Re: [leaf-devel] Allowing Weblet to change a root file
Brad,

Thank you so much for pointing me in the right direction. I have my shell script, toggle_udp, which checks to see if ip_masq_udp_dloose is set to 0, and if so, it sets it to 1 (and vice-versa). I also just found a little C code snippet on google that I think should do what I want. This is what I have:

---
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

/* Setuid-root wrapper: become root, then run the toggle script. */
int main(void)
{
    int status;

    status = setuid(0);
    if (status == -1) {
        fprintf(stderr, "Error setting uid to 0\n");
        exit(1);
    }
    system("/var/sh-www/cgi-bin/toggle_udp");
    exit(0);
}
---

Now my only problem is, how do I compile this to run on Leaf? Is there a compiler available and small enough to work on the system? Or would I have to compile it elsewhere, and then move it over to leaf? If this is the case, I only have access to machines running windows or solaris. Would anyone be willing to compile the small program above for me?

-Kelly

---
This sf.net email is sponsored by: Influence the future of Java(TM) technology. Join the Java Community Process(SM) (JCP(SM)) program now.
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0002en
___
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
Re: [leaf-devel] Allowing Weblet to change a root file
On Wed, Oct 23, 2002 at 01:08:11PM +0000, Kelly Brown wrote:

> Now my only problem is, how do I compile this to run on Leaf? Is there a compiler available and small enough to work on the system?

Not that I know of.

> Or would I have to compile it elsewhere, and then move it over to leaf? If this is the case, I only have access to machines running windows or solaris.

I don't know about either of those. I guess it *is* possible to compile it somehow, though *my* guess is that solaris would be the best bet... In any case you might want to have a look at:

http://leaf.sourceforge.net/devel/jnilo/uml.html

- though I have no idea whether it will work on solaris...

> Would anyone be willing to compile the small program above for me?

Look in your inbox ;)

It compiles fine in UML, and looks as if it works. At least in that once it's 'chown root:root wrapper' and 'chmod a+s wrapper' 'ered, execution fails with:

jon@a13-8:~/Projekt/blinder/C/src/KellyBrown ./wrapper
sh: /var/sh-www/cgi-bin/toggle_udp: No such file or directory

Let us know how it goes :)

HTH
Jon Clausen
Re: [leaf-devel] Allowing Weblet to change a root file
Kelly,

On Wed, 23 Oct 2002 13:08:11 GMT Kelly Brown wrote:

> Brad, Thank you so much for pointing me in the right direction.

Glad to help.

> I have my shell script, toggle_udp, which checks to see if ip_masq_udp_dloose is set to 0, and if so, it sets it to 1 (and vice-versa). I also just found a little C code snippet on google that I think should do what I want. This is what I have:
>
> [C code that looks like it will work snipped]
>
> Now my only problem is, how do I compile this to run on Leaf? Is there a compiler available and small enough to work on the system? Or would I have to compile it elsewhere, and then move it over to leaf?

Stock Dachstein and Bering distributions both use glibc 2.0.7. Often LEAF developers compile under Debian slink, sometimes running under UML[1] or VMWare.

> If this is the case, I only have access to machines running windows or solaris. Would anyone be willing to compile the small program above for me?

That would make it tough. It's probably possible to cross-compile from one of those platforms for a x86 glibc 2.0.7 target system, but just thinking about setting up the development environment makes my head spin. ;)

Sounds like Jon hooked you up with a compiled version, so hopefully you're set now.

--Brad

[1] http://leaf.sf.net/devel/jnilo/uml.html
Re: [leaf-devel] Allowing Weblet to change a root file
>> Less secure would be to do the same thing with a setuid shell script.
>
> It's my understanding that shell scripts will not work suid. (I did try that out before turning to C, it never worked, and I seem to remember seeing an explanation of why it doesn't work somewhere...) CCMIW

For the record, linux will *NOT* honor the setuid bit on shell scripts...there's just no practical way to make them secure.

Also on the security front, I would strongly suggest directly modifying the desired /proc flag with the C code, rather than calling any sort of shell script. There are too many ways to manipulate the shell if you're not careful, and while you probably don't have to worry about a lot of these problems on LEAF (which typically isn't setup with user accounts), I never like taking shortcuts with security...it's too easy to build bad habits and forget yourself when it really *DOES* matter.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[leaf-devel] Allowing Weblet to change a root file
Hi guys,

I'll admit right up front that I'm not very knowledgeable in regards to Linux, so I hope I don't come off sounding TOO foolish. I do a lot of web development, so I do know my way around a unix/linux environment somewhat. I'm more used to working in a cgi environment with perl or php, so this stuff is a tiny bit different for me.

Anyhow, what I want to do basically is use weblet to run the following line:

echo 1 > /proc/sys/net/ipv4/ip_masq_udp_dloose

and alternately:

echo 0 > /proc/sys/net/ipv4/ip_masq_udp_dloose

I essentially want to allow someone on the local network to be able to toggle loose UDP routing on and off at will through a web interface.

I made a tiny little script to do this, but it doesn't work. It runs, but the ip_masq_udp_dloose file never changes and I'm GUESSING it's because weblet isn't allowed to touch it because it's owned by root. It works fine if I run the script through the command prompt (logged in as root), just not through the web interface.

How could I get around this? I tried using both chmod and chown on ip_masq_udp_dloose to allow weblet access, but nothing happens. The commands act as if they worked, but the permissions don't change. It seems a bit odd to me.

Any help would be really appreciated!

-Kelly
Re: [leaf-devel] Allowing Weblet to change a root file
Kelly,

On Tue, 22 Oct 2002 14:58:30 GMT Kelly Brown wrote:

> Hi guys, I'll admit right up front that I'm not very knowledgeable in regards to Linux, so I hope I don't come off sounding TOO foolish. I do a lot of web development, so I do know my way around a unix/linux environment somewhat. I'm more used to working in a cgi environment with perl or php, so this stuff is a tiny bit different for me.

None of this sounds foolish to me. It sounds like you are already on the right track and just need a bit of help to fix the root cause of the problem.

> Anyhow, what I want to do basically is use weblet to run the following line:
>
> echo 1 > /proc/sys/net/ipv4/ip_masq_udp_dloose
>
> and alternately:
>
> echo 0 > /proc/sys/net/ipv4/ip_masq_udp_dloose
>
> I essentially want to allow someone on the local network to be able to toggle loose UDP routing on and off at will through a web interface.

ssh would be a more secure way to do this, and with a little work, could be made very easy for authorized users to use. (As simple as clicking on an icon that runs plink.exe and typing a password.) That said and my conscience clear :), you should be able to make weblet do this too.

> I made a tiny little script to do this, but it doesn't work. It runs, but the ip_masq_udp_dloose file never changes and I'm GUESSING it's because weblet isn't allowed to touch it because it's owned by root. It works fine if I run the script through the command prompt (logged in as root), just not through the web interface.

Sounds like a very good guess to me. If you wanted to verify, you could do something like this:

homefw: -root- # pwd
/var/sh-www/cgi-bin
homefw: -root- # cat set_loose_udp_routing.wrap
#!/bin/sh
sh -x set_loose_udp_routing $@ 2> /tmp/test.log

where set_loose_udp_routing is the real script.

I did some testing (using ip_nonlocal_bind since my test Bering box does not have ip_masq_udp_dloose) and this is what I found:

homefw: -root- # tail -n 2 /tmp/test.log
+ echo 1
set_loose_udp_routing: cannot create /proc/sys/net/ipv4/ip_nonlocal_bind: permission denied
homefw: -root- # ls -al /proc/sys/net/ipv4/ip_nonlocal_bind
-rw-r--r--    1 root     wheel    [..] /proc/sys/net/ipv4/ip_nonlocal_bind

> How could I get around this?

I think the most secure solution would be to write a minimal C program that sets ip_nonlocal_bind and run it setuid root. There was some discussion of this awhile back on leaf-user or leaf-devel surrounding Jon Clausen's blinder project, IIRC.

Less secure would be to do the same thing with a setuid shell script.

Probably the least secure would be to run weblet as root rather than sh-httpd as described at http://www.mail-archive.com/leaf-user;lists.sourceforge.net/msg07465.html (That posting should get you close to the discussion of the setuid C program too.)

> I tried using both chmod and chown on ip_masq_udp_dloose to allow weblet access, but nothing happens. The commands act as if they worked, but the permissions don't change. It seems a bit odd to me.

Not positive, but I think that's probably because it is part of the /proc pseudo filesystem.

--Brad
Re: [leaf-devel] Allowing Weblet to change a root file
On Tue, Oct 22, 2002 at 09:40:26PM -0500, Brad Fritz wrote:

>> How could I get around this?
>
> I think the most secure solution would be to write a minimal C program that sets ip_nonlocal_bind and run it setuid root. There was some discussion of this awhile back on leaf-user or leaf-devel surrounding Jon Clausen's blinder project, IIRC.

YRC: My problem was a little different, but the same principles apply. In order to get cron to notice that a new crontab file was installed, I needed to get the timestamp of the directory /var/spool/cron/crontabs updated. The directory is owned by root, so I basically had two options: run sh-httpd as root (not a great idea), or make an suid binary that does something in the directory. I went with option two, and got some help creating a tiny little C program that creates a file 'notify' in that dir, and erases it again immediately. This operation had the desired effect, and all was good.

The way it's done, is that the program has paths/filename hardcoded in it, and takes no arguments, so there is very little possibility of (direct) misuse. So anyone can execute it, and have cron update its knowledge of crontabs on the system.

Adapting that program to do what you need is probably not that difficult. I'd be happy to take a stab at it, but I'm not really a C programmer (yet anyway).

> Less secure would be to do the same thing with a setuid shell script.

It's my understanding that shell scripts will not work suid. (I did try that out before turning to C, it never worked, and I seem to remember seeing an explanation of why it doesn't work somewhere...) CCMIW

> Probably the least secure would be to run weblet as root rather

-and since your host *is* a firewall (which my Blinder system is *not*), I'd advise against that.

>> I tried using both chmod and chown on ip_masq_udp_dloose to allow weblet access, but nothing happens. The commands act as if they worked, but the permissions don't change. It seems a bit odd to me.
>
> Not positive, but I think that's probably because it is part of the /proc pseudo filesystem.

Sounds reasonable... (?)

HTH
Jon Clausen
Re: [leaf-devel] Allowing Weblet to change a root file
Minor typo correction below...

On Tue, 22 Oct 2002 21:40:26 EST I wrote:

[snip]
>> I made a tiny little script to do this, but it doesn't work. It runs, but the ip_masq_udp_dloose file never changes
[snip]
> I think the most secure solution would be to write a minimal C program that sets ip_nonlocal_bind and run it setuid root.

ip_nonlocal_bind should be ip_masq_udp_dloose. Sorry about that.

--Brad