Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote: > Hi, > > I have an web form. > > I need send of webform to script bash > > webform.html --> PHP proces --> create.sh > > create.sh > #!/bin/ksh > # Create user > > echo "hi!! your pass $1" > crypted="$(echo -n "$1" | smtpctl encrypt )" > maildir="$3/$2/" > echo -e "$2@$3" >> recipients > echo -e "$2@$3\t$crypted" >> credentials > echo "ejabberdctl register $2 $3 $1" > echo "INSERT INTO mails (userid, domain, password, maildir) VALUES > ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail; > > example php > function antiyec($data) { > $data = trim($data); > $data = stripslashes($data); > $data = htmlspecialchars($data); > return $data; > } > $user = antiyec($_POST['user']); > $frase1 = antiyec($_POST['pass']); > $domain = antiyec($_POST['dom']); > > $out = shell_exec('ksh create.sh $frase1 $user $domain'); > echo "$out"; > ?> If you have MySQL as backend for your email accounts, you can just do the same with ejabberd. And after that, there is no reason why you can't do the whole thing on PHP alone. But as everyone pointed out, you need to do some serious reading and/or get someone who knows how to set this up properly. > On 06/01/15 08:50, Gareth Nelson wrote: > > Everyone is missing the bigger picture here: > > > > Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea > > and things should be redesigned so that it's not needed. > > > > --- > > “Lanie, I’m going to print more printers. Lots more printers. One for > > everyone. That’s worth going to jail for. That’s worth anything.” - > > Printcrime by Cory Doctrow > > > > Please avoid sending me Word or PowerPoint attachments.
> > See http://www.gnu.org/philosophy/no-word-attachments.html > > > > On Mon, Jun 1, 2015 at 1:47 PM, dan mclaughlin > > wrote: > > > >> On Mon, 1 Jun 2015 06:05:28 -0400 Josh Grosse > >> wrote: > >>> On Mon, Jun 01, 2015 at 04:45:01AM -0400, dan mclaughlin wrote: > On Sun, 31 May 2015 22:20:17 -0500 Okupandolared > >> wrote: > > does not exist, > > > > so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami? > > > > that try "ls" and "/bin/ls" and "/var/www/bin/ls" > > > > and it does not work, > > "/bin/ls" exist > > "/var/www/bin/ls" exist > > > > thanks > > > > On 05/31/15 19:43, Zi Loff wrote: > >> On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote: > >>> -BEGIN PGP SIGNED MESSAGE- > >>> Hash: SHA256 > >>> > >>> I like received variables POST and send to KSH script. > >>> > >>> But it seems that in OpenBSD 5.6 and php-fpm. > >>> > >>> exec() and exec_shell() not working. > >>> > >>> Could anyone help me? > >>> > >>> This link explain in detail what I've tried. > >>> > >>> > >> > > http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shel > > l-exec > >>> > >>> thanks > >> > >> If the server is chrooted at "/var/www" then "/usr/bin/whoami" > >> (from the > >> server's point of view) actually means "/var/www/usr/bin/whoami" > >> (from > >> your point of view). Does that file exist? > > > > have you tried to copy /bin/sh to /var/www/bin/sh? > >>> > >>> Also, in a chrooted filesystem, every dynamically linked executable > >> needs access > >>> to ld.so and its shared libraries. Which means /var/www/usr/lib and > >>> /var/www/usr/libexec will need files populated -- every binary file > >> should be > >>> checked wiht ldd(1) to ensure required libraries are made available. > >>> shared libraries. 
Each program should > >> > >> that reminds me, i did a write up on chrooting programs here: > >> https://marc.info/?l=openbsd-misc&m=142676615612510&w=2 > >> > >> although it got into more, the basics of setting up a chroot jail are > >> there. > >> > >> i also have a script that adds a binary and its dependencies automatically. > >> i'll have to post it later, since i've actually been meaning to recently. > >> just have to make a few adjustments for portability. > --
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
If you made these mistakes you'll have made others - get guidance from someone who knows what they're doing and have them audit your whole system. --- “Lanie, I’m going to print more printers. Lots more printers. One for everyone. That’s worth going to jail for. That’s worth anything.” - Printcrime by Cory Doctrow Please avoid sending me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.html On Mon, Jun 1, 2015 at 6:31 PM, Okupandolared wrote: > thank you all for the support, > > I think in another way, as well sanitize my form. > > maybe python goes outside the chroot. > > Thanks again > > On 06/01/15 10:21, Sebastien Marie wrote: > > Hi, > > > > Just to report how it is a bad idea... at least two sql injection and > > one shell injection in your files. > > > > On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote: > >> Hi, > >> > >> I have an web form. > >> > >> I need send of webform to script bash > >> > >> webform.html --> PHP proces --> create.sh > >> > >> create.sh > >> #!/bin/ksh > >> # Create user > >> > >> echo "hi!!
your pass $1" > >> crypted="$(echo -n "$1" | smtpctl encrypt )" > >> maildir="$3/$2/" > >> echo -e "$2@$3" >> recipients > >> echo -e "$2@$3\t$crypted" >> credentials > >> echo "ejabberdctl register $2 $3 $1" > >> echo "INSERT INTO mails (userid, domain, password, maildir) VALUES > >> ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail; > > > > sql injection on $2 and $3 as "'" isn't escaped by antiyec function > > > >> example php > >> >> function antiyec($data) { > >> $data = trim($data); > >> $data = stripslashes($data); > >> $data = htmlspecialchars($data); > >> return $data; > >> } > >> $user = antiyec($_POST['user']); > >> $frase1 = antiyec($_POST['pass']); > >> $domain = antiyec($_POST['dom']); > >> > >> $out = shell_exec('ksh create.sh $frase1 $user $domain'); > > > > shell injection on user, pass and dom variables, as ";" isn't escaped by > > antiyec function > > > >> echo "$out"; > >> ?> > >> > >> > >> On 06/01/15 08:50, Gareth Nelson wrote: > >>> Everyone is missing the bigger picture here: > >>> > >>> Why is a PHP script calling the shell? 9 times out of 10, that's a bad > idea > >>> and things should be redesigned so that it's not needed. > >>> > > > > yes it is a bad idea.
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
thank you all for the support, I think in another way, as well sanitize my form. maybe python goes outside the chroot. Thanks again On 06/01/15 10:21, Sebastien Marie wrote: > Hi, > > Just to report how it is a bad idea... at least two sql injection and > one shell injection in your files. > > On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote: >> Hi, >> >> I have an web form. >> >> I need send of webform to script bash >> >> webform.html --> PHP proces --> create.sh >> >> create.sh >> #!/bin/ksh >> # Create user >> >> echo "hi!! your pass $1" >> crypted="$(echo -n "$1" | smtpctl encrypt )" >> maildir="$3/$2/" >> echo -e "$2@$3" >> recipients >> echo -e "$2@$3\t$crypted" >> credentials >> echo "ejabberdctl register $2 $3 $1" >> echo "INSERT INTO mails (userid, domain, password, maildir) VALUES >> ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail; > > sql injection on $2 and $3 as "'" isn't escaped by antiyec function > >> example php >> > function antiyec($data) { >> $data = trim($data); >> $data = stripslashes($data); >> $data = htmlspecialchars($data); >> return $data; >> } >> $user = antiyec($_POST['user']); >> $frase1 = antiyec($_POST['pass']); >> $domain = antiyec($_POST['dom']); >> >> $out = shell_exec('ksh create.sh $frase1 $user $domain'); > > shell injection on user, pass and dom variables, as ";" isn't escaped by > antiyec function > >> echo "$out"; >> ?> >> >> >> On 06/01/15 08:50, Gareth Nelson wrote: >>> Everyone is missing the bigger picture here: >>> >>> Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea >>> and things should be redesigned so that it's not needed. >>> > > yes it is a bad idea.
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
Hi,

Just to report how it is a bad idea... at least two sql injection and
one shell injection in your files.

On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:
> Hi,
>
> I have an web form.
>
> I need send of webform to script bash
>
> webform.html --> PHP proces --> create.sh
>
> create.sh
> #!/bin/ksh
> # Create user
>
> echo "hi!! your pass $1"
> crypted="$(echo -n "$1" | smtpctl encrypt )"
> maildir="$3/$2/"
> echo -e "$2@$3" >> recipients
> echo -e "$2@$3\t$crypted" >> credentials
> echo "ejabberdctl register $2 $3 $1"
> echo "INSERT INTO mails (userid, domain, password, maildir) VALUES
> ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail;

sql injection on $2 and $3 as "'" isn't escaped by antiyec function

> example php
> function antiyec($data) {
> $data = trim($data);
> $data = stripslashes($data);
> $data = htmlspecialchars($data);
> return $data;
> }
> $user = antiyec($_POST['user']);
> $frase1 = antiyec($_POST['pass']);
> $domain = antiyec($_POST['dom']);
>
> $out = shell_exec('ksh create.sh $frase1 $user $domain');

shell injection on user, pass and dom variables, as ";" isn't escaped by
antiyec function

> echo "$out";
> ?>
>
>
> On 06/01/15 08:50, Gareth Nelson wrote:
> > Everyone is missing the bigger picture here:
> >
> > Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea
> > and things should be redesigned so that it's not needed.
> >

yes it is a bad idea.

--
Sébastien Marie
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
This was an example I wrote this email really is not implemented anywhere. But thanks for observation. If I decide to put it online. "think of this security issue? On 06/01/15 10:20, Gareth Nelson wrote: > my domain is: > ',); DROP mails;-- > > Sanitise your inputs > > --- > “Lanie, I’m going to print more printers. Lots more printers. One for > everyone. That’s worth going to jail for. That’s worth anything.” - > Printcrime by Cory Doctrow > > Please avoid sending me Word or PowerPoint attachments. > See http://www.gnu.org/philosophy/no-word-attachments.html > > On Mon, Jun 1, 2015 at 6:16 PM, Okupandolared wrote: > >> Really you could use php to insert into mysql, >> >> but as I need to run ejabberdctl and smtpdctl. >> >> I thought it would do everything from bash >> >> I have no idea how it could call smtpctl from php, maybe you go look at >> python. >> >> On 06/01/15 10:09, Gareth Nelson wrote: >>> Why on earth are you using the shell to insert into MySQL? >>> >>> I would redesign this whole setup under the guidance of someone more >>> experienced to be honest, there's MANY mistakes you're making here, and >>> thus likely other mistakes >>> >>> --- >>> “Lanie, I’m going to print more printers. Lots more printers. One for >>> everyone. That’s worth going to jail for. That’s worth anything.” - >>> Printcrime by Cory Doctrow >>> >>> Please avoid sending me Word or PowerPoint attachments. >>> See http://www.gnu.org/philosophy/no-word-attachments.html >>> >>> On Mon, Jun 1, 2015 at 4:05 PM, Jiri B wrote: >>> On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote: > Hi, > > I have an web form. > > I need send of webform to script bash > > webform.html --> PHP proces --> create.sh > > create.sh > #!/bin/ksh > # Create user > > echo "hi!!
your pass $1" > crypted="$(echo -n "$1" | smtpctl encrypt )" > maildir="$3/$2/" > echo -e "$2@$3" >> recipients > echo -e "$2@$3\t$crypted" >> credentials > echo "ejabberdctl register $2 $3 $1" > echo "INSERT INTO mails (userid, domain, password, maildir) VALUES > ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail; Hoho, it won't run in chroot, smtpd doesn't have socket in chroot, same for ejabberctl. You need to have some lightweight communication "protocol" between chroot and an app outside which would sanitize input and do the work. j.
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
my domain is: ',); DROP mails;-- Sanitise your inputs --- “Lanie, I’m going to print more printers. Lots more printers. One for everyone. That’s worth going to jail for. That’s worth anything.” - Printcrime by Cory Doctrow Please avoid sending me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.html On Mon, Jun 1, 2015 at 6:16 PM, Okupandolared wrote: > Really you could use php to insert into mysql, > > but as I need to run ejabberdctl and smtpdctl. > > I thought it would do everything from bash > > I have no idea how it could call smtpctl from php, maybe you go look at > python. > > On 06/01/15 10:09, Gareth Nelson wrote: > > Why on earth are you using the shell to insert into MySQL? > > > > I would redesign this whole setup under the guidance of someone more > > experienced to be honest, there's MANY mistakes you're making here, and > > thus likely other mistakes > > > > --- > > “Lanie, I’m going to print more printers. Lots more printers. One for > > everyone. That’s worth going to jail for. That’s worth anything.” - > > Printcrime by Cory Doctrow > > > > Please avoid sending me Word or PowerPoint attachments. > > See http://www.gnu.org/philosophy/no-word-attachments.html > > > > On Mon, Jun 1, 2015 at 4:05 PM, Jiri B wrote: > > > >> On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote: > >>> Hi, > >>> > >>> I have an web form. > >>> > >>> I need send of webform to script bash > >>> > >>> webform.html --> PHP proces --> create.sh > >>> > >>> create.sh > >>> #!/bin/ksh > >>> # Create user > >>> > >>> echo "hi!!
your pass $1" > >>> crypted="$(echo -n "$1" | smtpctl encrypt )" > >>> maildir="$3/$2/" > >>> echo -e "$2@$3" >> recipients > >>> echo -e "$2@$3\t$crypted" >> credentials > >>> echo "ejabberdctl register $2 $3 $1" > >>> echo "INSERT INTO mails (userid, domain, password, maildir) VALUES > >>> ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail; > >> > >> Hoho, it won't run in chroot, smtpd doesn't have socket > >> in chroot, same for ejabberctl. > >> > >> You need to have some lightweight communication > >> "protocol" between chroot and an app outside which would > >> sanitize input and do the work. > >> > >> j.
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
Really you could use php to insert into mysql, but as I need to run ejabberdctl and smtpdctl. I thought it would do everything from bash I have no idea how it could call smtpctl from php, maybe you go look at python. On 06/01/15 10:09, Gareth Nelson wrote: > Why on earth are you using the shell to insert into MySQL? > > I would redesign this whole setup under the guidance of someone more > experienced to be honest, there's MANY mistakes you're making here, and > thus likely other mistakes > > --- > “Lanie, I’m going to print more printers. Lots more printers. One for > everyone. That’s worth going to jail for. That’s worth anything.” - > Printcrime by Cory Doctrow > > Please avoid sending me Word or PowerPoint attachments. > See http://www.gnu.org/philosophy/no-word-attachments.html > > On Mon, Jun 1, 2015 at 4:05 PM, Jiri B wrote: > >> On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote: >>> Hi, >>> >>> I have an web form. >>> >>> I need send of webform to script bash >>> >>> webform.html --> PHP proces --> create.sh >>> >>> create.sh >>> #!/bin/ksh >>> # Create user >>> >>> echo "hi!! your pass $1" >>> crypted="$(echo -n "$1" | smtpctl encrypt )" >>> maildir="$3/$2/" >>> echo -e "$2@$3" >> recipients >>> echo -e "$2@$3\t$crypted" >> credentials >>> echo "ejabberdctl register $2 $3 $1" >>> echo "INSERT INTO mails (userid, domain, password, maildir) VALUES >>> ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail; >> >> Hoho, it won't run in chroot, smtpd doesn't have socket >> in chroot, same for ejabberctl. >> >> You need to have some lightweight communication >> "protocol" between chroot and an app outside which would >> sanitize input and do the work. >> >> j.
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
Why on earth are you using the shell to insert into MySQL? I would redesign this whole setup under the guidance of someone more experienced to be honest, there's MANY mistakes you're making here, and thus likely other mistakes --- “Lanie, I’m going to print more printers. Lots more printers. One for everyone. That’s worth going to jail for. That’s worth anything.” - Printcrime by Cory Doctrow Please avoid sending me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.html On Mon, Jun 1, 2015 at 4:05 PM, Jiri B wrote: > On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote: > > Hi, > > > > I have an web form. > > > > I need send of webform to script bash > > > > webform.html --> PHP proces --> create.sh > > > > create.sh > > #!/bin/ksh > > # Create user > > > > echo "hi!! your pass $1" > > crypted="$(echo -n "$1" | smtpctl encrypt )" > > maildir="$3/$2/" > > echo -e "$2@$3" >> recipients > > echo -e "$2@$3\t$crypted" >> credentials > > echo "ejabberdctl register $2 $3 $1" > > echo "INSERT INTO mails (userid, domain, password, maildir) VALUES > > ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail; > > Hoho, it won't run in chroot, smtpd doesn't have socket > in chroot, same for ejabberctl. > > You need to have some lightweight communication > "protocol" between chroot and an app outside which would > sanitize input and do the work. > > j.
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
On 01/06/15 18:49, Okupandolared wrote: > Hi, > > I have an web form. > > I need send of webform to script bash > > webform.html --> PHP proces --> create.sh > > create.sh > #!/bin/ksh > # Create user > > echo "hi!! your pass $1" > crypted="$(echo -n "$1" | smtpctl encrypt )" > maildir="$3/$2/" > echo -e "$2@$3" >> recipients > echo -e "$2@$3\t$crypted" >> credentials > echo "ejabberdctl register $2 $3 $1" > echo "INSERT INTO mails (userid, domain, password, maildir) VALUES > ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail; > > example php > function antiyec($data) { > $data = trim($data); > $data = stripslashes($data); > $data = htmlspecialchars($data); > return $data; > } > $user = antiyec($_POST['user']); > $frase1 = antiyec($_POST['pass']); > $domain = antiyec($_POST['dom']); > > $out = shell_exec('ksh create.sh $frase1 $user $domain'); > echo "$out"; > ?> > Can't tell if trolling or just stupid. > > On 06/01/15 08:50, Gareth Nelson wrote: >> Everyone is missing the bigger picture here: >> >> Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea >> and things should be redesigned so that it's not needed.
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:
> Hi,
>
> I have an web form.
>
> I need send of webform to script bash
>
> webform.html --> PHP proces --> create.sh
>
> create.sh
> #!/bin/ksh
> # Create user
>
> echo "hi!! your pass $1"
> crypted="$(echo -n "$1" | smtpctl encrypt )"
> maildir="$3/$2/"
> echo -e "$2@$3" >> recipients
> echo -e "$2@$3\t$crypted" >> credentials
> echo "ejabberdctl register $2 $3 $1"
> echo "INSERT INTO mails (userid, domain, password, maildir) VALUES
> ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail;

Hoho, it won't run in chroot, smtpd doesn't have socket
in chroot, same for ejabberctl.

You need to have some lightweight communication
"protocol" between chroot and an app outside which would
sanitize input and do the work.

j.
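The arrangement Jiri B suggests above (the chrooted PHP side only hands a request to an application outside the chroot, which validates it and does the work), combined with fixes for the injection points Sébastien Marie lists in his reply, as an added Python example that is not code from the thread. The JSON request line, the allowlist patterns, all function names and the use of sqlite3 in place of MySQL are assumptions made for the example.

```python
import json
import re
import sqlite3

# Assumed policy for this example (the thread does not define one).
USER_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,31}")
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
MAX_REQUEST = 512  # bytes accepted per request line


class Rejected(ValueError):
    """The request failed validation and must not reach any command or query."""


def parse_request(line):
    """Decode one request line (assumed format: a JSON object) and validate it."""
    if len(line) > MAX_REQUEST:
        raise Rejected("request too long")
    try:
        req = json.loads(line.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        raise Rejected("not valid UTF-8 JSON") from None
    if not isinstance(req, dict) or set(req) != {"user", "domain", "password"}:
        raise Rejected("unexpected fields")
    user, domain, password = req["user"], req["domain"], req["password"]
    if not all(isinstance(v, str) for v in (user, domain, password)):
        raise Rejected("fields must be strings")
    if not USER_RE.fullmatch(user):
        raise Rejected("bad user")
    labels = domain.split(".")
    if len(domain) > 253 or len(labels) < 2 or not all(LABEL_RE.fullmatch(l) for l in labels):
        raise Rejected("bad domain")
    # Passwords may contain quotes and semicolons: below they are never parsed
    # by a shell or spliced into SQL. Control characters and a leading "-"
    # (which a called tool could read as an option) are refused.
    if not 8 <= len(password) <= 128 or password.startswith("-"):
        raise Rejected("bad password")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in password):
        raise Rejected("bad password")
    return {"user": user, "domain": domain, "password": password}


def plan_commands(req):
    """The two tools named in create.sh as (argv, stdin) pairs, meant for
    subprocess.run(argv, input=stdin); no shell ever parses the values."""
    return [
        (["smtpctl", "encrypt"], req["password"]),
        (["ejabberdctl", "register", req["user"], req["domain"], req["password"]], None),
    ]


def store(db, req, crypted):
    """Insert the account with bound parameters instead of string splicing.
    sqlite3 uses "?" placeholders; MySQL drivers for Python usually use "%s"."""
    maildir = "{}/{}/".format(req["domain"], req["user"])
    db.execute(
        "INSERT INTO mails (userid, domain, password, maildir) VALUES (?, ?, ?, ?)",
        (req["user"], req["domain"], crypted, maildir),
    )


def handle(line, db, encrypt):
    """Serve one request; `encrypt` is the callable wrapping `smtpctl encrypt`."""
    try:
        req = parse_request(line)
    except Rejected as err:
        return "ERR {}".format(err)
    store(db, req, encrypt(req["password"]))
    return "OK"


def demo():
    """Run constructed requests against an in-memory table."""
    db = sqlite3.connect(":memory:")  # stand-in for the MySQL database
    db.execute("CREATE TABLE mails (userid TEXT, domain TEXT, password TEXT, maildir TEXT)")
    # Constructed stand-in for smtpctl output; the quote shows binding is safe.
    fake_encrypt = lambda pw: "constructed-hash'" + str(len(pw))
    requests = [  # constructed sample input
        {"user": "alice", "domain": "example.org", "password": "it's; a long pass"},
        {"user": "bob", "domain": "',); DROP mails;--", "password": "long enough"},
        {"user": "carol;id", "domain": "example.org", "password": "long enough"},
    ]
    replies = [handle(json.dumps(r).encode(), db, fake_encrypt) for r in requests]
    replies.append(handle(b"user=x&dom=y", db, fake_encrypt))
    rows = db.execute("SELECT userid, domain, password, maildir FROM mails").fetchall()
    return replies, rows


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Only the first constructed request is stored; the domain string quoted elsewhere in the thread is rejected by the allowlist before any command or query is built.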
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
Hi, I have an web form. I need send of webform to script bash webform.html --> PHP proces --> create.sh create.sh #!/bin/ksh # Create user echo "hi!! your pass $1" crypted="$(echo -n "$1" | smtpctl encrypt )" maildir="$3/$2/" echo -e "$2@$3" >> recipients echo -e "$2@$3\t$crypted" >> credentials echo "ejabberdctl register $2 $3 $1" echo "INSERT INTO mails (userid, domain, password, maildir) VALUES ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail; example php $out"; ?> On 06/01/15 08:50, Gareth Nelson wrote: > Everyone is missing the bigger picture here: > > Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea > and things should be redesigned so that it's not needed. > > --- > “Lanie, I’m going to print more printers. Lots more printers. One for > everyone. That’s worth going to jail for. That’s worth anything.” - > Printcrime by Cory Doctrow > > Please avoid sending me Word or PowerPoint attachments. > See http://www.gnu.org/philosophy/no-word-attachments.html > > On Mon, Jun 1, 2015 at 1:47 PM, dan mclaughlin > wrote: > >> On Mon, 1 Jun 2015 06:05:28 -0400 Josh Grosse >> wrote: >>> On Mon, Jun 01, 2015 at 04:45:01AM -0400, dan mclaughlin wrote: On Sun, 31 May 2015 22:20:17 -0500 Okupandolared >> wrote: > does not exist, > > so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami? > > that try "ls" and "/bin/ls" and "/var/www/bin/ls" > > and it does not work, > "/bin/ls" exist > "/var/www/bin/ls" exist > > thanks > > On 05/31/15 19:43, Zi Loff wrote: >> On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote: >>> -BEGIN PGP SIGNED MESSAGE- >>> Hash: SHA256 >>> >>> I like received variables POST and send to KSH script. >>> >>> But it seems that in OpenBSD 5.6 and php-fpm. >>> >>> exec() and exec_shell() not working. >>> >>> Could anyone help me? >>> >>> This link explain in detail what I've tried.
>>> >>> >> > http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shel > l-exec >>> >>> thanks >> >> If the server is chrooted at "/var/www" then "/usr/bin/whoami" >> (from the >> server's point of view) actually means "/var/www/usr/bin/whoami" >> (from >> your point of view). Does that file exist? > have you tried to copy /bin/sh to /var/www/bin/sh? >>> >>> Also, in a chrooted filesystem, every dynamically linked executable >> needs access >>> to ld.so and its shared libraries. Which means /var/www/usr/lib and >>> /var/www/usr/libexec will need files populated -- every binary file >> should be >>> checked wiht ldd(1) to ensure required libraries are made available. >>> shared libraries. Each program should >> >> that reminds me, i did a write up on chrooting programs here: >> https://marc.info/?l=openbsd-misc&m=142676615612510&w=2 >> >> although it got into more, the basics of setting up a chroot jail are >> there. >> >> i also have a script that adds a binary and its dependencies automatically. >> i'll have to post it later, since i've actually been meaning to recently. >> just have to make a few adjustments for portability.
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
Everyone is missing the bigger picture here: Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea and things should be redesigned so that it's not needed. --- “Lanie, I’m going to print more printers. Lots more printers. One for everyone. That’s worth going to jail for. That’s worth anything.” - Printcrime by Cory Doctrow Please avoid sending me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.html On Mon, Jun 1, 2015 at 1:47 PM, dan mclaughlin wrote: > On Mon, 1 Jun 2015 06:05:28 -0400 Josh Grosse > wrote: > > On Mon, Jun 01, 2015 at 04:45:01AM -0400, dan mclaughlin wrote: > > > On Sun, 31 May 2015 22:20:17 -0500 Okupandolared > wrote: > > > > does not exist, > > > > > > > > so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami? > > > > > > > > that try "ls" and "/bin/ls" and "/var/www/bin/ls" > > > > > > > > and it does not work, > > > > "/bin/ls" exist > > > > "/var/www/bin/ls" exist > > > > > > > > thanks > > > > > > > > On 05/31/15 19:43, Zi Loff wrote: > > > > > On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote: > > > > >> -BEGIN PGP SIGNED MESSAGE- > > > > >> Hash: SHA256 > > > > >> > > > > >> I like received variables POST and send to KSH script. > > > > >> > > > > >> But it seems that in OpenBSD 5.6 and php-fpm. > > > > >> > > > > >> exec() and exec_shell() not working. > > > > >> > > > > >> Could anyone help me? > > > > >> > > > > >> This link explain in detail what I've tried. > > > > >> > > > > >> > http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shel l-exec > > > > >> > > > > >> thanks > > > > > > > > > > If the server is chrooted at "/var/www" then "/usr/bin/whoami" > (from the > > > > > server's point of view) actually means "/var/www/usr/bin/whoami" > (from > > > > > your point of view). Does that file exist? > > > > > > > > > > have you tried to copy /bin/sh to /var/www/bin/sh?
> > > > Also, in a chrooted filesystem, every dynamically linked executable > needs access > > to ld.so and its shared libraries. Which means /var/www/usr/lib and > > /var/www/usr/libexec will need files populated -- every binary file > should be > > checked wiht ldd(1) to ensure required libraries are made available. > > shared libraries. Each program should > > that reminds me, i did a write up on chrooting programs here: > https://marc.info/?l=openbsd-misc&m=142676615612510&w=2 > > although it got into more, the basics of setting up a chroot jail are > there. > > i also have a script that adds a binary and its dependencies automatically. > i'll have to post it later, since i've actually been meaning to recently. > just have to make a few adjustments for portability.
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
On Mon, 1 Jun 2015 06:05:28 -0400 Josh Grosse wrote: > On Mon, Jun 01, 2015 at 04:45:01AM -0400, dan mclaughlin wrote: > > On Sun, 31 May 2015 22:20:17 -0500 Okupandolared wrote: > > > does not exist, > > > > > > so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami? > > > > > > that try "ls" and "/bin/ls" and "/var/www/bin/ls" > > > > > > and it does not work, > > > "/bin/ls" exist > > > "/var/www/bin/ls" exist > > > > > > thanks > > > > > > On 05/31/15 19:43, Zi Loff wrote: > > > > On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote: > > > >> -BEGIN PGP SIGNED MESSAGE- > > > >> Hash: SHA256 > > > >> > > > >> I like received variables POST and send to KSH script. > > > >> > > > >> But it seems that in OpenBSD 5.6 and php-fpm. > > > >> > > > >> exec() and exec_shell() not working. > > > >> > > > >> Could anyone help me? > > > >> > > > >> This link explain in detail what I've tried. > > > >> > > > >> http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec > > > >> > > > >> thanks > > > > > > > > If the server is chrooted at "/var/www" then "/usr/bin/whoami" (from the > > > > server's point of view) actually means "/var/www/usr/bin/whoami" (from > > > > your point of view). Does that file exist? > > > > > > > have you tried to copy /bin/sh to /var/www/bin/sh? > > Also, in a chrooted filesystem, every dynamically linked executable needs > access > to ld.so and its shared libraries. Which means /var/www/usr/lib and > /var/www/usr/libexec will need files populated -- every binary file should be > checked wiht ldd(1) to ensure required libraries are made available. > shared libraries. Each program should that reminds me, i did a write up on chrooting programs here: https://marc.info/?l=openbsd-misc&m=142676615612510&w=2 although it got into more, the basics of setting up a chroot jail are there. i also have a script that adds a binary and its dependencies automatically. 
i'll have to post it later, since i've actually been meaning to recently. just have to make a few adjustments for portability.
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
Corrected for typos. What I'd just Emailed was without any coffee... On Mon, Jun 01, 2015 at 06:05:28AM -0400, Josh Grosse wrote: > Also, in a chrooted filesystem, every dynamically linked executable needs > access > to ld.so and its shared libraries. Which means /var/www/usr/lib and > /var/www/usr/libexec will need files populated -- every binary file should be > checked with ldd(1) to ensure required libraries are made available.
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
On Mon, Jun 01, 2015 at 04:45:01AM -0400, dan mclaughlin wrote: > On Sun, 31 May 2015 22:20:17 -0500 Okupandolared wrote: > > does not exist, > > > > so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami? > > > > that try "ls" and "/bin/ls" and "/var/www/bin/ls" > > > > and it does not work, > > "/bin/ls" exist > > "/var/www/bin/ls" exist > > > > thanks > > > > On 05/31/15 19:43, Zi Loff wrote: > > > On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote: > > >> -BEGIN PGP SIGNED MESSAGE- > > >> Hash: SHA256 > > >> > > >> I like received variables POST and send to KSH script. > > >> > > >> But it seems that in OpenBSD 5.6 and php-fpm. > > >> > > >> exec() and exec_shell() not working. > > >> > > >> Could anyone help me? > > >> > > >> This link explain in detail what I've tried. > > >> > > >> http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec > > >> > > >> thanks > > > > > > If the server is chrooted at "/var/www" then "/usr/bin/whoami" (from the > > > server's point of view) actually means "/var/www/usr/bin/whoami" (from > > > your point of view). Does that file exist? > > > > have you tried to copy /bin/sh to /var/www/bin/sh? Also, in a chrooted filesystem, every dynamically linked executable needs access to ld.so and its shared libraries. Which means /var/www/usr/lib and /var/www/usr/libexec will need files populated -- every binary file should be checked wiht ldd(1) to ensure required libraries are made available. shared libraries. Each program should
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
On Sun, 31 May 2015 22:20:17 -0500 Okupandolared wrote: > does not exist, > > so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami? > > that try "ls" and "/bin/ls" and "/var/www/bin/ls" > > and it does not work, > "/bin/ls" exist > "/var/www/bin/ls" exist > > thanks > > On 05/31/15 19:43, Zé Loff wrote: > > On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote: > >> -BEGIN PGP SIGNED MESSAGE- > >> Hash: SHA256 > >> > >> I like received variables POST and send to KSH script. > >> > >> But it seems that in OpenBSD 5.6 and php-fpm. > >> > >> exec() and exec_shell() not working. > >> > >> Could anyone help me? > >> > >> This link explain in detail what I've tried. > >> > >> http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec > >> > >> thanks > > > > If the server is chrooted at "/var/www" then "/usr/bin/whoami" (from the > > server's point of view) actually means "/var/www/usr/bin/whoami" (from > > your point of view). Does that file exist? > have you tried to copy /bin/sh to /var/www/bin/sh?
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
does not exist, so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami? that try "ls" and "/bin/ls" and "/var/www/bin/ls" and it does not work, "/bin/ls" exist "/var/www/bin/ls" exist thanks On 05/31/15 19:43, Zé Loff wrote: > On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA256 >> >> I like received variables POST and send to KSH script. >> >> But it seems that in OpenBSD 5.6 and php-fpm. >> >> exec() and exec_shell() not working. >> >> Could anyone help me? >> >> This link explain in detail what I've tried. >> >> http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec >> >> thanks > > If the server is chrooted at "/var/www" then "/usr/bin/whoami" (from the > server's point of view) actually means "/var/www/usr/bin/whoami" (from > your point of view). Does that file exist?
Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > I like received variables POST and send to KSH script. > > But it seems that in OpenBSD 5.6 and php-fpm. > > exec() and exec_shell() not working. > > Could anyone help me? > > This link explain in detail what I've tried. > > http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec > > thanks If the server is chrooted at "/var/www" then "/usr/bin/whoami" (from the server's point of view) actually means "/var/www/usr/bin/whoami" (from your point of view). Does that file exist? --
How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?
I like received variables POST and send to KSH script. But it seems that in OpenBSD 5.6 and php-fpm. exec() and exec_shell() not working. Could anyone help me? This link explain in detail what I've tried. http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec thanks