have root privileges. Help?
 
You really want to give the world "root" access to your machine?
This sounds really really dangerous to me. CGI is run as a very unprivileged user for a very good reason.
Maybe you need to look at the problem from another point of view.
For example, you could have a separate root process that watches files appearing in a directory and acts on them when they do. The first thing it should do is VALIDATE THEM!
First check would be size to make sure you don't suffer buffer overloads with them.
Next you should check EVERY LINE to ensure it conforms to what you need.
Finally you could process it as you see fit.



Trojan.
 
so how does webmin do it? I don't want to use the actual webmin package but I am designing something along the same lines for a little project. Webmin has a log on system, so will this soon. I was going to get to that later, this is me just playing around at the moment. If you can tell me how to get root access (which webmin effectively gives to anyone who gets the login correct) then I can do this, if you can tell me an alternative solution to this then I will be glad to hear it. Don't assume I was going to give the world root access to my machine ;-)
 
I really don't understand where you are coming from here.
You say:
tell me how to get root access (which webmin effectively gives to anyone who gets the login correct)
and follow it up by saying
Don't assume I was going to give the world root access to my machine
I think you need to consider very carefully what you actually want to do here. Root access is a very bad idea. Having a process do something that normally requires root privileges is not the same thing at all and generally much safer.
I don't know anything about webmin and what it does. I assume that it's some form of web based sysadmin tool. Personally, I think the whole principle is unwise but that's just my opinion.
I guess you could make it safer if you ran a second copy of Apache on a very unusual port as root and limited access to that port to very specific IP addresses or ranges with IPTABLES.

Hope that helps.



Trojan.
 
yes, the WORLD, as in I will be the only one who can actually gain access to it. Go figure...
The idea is fine, I can do the parts of passing the input, all I want to be told is how to get the root access! That's the problem with the docs I find on the internet: they are all too ready to tell me that it is unsafe and I should take caution when doing it, but none of them are prepared to tell me how to do it. Just tell me how to do it; the webadmin interface will only be accessible from my LAN anyway, and at the moment the machine in question has no possibility to be accessed from the outside. Now back to the question, how do I do it?
 
Easy tiger!
No need to get stroppy, that's not a good way to get help.
We have to be careful here since we never know who we are talking to and we don't want to invite people to open their machines to the world to be destroyed.
You should be pleased that we care!

Anyway, so long as you're sure you are safe, I think you'll find in the Apache httpd.conf file there is an entry that controls which user the Apache process runs as. By default it is user "apache" to give minimum access.
User apache
Group apache

I would guess that you could change these to be root and root and restart the server and hey presto!

Let us know how you get on (unless you're gonna bite my head off again!!)



Trojan.
 
Sorry about that, angry at my family and I guess I took it out on you. I appreciate the help though :)

I don't want to change what the actual Apache process is run by, but I would like to just do it internally during the script. Would executing sudo work? I could create a cgi script that can be called with sudo with a set of arguments to execute things... I'd have to scan (and probably log) the user input for security's sake, but does anyone know if this is a good way of going about things? I will be protecting the whole area of the website with Apache's login system thing...

Any thoughts/suggestions on this plan?
 
Sudo would have been my next thought.
You could set a script with the setuid bit but in my experience that is less than reliable. I don't know why.
You could try it though.
I've never used Sudo before but I love the concept. The only reason I don't use it is simply because there are very few users on my machines and they never need root access. In a different situation it would be top of the list for me.
I don't think that the CGI will be callable directly with Sudo, I think you'll have to create a child process (script) that your CGI calls so that Sudo has a process name and userid (apache) to latch on to.


Trojan.
 
It can be called directly from sudo if I REALLY REALLY try, I just have to make sudo run "/usr/bin/perl -e 'my script here'" but I think the idea of spawning a separate child process to do the root part is better... I'll have to see where things go... Thanks for your help on this :)
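The arrangement the thread ends on (sudo running a separate child script that does the root part, as suggested in the last two replies, rather than the CGI itself), as an added example that is not part of the original posts: a wrapper script that is the only thing the Apache user may run through sudo, plus the sudoers line that pins it to that script and those arguments. The path /usr/local/sbin/fw-admin, the action names save and list, and the user name apache are assumptions; the logging and the refusal of unknown actions are the parts worth copying.

```shell
#!/bin/sh
# fw-admin: the only command user "apache" is allowed to run via sudo.
# Hypothetical sudoers entry (add with visudo, not by editing the file):
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/fw-admin save, /usr/local/sbin/fw-admin list
# NOPASSWD because a CGI cannot answer a password prompt. If the distribution's
# sudoers sets "Defaults requiretty", also add "Defaults:apache !requiretty".
# The CGI then runs:  sudo -n /usr/local/sbin/fw-admin save
# and sudoers, not the CGI, decides what is permitted.

# Never trust the caller's environment: fixed PATH, no inherited IFS.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
unset IFS

log_msg() {
    # Syslog if a logger is available; never fail the request because of logging.
    if command -v logger >/dev/null 2>&1; then
        logger -p "$1" -t fw-admin "$2" || :
    fi
}

# Map an action keyword to exactly one fixed command line. Anything not in
# the table is refused, so shell metacharacters or extra words from the web
# side never reach a shell. Prints the command on success; returns 1 otherwise.
resolve_action() {
    case "$1" in
        save) echo "iptables-save" ;;
        list) echo "iptables -L -n -v" ;;
        *)    return 1 ;;
    esac
}

fw_admin() {
    # Refuse extra arguments. The sudoers entry above already pins the exact
    # argument list, but the script should not rely on that alone.
    if [ "$#" -ne 1 ]; then
        echo "usage: fw-admin save|list" >&2
        return 2
    fi
    cmd=$(resolve_action "$1") || {
        log_msg auth.warning "refused action '$1' from uid $(id -u)"
        echo "fw-admin: action not permitted" >&2
        return 1
    }
    log_msg auth.info "running '$cmd' for uid $(id -u)"
    # $cmd comes from our own table, never from the caller, so word-splitting
    # it here is safe.
    $cmd
}

# Run only when invoked with an argument, so the file can also be sourced.
if [ -n "${1:-}" ]; then
    fw_admin "$@"
fi
```

From the Perl CGI, call it in list form so no shell is involved on the web side either: `system('sudo', '-n', '/usr/local/sbin/fw-admin', 'save')`. The `-n` makes sudo fail rather than hang waiting for a password. The wrapper must be root-owned and not writable by the Apache user: sudo runs whatever is at that path, so a writable wrapper is a writable root shell.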
 