Re: [e-smith-devinfo] PHP and Events
On Fri, Feb 15, 2002 at 08:57:07AM -0500, Noah Berlove <[EMAIL PROTECTED]> wrote:

> Charlie,
>
> Maybe I'm not reading the question correctly, but how is PHP different in
> this case to Perl? PHP is also installed as a binary on the server
> (/usr/bin/php), so you should be able to write PHP scripts that have
> whatever rights and permissions you want.

One doesn't follow from the other. Setuid Perl programs work because Perl ships with a wrapper that magically handles setuidness even though the Linux kernel explicitly ignores the setuid bit on scripts; there's no equivalent with PHP. (Even then, the discussion was really about mod_php, where the PHP code essentially becomes part of the running webserver; mod_perl works the same way.)

> As long as the script can be run by the web server, it should work.

No, it will be run with the webserver user's privileges.

-Rich

--
Rich Lafferty
Technical Support Engineer, Network Server Solutions Group
Mitel Networks, Ottawa, ON (613) 751-4404
[EMAIL PROTECTED]

--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
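The point made in the reply above (the Linux kernel ignores the setuid bit on scripts) can be checked on a server by auditing which setuid files are binaries and which are `#!` scripts. This is an added example, not part of the original thread; the file names and contents in `build_sample_tree` are constructed, and only the first bytes of each file are inspected.

```python
import stat
import tempfile
from pathlib import Path

def classify(path):
    """Return (kind, interpreter); kind is 'elf', 'script' or 'other'."""
    with open(path, "rb") as fh:
        head = fh.read(256)
    if head.startswith(b"\x7fELF"):
        return "elf", None
    if head.startswith(b"#!"):
        words = head[2:].split(b"\n", 1)[0].split()
        return "script", words[0].decode("utf-8", "replace") if words else ""
    return "other", None

def audit_setuid(root):
    """List regular files under root that carry the setuid bit."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        st = p.lstat()
        if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID):
            continue
        kind, interp = classify(p)
        # Linux applies the setuid bit only to a binary it loads itself. For a
        # "#!" file it runs the interpreter and ignores the bit, so the script
        # keeps the caller's uid unless the interpreter has its own helper.
        findings.append({"path": str(p.relative_to(root)), "kind": kind,
                         "interpreter": interp,
                         "bit_applied_by_kernel": kind == "elf"})
    return findings

def build_sample_tree(root):
    """Write constructed sample files (made-up names, not from the thread)."""
    samples = {
        "helper.bin": (b"\x7fELF" + b"\0" * 12, 0o4755),   # fake ELF header
        "panel.php": (b"#!/usr/bin/php\n<?php echo 1; ?>\n", 0o4755),
        "manager.pl": (b"#!/usr/bin/perl -wT\nprint 1;\n", 0o4755),
        "plain.php": (b"#!/usr/bin/php\n<?php echo 1; ?>\n", 0o755),
    }
    for name, (data, mode) in samples.items():
        p = Path(root, name)
        p.write_bytes(data)
        p.chmod(mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*audit_setuid(tmp), sep="\n")
```

A setuid script reported with `bit_applied_by_kernel: False` runs with the caller's privileges, which is the behaviour described in the thread for PHP.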
Re: [e-smith-devinfo] PHP and Events
Charlie,

Maybe I'm not reading the question correctly, but how is PHP different in this case to Perl? PHP is also installed as a binary on the server (/usr/bin/php), so you should be able to write PHP scripts that have whatever rights and permissions you want. As long as the script can be run by the web server, it should work.

Noah

At 14/02/2002 11:21 PM, Charlie Brady wrote:

> On Fri, 15 Feb 2002, Darrell May wrote:
>
> > Charlie Brady <[EMAIL PROTECTED]> said:
> >
> > > That won't work for all events and actions. From PHP scripts,
> > > "signal-event" will be run as user "admin", belonging to various groups,
> > > including "root". There's plenty of things that "admin" doesn't have
> > > permission to do.
> >
> > Permit me to rephrase... capable of launching any event/action that admin
> > has rights to launch ;->
>
> Being able to launch the events and actions is not sufficient. They have
> to actually work, which generally requires "root" privilege.
RE: [e-smith-devinfo] PHP and Events
On Thu, 14 Feb 2002, Trevor Ouellette wrote:

> In other words, if I created an event/action and gave it admin rights, I
> could control the system (reboots, shutdowns, update files, etc.) through
> that event.

No.

--
Charlie Brady [EMAIL PROTECTED]
Lead Product Developer
Network Server Solutions Group http://www.e-smith.com/
Mitel Networks Corporation http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739
Re: [e-smith-devinfo] PHP and Events
On Fri, 15 Feb 2002, Darrell May wrote:

> Charlie Brady <[EMAIL PROTECTED]> said:
>
> > That won't work for all events and actions. From PHP scripts,
> > "signal-event" will be run as user "admin", belonging to various groups,
> > including "root". There's plenty of things that "admin" doesn't have
> > permission to do.
>
> Permit me to rephrase... capable of launching any event/action that admin
> has rights to launch ;->

Being able to launch the events and actions is not sufficient. They have to actually work, which generally requires "root" privilege.

--
Charlie Brady [EMAIL PROTECTED]
Lead Product Developer
Network Server Solutions Group http://www.e-smith.com/
Mitel Networks Corporation http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739
RE: [e-smith-devinfo] PHP and Events
In other words, if I created an event/action and gave it admin rights, I could control the system (reboots, shutdowns, update files, etc.) through that event.

Trev.

> -Original Message-
> From: Darrell May [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 14, 2002 6:46 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [e-smith-devinfo] PHP and Events
>
> Charlie Brady <[EMAIL PROTECTED]> said:
>
> > That won't work for all events and actions. From PHP scripts,
> > "signal-event" will be run as user "admin", belonging to various groups,
> > including "root". There's plenty of things that "admin" doesn't have
> > permission to do.
>
> Permit me to rephrase... capable of launching any event/action that admin
> has rights to launch ;->
Re: [e-smith-devinfo] PHP and Events
Charlie Brady <[EMAIL PROTECTED]> said:

> That won't work for all events and actions. From PHP scripts,
> "signal-event" will be run as user "admin", belonging to various groups,
> including "root". There's plenty of things that "admin" doesn't have
> permission to do.

Permit me to rephrase... capable of launching any event/action that admin has rights to launch ;->

Regards,

--
Darrell May
DMC Netsourced.com
http://netsourced.com
http://myEZserver.com
Re: [e-smith-devinfo] PHP and Events
On Fri, 15 Feb 2002, Darrell May wrote:

> Charlie Brady <[EMAIL PROTECTED]> said:
>
> > There was some discussion about running PHP in the admin web server a few
> > weeks ago where I discussed some of the security implications.
>
> Yes, and for those that understand the security implications and still need
> to run a PHP app inside the server-manager as 'admin', capable of launching
> any event/action, you may simply implement my provided solution:
>
> http://myezserver.com/downloads/mitel/contrib/addPHP2admin-0.0.1

That won't work for all events and actions. From PHP scripts, "signal-event" will be run as user "admin", belonging to various groups, including "root". There's plenty of things that "admin" doesn't have permission to do.

--
Charlie Brady [EMAIL PROTECTED]
Lead Product Developer
Network Server Solutions Group http://www.e-smith.com/
Mitel Networks Corporation http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739
Re: [e-smith-devinfo] PHP and Events
Charlie Brady <[EMAIL PROTECTED]> said:

> There was some discussion about running PHP in the admin web server a few
> weeks ago where I discussed some of the security implications.

Yes, and for those that understand the security implications and still need to run a PHP app inside the server-manager as 'admin', capable of launching any event/action, you may simply implement my provided solution:

http://myezserver.com/downloads/mitel/contrib/addPHP2admin-0.0.1

Regards,

--
Darrell May
DMC Netsourced.com
http://netsourced.com
http://myEZserver.com
RE: [e-smith-devinfo] PHP and Events
I recall that discussion now that you mentioned it.

Thanks for the info.

Trev.

> -Original Message-
> From: Charlie Brady [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 14, 2002 4:40 PM
> To: Trevor Ouellette
> Cc: [EMAIL PROTECTED]
> Subject: Re: [e-smith-devinfo] PHP and Events
>
> The short answer is no. PHP scripts are interpreted inside the web server,
> so run with the user and group id of the web-server, i.e. www. And 'www'
> doesn't have permission to do anything privileged. The manager scripts can
> do privileged things because they are setuid scripts, and run as 'root'.
>
> There was some discussion about running PHP in the admin web server a few
> weeks ago where I discussed some of the security implications.
Re: [e-smith-devinfo] PHP and Events
On Thu, 14 Feb 2002, Trevor Ouellette wrote:

> I've got an interesting question.
>
> Is it possible to have a PHP panel that can trigger an event or action?
>
> What kind of security is involved here?
>
> So, if the event/actions are built, the templates are in place, and the
> configuration have their respective variables set up... can PHP trigger the
> event and put the whole system in motion?

The short answer is no. PHP scripts are interpreted inside the web server, so run with the user and group id of the web-server, i.e. www. And 'www' doesn't have permission to do anything privileged. The manager scripts can do privileged things because they are setuid scripts, and run as 'root'.

There was some discussion about running PHP in the admin web server a few weeks ago where I discussed some of the security implications.

--
Charlie Brady [EMAIL PROTECTED]
Lead Product Developer
Network Server Solutions Group http://www.e-smith.com/
Mitel Networks Corporation http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000 Fax: +1 (613) 564 7739
[e-smith-devinfo] PHP and Events
I've got an interesting question.

Is it possible to have a PHP panel that can trigger an event or action?

What kind of security is involved here?

So, if the event/actions are built, the templates are in place, and the configuration have their respective variables set up... can PHP trigger the event and put the whole system in motion?

If anybody has an opinion, I would like to hear it.

Trev.