LinuxQuestions.org
Old 06-08-2006, 01:23 AM   #1
Calltor
Member
 
Registered: Aug 2005
Location: Jerusalem, Israel
Distribution: Slackware 10.1
Posts: 42

Rep: Reputation: 15
PHP exec() on Apache - Privileges Problem


Hi all,

I'm running Apache server on my machine, and I am unable to execute commands that need root privileges, in this case running a program that writes to the parallel port. The program runs fine from the terminal with sudo or when logged in as root.

When I run on the server echo exec('whoami'), I get "nobody". The server was started as root.

Is there any way I can solve this problem using sudo? I need to pass the password for sudo within the exec() command, inside a PHP page.

Thanks
 
Old 06-08-2006, 05:08 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote: "I need to pass the password for sudo within the exec() command, inside a PHP page"
AFAIK not unless you set up a proper Sudo Cmnd_Alias (make sure you scrub everything for parameter abuse) and give it to the user as a NOPASSWD entry.
 
Old 06-08-2006, 05:20 AM   #3
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
There is this:
http://www.suphp.org/Home.html
I haven't tried it but it seems stable as others are using it.
 
Old 06-08-2006, 06:18 AM   #4
penguintutor
Member
 
Registered: Jun 2006
Location: UK
Distribution: Ubuntu, Mandriva, Redhat and Fedora
Posts: 118

Rep: Reputation: 15
A possible solution, depending upon your system, would be to give the required privileges to the nobody user.

E.g. adding the user "nobody" to the "lp" group, which will normally have write permission to the parallel port.

e.g.
First check if there are any other groups that nobody is currently part of using the groups command. If there are, then add these to a comma-separated list as well as the lp group (although there is no need to include the group nobody, which should be the user's default group).
usermod -G lp nobody

Depending upon what your program is doing it may not be that simple, but can work for some purposes.

A similar technique is used to give normal users access to the floppy drive, which is normally handled by default by most distros.

If it works this is more secure than allowing a webserver to run commands as root.
 
Old 06-08-2006, 06:53 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
OK. Can someone please do me a favour and explain the pros and cons of these three options?
 
Old 06-08-2006, 07:15 AM   #6
Calltor
Member
 
Registered: Aug 2005
Location: Jerusalem, Israel
Distribution: Slackware 10.1
Posts: 42

Original Poster
Rep: Reputation: 15
Thanks to all of you

and btw, I don't care about security this time... all this machine has to do is to control the parallel port, it's a 400MHz Celeron...
 
Old 06-08-2006, 07:32 AM   #7
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Different solutions, pros/cons:
-> basic sudo
pros: fine grain on which user is able to execute which executable
cons: possibility to use this feature out of apache. Not really a con as far as I can see, depends on how everything is done.

-> suphp
From what I read on their website, you configure suphp to run one php script with the privilege of a chosen user.
pros: can do a chroot, has extensive checks.
cons: you bring the suphp suid binary (not your php script) on your machine. You can couple it with sudo for a certain user if you don't like having suid on your machine runnable by everyone. Also you have to audit the complete suphp mechanism compared to sudo which is very small/tested.

-> nobody is put in lp group
pros: very easy to implement
cons: every process whose execution you can control (by means of a vuln or a self-made binary sent to the server) running as user nobody will be able to print hundreds of pages with "fuc* off" on your printer (nice idea)

-> run apache as root
pros: "no security for now", very quick
cons: your machine will be severely compromised in case of a vulnerability.

That's a very quick answer. Discussion is opened..
Cheers

ps: I prefer the method of sudo from unSpawn, I think, with a chrooted apache

Last edited by nx5000; 06-08-2006 at 07:34 AM.
 
Old 06-08-2006, 11:13 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
@Calltor: I don't care about security
...so it apparently makes sense we all do, and so should you. Coding something w/o regard for security is a recipe for disaster, security ain't no "add-on", besides with anyone using PHP I'm twice as suspicious.


@NX5000: good comparison, WD. I agree introducing "extra" setuid binaries ain't a good start if you can avoid it, and you make a good point about chrooting. I fear the real problem starts with interaction between parts: scrubbing user input (which should never be trusted) and restrict supplying parameters. Sudo can restrict which arguments are allowed, but the "app" in front should do all the work essentially.

Somehow I get the idea we're stuck with another hit 'n run who will never read this...
 
Old 06-09-2006, 06:29 AM   #9
Calltor
Member
 
Registered: Aug 2005
Location: Jerusalem, Israel
Distribution: Slackware 10.1
Posts: 42

Original Poster
Rep: Reputation: 15
I've said "I don't care about security this time", and not "I don't care about security at all", and this is because the server is accessible only in my LAN, and all it has to do is to control some parallel port device I made. I do care about security when there is some reason to.
 
Old 06-09-2006, 06:40 AM   #10
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282
A different approach that might work: make use of setuid in your program. This however can only be done if you can modify the source of the program.

Probably the best example of a program that uses setuid is ping, which needs root privileges but can be run by any ordinary user.
 
Old 06-09-2006, 06:42 AM   #11
Calltor
Member
 
Registered: Aug 2005
Location: Jerusalem, Israel
Distribution: Slackware 10.1
Posts: 42

Original Poster
Rep: Reputation: 15
Of course, I wrote the program. Can you plz tell me how to use setuid?
 
Old 06-09-2006, 06:56 AM   #12
Calltor
Member
 
Registered: Aug 2005
Location: Jerusalem, Israel
Distribution: Slackware 10.1
Posts: 42

Original Poster
Rep: Reputation: 15
This is my script now, but again, I can only run it as root...

Code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/io.h>   /* userspace header for ioperm() and outb() */

#define port 0x378    /* base address of the first parallel port */

int main(int argc, char **argv){
    int value;

    /* Only succeeds when run by root or when the binary is setuid root. */
    setuid(0);

    if(argc != 2)
        fprintf(stderr, "Error: Wrong number of arguments\n"), exit(1);
    if(sscanf(argv[1], "%i", &value) != 1)
        fprintf(stderr, "Error: Parameter is not a number\n"), exit(1);
    if(value < 0 || value > 255)
        fprintf(stderr, "Error: Invalid numeric value\n"), exit(1);
    /* ioperm() needs root privileges (CAP_SYS_RAWIO) */
    if(ioperm(port, 1, 1))
        fprintf(stderr, "Error accessing port\n"), exit(1);
    outb((unsigned char) value, port);
    fprintf(stdout, "Data sent to port\n");
    return 0;
}
 
Old 06-09-2006, 08:40 AM   #13
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282Reputation: 282Reputation: 282
Code:
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <unistd.h>
#include <sys/types.h>

static uid_t euid, ruid;

/* Restore the effective UID to its original value. */
void do_setuid (void)
{
    int status;

#ifdef _POSIX_SAVED_IDS
    status = seteuid (euid);
#else
    status = setreuid (ruid, euid);
#endif
    if (status < 0)
    {
        fprintf (stderr, "Couldn't set uid.\n");
        exit(status);
    }
}

/* Set the effective UID to the real UID. */
void undo_setuid (void)
{
    int status;

#ifdef _POSIX_SAVED_IDS
    status = seteuid (ruid);
#else
    status = setreuid (euid, ruid);
#endif
    if (status < 0)
    {
        fprintf (stderr, "Couldn't set uid.\n");
        exit (status);
    }
}

int main()
{
    FILE *fp;

    ruid = getuid ();
    euid = geteuid ();

    undo_setuid ();
    printf("uid=%d\n",getuid());
    printf("euid=%d\n",geteuid());

    fp=fopen("/var/log/debug","r");
    if(fp==NULL)
    {
        printf("Could not open file\n");
    }
    else
    {
        printf("File opened\n");
        fclose(fp);
    }

    do_setuid ();
    printf("uid=%d\n",getuid());
    printf("euid=%d\n",geteuid());

    fp=fopen("/var/log/debug","r");
    if(fp==NULL)
    {
        printf("Could not open file\n");
    }
    else
    {
        printf("File opened\n");
        fclose(fp);
    }

    return 0;

}
Compile the file, make root the owner (chown) and change the permissions:
Code:
root@btd-techweb01:/home/wim/progs/lq452660# ls -l
total 20
-rwxr-xr-x  1 wim develop 12361 2006-06-09 15:33 lq452660
-rw-r--r--  1 wim develop  1381 2006-06-09 15:28 lq452660.c
root@btd-techweb01:/home/wim/progs/lq452660# chown root lq452660
root@btd-techweb01:/home/wim/progs/lq452660# chmod 4755 lq452660
root@btd-techweb01:/home/wim/progs/lq452660# ls -l
total 20
-rwsr-xr-x  1 root develop 12361 2006-06-09 15:33 lq452660
-rw-r--r--  1 wim  develop  1381 2006-06-09 15:28 lq452660.c
Run the program as normal user. It attempts to open /var/log/debug which is something that a normal user normally can't do. The first attempt will fail because we canceled 'our' special permission.
Next we re-assign it and the result will be ok.
Code:
wim@btd-techweb01:~/progs/lq452660$ ./lq452660
uid=1000
euid=1000
Could not open file
uid=1000
euid=0
File opened
The two functions at the top are taken from http://www.gnu.org/software/libc/man...m-Example.html

Please note:
Never keep the special permissions in your program longer than required. So assign just before you do something and immediately revoke again. That's also why it was initially revoked (in the beginning of the program).

Last edited by Wim Sturkenboom; 06-09-2006 at 08:43 AM.
 
Old 06-09-2006, 09:04 AM   #14
Calltor
Member
 
Registered: Aug 2005
Location: Jerusalem, Israel
Distribution: Slackware 10.1
Posts: 42

Original Poster
Rep: Reputation: 15
thank u very very much!
 
  

