Re: [Hampshire] Running a script that needs to do a rooty thing
On 29 November 2010 04:59, Stephen Nelson-Smith wrote:
> On Fri, Nov 26, 2010 at 6:15 PM, Victor Churchill wrote:
> > Hi
> >
> > I have been asked to make a Perl script that does some stuff with Apache's
> > config (adds a virtual host) and then does an apache2ctl graceful to tell
> > Apache to re-read its config files.
>
> Sounds like the sort of thing that would be well handled with Puppet /
> Chef / CFengine. Appreciate that may be overkill, but it's something
> to consider. Doing this with a Perl script is a bit of a smell to me.
>
> But you can do anything in Perl ;-)

It is interesting that this comment has come up a couple of times. The boss has this idea in mind that he intends to provide this capability to the end user/customer so that they can do some of their own admin; so the requirement came down de facto as 'we need a perl script to do this'. I had not really thought of it as a CMS-related kind of task, but am not at all familiar with cfengine et al so should probably take a look. I don't think much more is envisaged but these things often come back and bite you.

By the way, the sudoers approach did work. I got some misleading errors complaining about

>>> /etc/sudoers: syntax error near line 28 <<<

which eventually I saw were due to a missing newline at the end of the file ;.-)

> S.
> --
> Stephen Nelson-Smith
> Technical Director
> Atalanta Systems Ltd
> www.atalanta-systems.com

--
best regards,
Victor Churchill,
Bournemouth

--
Please post to: Hampshire@mailman.lug.org.uk
Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL: http://www.hantslug.org.uk
--
Re: [Hampshire] Running a script that needs to do a rooty thing
On Fri, Nov 26, 2010 at 6:15 PM, Victor Churchill wrote:
> Hi
>
> I have been asked to make a Perl script that does some stuff with Apache's
> config (adds a virtual host) and then does an apache2ctl graceful to tell
> Apache to re-read its config files.

Sounds like the sort of thing that would be well handled with Puppet / Chef / CFengine. Appreciate that may be overkill, but it's something to consider. Doing this with a Perl script is a bit of a smell to me.

S.
--
Stephen Nelson-Smith
Technical Director
Atalanta Systems Ltd
www.atalanta-systems.com
Re: [Hampshire] Running a script that needs to do a rooty thing
On 26 November 2010 21:43, Dominic Cleal wrote:
> On 26/11/10 21:04, Vic wrote:
>
> I'd strongly recommend using sudo, it isn't daft. It's really easy to
> configure, it gives you auditing via syslog and should run the command
> in a secure environment out of the box.
>
> Add a line to the bottom of /etc/sudoers similar to:
>
> www-data ALL = (root) NOPASSWD: /usr/sbin/apachectl graceful
>
> The www-data user will be able to only run the single command with the
> exact set of arguments given. Then just run "sudo apachectl graceful"
> from your script.

I would use this option also. It is what sudoers was designed for. sudo has the setuid bit set, so that it can do its job. The advantage of using sudo is that it has been around for a long time, so vulnerabilities in it have mostly been already dealt with.

But there should be a way to do this without having to be root. All you have to do is send the apache process the SIGUSR1, and that should not need root access.

kill -SIGUSR1 3443

(where 3443 is the PID of the Apache process)

So long as the user running the kill command is the same as the apache process itself. Just look in the apachectl scripts to find out where it gets the PID from.
Re: [Hampshire] Running a script that needs to do a rooty thing
Hi Victor,

On Fri, Nov 26, 2010 at 06:15:22PM, Victor Churchill wrote:
> I have been asked to make a Perl script that does some stuff with Apache's
> config (adds a virtual host) and then does an apache2ctl graceful to tell
> Apache to re-read its config files.

I concur with Dominic's response.

Just as an aside, and I realise you may have thought of this already... I would recommend doing "apache2ctl configtest" after your script has done its editing so you can tell that the config you've written does parse. If it doesn't then you could have your script back out its changes.

Also what you're doing is configuration management so it might be worth looking at bcfg2, cfengine, puppet or similar to check you're not reinventing any wheels.

Cheers,

Andy
--
>> I have just recently purchased a Feathercraft Big Kahuna kayak
> does it have a heater?
Of course not. Everyone knows you can't have your kayak and heat it.
-- James Fidell
Re: [Hampshire] Running a script that needs to do a rooty thing
Thanks to all. Looks like a restricted sudo will be the way to go. I will give that a try, I'm pretty confident it should do what's required.
Re: [Hampshire] Running a script that needs to do a rooty thing
On 26/11/10 21:43, Dominic Cleal wrote:
> It'd be difficult to write a setuid script securely as environment
> variables (e.g. PATH, LD_LIBRARY_PATH) could be used to make the script
> run all sorts of things the author didn't intend.

Small correction: apparently LD_* type variables are ignored on setuid binaries anyway, or you'd have the same issues... dangerous stuff anyway :-)

--
Dominic Cleal
domi...@computerkb.co.uk
Re: [Hampshire] Running a script that needs to do a rooty thing
On 26/11/10 21:04, Vic wrote:
>> It would be daft to make www-data a sudoer and I'm not sure how I would do
>> that anyway. Any ideas on how to achieve this, or alternatives?
>
> Factor out the couple of bits that need root privilege, and put them in
> their own scripts. Make those scripts executable only by the www-data
> user, and then make them setuid.
>
> Your main script can then run with reduced privilege, and call the setuid
> ones as necessary.

You probably won't be able to do this, setuid scripts are usually blocked by the OS. It'd be difficult to write a setuid script securely as environment variables (e.g. PATH, LD_LIBRARY_PATH) could be used to make the script run all sorts of things the author didn't intend. apachectl itself is also a script, so might also be susceptible to attack.

On 26/11/10 18:15, Victor Churchill wrote:
> It would be daft to make www-data a sudoer and I'm not sure how I
> would do that anyway. Any ideas on how to achieve this, or
> alternatives?

I'd strongly recommend using sudo, it isn't daft. It's really easy to configure, it gives you auditing via syslog and should run the command in a secure environment out of the box.

Add a line to the bottom of /etc/sudoers similar to:

www-data ALL = (root) NOPASSWD: /usr/sbin/apachectl graceful

The www-data user will be able to only run the single command with the exact set of arguments given. Then just run "sudo apachectl graceful" from your script.

Cheers,

--
Dominic Cleal
domi...@computerkb.co.uk
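Putting the restricted sudoers entry above together with Andy's "configtest, then back out" advice, here is an added sketch of what the www-data side could look like; it is not code from the thread or from anyone in it. The Ubuntu paths, the apache2ctl name (the sudoers line must name exactly the binary the script invokes) and the sudo location are assumptions; configtest is run directly as www-data here, and on a box where it needs root (unreadable includes or keys) that exact command would have to go into sudoers as well.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumes Ubuntu 10.04 paths and a
# sudoers entry that lets www-data run exactly one command and nothing else:
#   www-data ALL = (root) NOPASSWD: /usr/sbin/apache2ctl graceful
use strict;
use warnings;

my $AVAIL   = '/etc/apache2/sites-available';   # assumed, owned by www-data
my $ENABLED = '/etc/apache2/sites-enabled';     # assumed, owned by www-data
my $CTL     = '/usr/sbin/apache2ctl';           # must match the sudoers path exactly

# Write the vhost, check the whole config with configtest, then ask root (via
# sudo) for a graceful reload. Any failure removes what was written, so the
# root-started parent Apache never re-reads a broken config. Returns 1 on success.
sub add_vhost {
    my ($name, $docroot) = @_;
    # Accept only a plain hostname and an absolute path: these strings end up
    # in a file that a root-started daemon will parse.
    die "bad server name\n" unless $name    =~ /\A[a-z0-9][a-z0-9.-]{0,252}\z/;
    die "bad docroot\n"     unless $docroot =~ m{\A/[A-Za-z0-9_./-]+\z};
    my $conf = "$AVAIL/$name.conf";
    my $link = "$ENABLED/$name.conf";
    die "$conf already exists\n" if -e $conf || -e $link;

    open my $fh, '>', $conf or die "cannot write $conf: $!\n";
    print {$fh} "<VirtualHost *:80>\n",
                "    ServerName $name\n",
                "    DocumentRoot $docroot\n",
                "</VirtualHost>\n";
    close $fh or die "cannot close $conf: $!\n";
    symlink $conf, $link or do { unlink $conf; die "cannot enable site: $!\n" };

    # List-form system() goes straight to execve: no shell, so neither the
    # environment nor our strings can be reinterpreted as extra commands.
    if (system($CTL, 'configtest') != 0) {
        unlink $link, $conf;                    # back out the change
        warn "configtest failed, change reverted\n";
        return 0;
    }
    # -n: never prompt; if the sudoers entry is missing or wrong, fail loudly.
    if (system('/usr/bin/sudo', '-n', $CTL, 'graceful') != 0) {
        unlink $link, $conf;
        warn "graceful reload failed, change reverted\n";
        return 0;
    }
    return 1;
}

exit(add_vhost(@ARGV) ? 0 : 1) if @ARGV == 2;
```

Because sudoers matches the full argument list, a stray extra argument or a different path makes sudo refuse, and both the refusal and each successful reload land in syslog, which is the audit trail Dominic mentions.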
Re: [Hampshire] Running a script that needs to do a rooty thing
> It would be daft to make www-data a sudoer and I'm not sure how I would do
> that anyway. Any ideas on how to achieve this, or alternatives?

Factor out the couple of bits that need root privilege, and put them in their own scripts. Make those scripts executable only by the www-data user, and then make them setuid.

Your main script can then run with reduced privilege, and call the setuid ones as necessary.

Vic.
Re: [Hampshire] Running a script that needs to do a rooty thing
On Friday 26 November 2010 18:15:22 Victor Churchill wrote:
> Hi
>
> I have been asked to make a Perl script that does some stuff with Apache's
> config (adds a virtual host) and then does an apache2ctl graceful to tell
> Apache to re-read its config files.
> This is Ubuntu 10.04, Apache 2.2. The script does its thing with the files
> (it runs as the www-data userID, and the files belong to www-data, so
> that's OK). But it can't do the apache2ctl command. Although the running
> apache processes are owned by www-data, the startup of apache is done as
> root to bind a socket to address :80 AIUI.
>
> It would be daft to make www-data a sudoer and I'm not sure how I would do
> that anyway. Any ideas on how to achieve this, or alternatives?
>
> thanks

Can you ask for a password then su to root? Or perhaps store a password hash?

Tim B.
--
OpenPilot - Open-source Marine Chart Plotter
Lead Developer
http://openpilot.sourceforge.net