RE: Some wierd problem with mod_perl and Apache
Yes, I have been looking at this site and doing my own debugging via prints etc. I haven;t seen any problem with uptil now with my code and have spent hours debugging this. Would like to know if someone can see any obvious problems here: package Apache::ChangePassword; use strict; use Apache::Constants qw(:common); use CGI '-autoload'; sub handler { my $r = shift; my($oldpass, $newpass1, $confirmpass) = map { param($_) } qw(password newpassword1 confirmpassword); my $user = $r-connection-user; if($user $pass $newpass1 $newpass2) { I authenticate... } make_passwd_screen($r); } The problem is sometimeseven though I enter all the values of the password on the form and press the change passwd button, when I am printin the values of $oldpass/$newpass1/$confirmpass they are all 0. Other times...this works just fine...and I see the printed values. Am I messing with my global variables here ? I don;t seem to think so.but.. Any help is highly appreciated. thanks. -Tushar -Original Message- From: Stas Bekman [mailto:[EMAIL PROTECTED]] Sent: Saturday, August 03, 2002 12:47 PM To: Ged Haywood Cc: modperl Subject: Re: Some wierd problem with mod_perl and Apache Ged Haywood wrote: Hi there, On Fri, 2 Aug 2002 [EMAIL PROTECTED] wrote: sometimes.when I enter the values in the form and click on the change password button, the same screen comes back to me without the change actually happening. After doing this couple of times, I would actually succeed. Have you checked out the Guide? http://perl.apache.org/guide/debug.html BTW, while /guide is still working, the real url is now /docs/1.0/guide/, so I'd rather see people use that, because you should remember that we enter the era of co-existence of mod_perl 1.0 and 2.0, so /guide is not the *only* guide anymore. Moreover parts of the /guide that aren't specific to 1.0 have moved into /docs/general/. __ Stas BekmanJAm_pH -- Just Another mod_perl Hacker http://stason.org/ mod_perl Guide --- http://perl.apache.org mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com http://modperlbook.org http://apache.org http://ticketmaster.com
RE: Some wierd problem with mod_perl and Apache
Would like to know if someone can see any obvious problems here: package Apache::ChangePassword; use strict; use Apache::Constants qw(:common); use CGI '-autoload'; Well I wouldn't use CGI.pm just to call param(). If I don;t use CGI.pm, it complains during compilation - Undefined subroutine Apache::ChangePassword::param. sometimeseven though I enter all the values [snip] and press the change passwd button, Have you checked that you are getting the expected request from the browser? when I look at the access_log, during the failure caseI don;t see any of the oldpass,newpass,confirmpass being Posted. Does this mean the browser and Apache are not talking to each other some times ? (FYI: this is same with IE or Netscape 6.2) when I am printin the values of $oldpass/$newpass1/$confirmpass they are all 0. Other times...this works just fine... Have you read Sometimes it works...? Yep, I was reading this stuff...and I think I am taking care of my globals. Am I messing with my global variables here ? Have you checked what's in $_ ? Have you tried 'httpd -X' ? No, I haven't done these. I plan to do this next now. thanks a lot. -ushar
Some wierd problem with mod_perl and Apache
I have been trying to debug this for some time, and am not sure what is happening or why it is happening. I have a simple gui that takes in old and new passwd and changes it. For this I have a change password button. Now the problem that I see is sometimes.when I enter the values in the form and click on the change password button, the same screen comes back to me without the change actually happening. After doing this couple of times, I would actually succeed. Why is my form getting resetted sometimes ? It does not make a difference if I use IE or Netscape. Below is the code ...that does most of the work and seems to be the problematic code(this is very similar to the examples given in Stein's and MacEachern's book on Apache modules): package Apache::ChangePassword; use strict; use Apache::Constants qw(:common); use CGI '-autoload'; sub handler { my $r = shift; my($oldpass, $newpass1, $confirmpass) = map { param($_) } qw(password newpassword1 confirmpassword); my $request_uri_go = param('request_uri') || ($r-prev ? $r-prev-uri : cookie('request_uri')); if($user $oldpass $newpass1 $confirmpass) { #Do some authentication. But I never come here the first couple of #times when I click change password } make_passwd_screen($msg, $request_uri_go); return OK; } sub make_passwd_screen { my($msg, $request_uri) = _; print header(), start_html(-title = 'Change Password', -bgcolor = 'white'), h1('Please Change Password'); print h2(font({color = 'red'}, Error: $msg)) if $msg; print start_form(-action = script_name()), table( Tr(td(['Password', password_field(-name = 'password')])), Tr(td(['New Password', password_field(-name = 'newpassword1')])), Tr(td(['Confirm New Password', password_field(-name = 'confirmpassword')])) ), hidden(-name = 'request_uri', -value = $request_uri), submit('Change Password'), p(), end_form(), em('Note: '), Passwords are case sensitive. Passwords sghould be atleast 5 characters in length, and preferably contain a numeral or a special character.BRYour password will BNOT/B be displayed as you type it.; } Any help will be appreciated much :-) thanks. -Tushar
RE: apache mod_perl + suid question
Thanks a lot. That really does help. regards, -Tushar -Original Message- From: Stas Bekman [mailto:[EMAIL PROTECTED]] Sent: Tuesday, July 30, 2002 6:36 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: apache mod_perl + suid question [EMAIL PROTECTED] wrote: Hello, I am trying to write a password changing program. this article by Lincoln Stein should resolve most of your problems: http://www.samag.com/documents/s=1286/sam03020006/ and no, don't try to disable the taint mode, instead read the perlsec manpage to learn how to make your program run under -T. -- __ Stas BekmanJAm_pH -- Just Another mod_perl Hacker http://stason.org/ mod_perl Guide --- http://perl.apache.org mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com http://modperlbook.org http://apache.org http://ticketmaster.com
RE: apache mod_perl + suid question
Vitor, Yes, I get the following error when I use the -T mode: Insecure dependency in `` while running with -T switch at /usr/sbin/usermod_wrapper.pl line 27 Please bear with me, if I am going through your answer again. Please let me know if the following would be the correct way to go: So to get over this problem, I should chown apachectl to the Apache group ? And secondly, if I am running Apache as non-root, then I will have to use the system command ? I cannot use the $ret = `$wrapper` command. Is this true ? Thanks much for your help. -Tushar -Original Message- From: Vitor [mailto:[EMAIL PROTECTED]] Sent: Friday, July 26, 2002 8:31 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RES: apache mod_perl + suid question Tushar, It's not recommeded to run apache as root. (Security issues). I have some applications that uses system command under mod_perl without problems. Try to execute you wrapper script in command line. Execute it with /usr/bin/perl -T (tainted mode), that checks if your script is safe. If you got error results, you will know why it's not working. $ret = `$wrapper` , also should work in you configuration (running apache as root). Regards, Vitor -Mensagem original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Enviada em: sexta-feira, 26 de julho de 2002 20:13 Para: [EMAIL PROTECTED]; [EMAIL PROTECTED] Assunto: RE: apache mod_perl + suid question Thanks Vitor... I have something very similar to what you mention below..only that I am taking the username and passwd from the apache gui. Then I encrypt the passwd and send that to wrapper(i.e. suid_file) script. So I have something like system($wrapper), where $wrapper = suid_file.pl encrupted passwd username. I changed the suid_file to 4750 and have the ownership and group as root,root. I am also runing Apache as root. I don't have httpd as a user or group. Do I need to ? Also do I need to use the ystem command, can't I just do $ret = `$wrapper` ? thanks. -Tushar -Original Message- From: Vitor [mailto:[EMAIL PROTECTED]] Sent: Friday, July 26, 2002 7:04 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RES: apache mod_perl + suid question Hello Tushar, Try this : $suid_file = file_path/suidfile.pl; $user = nobody; $passwd = kdsak; (system($suid_file,$user,$$passwd)) or die Error in suid operation $! ; Note that suid_file need the following commands : - chmod 4750 - chown root:httpd Regards, Vitor -Mensagem original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Enviada em: sexta-feira, 26 de julho de 2002 19:41 Para: [EMAIL PROTECTED] Assunto: apache mod_perl + suid question Hello, I am trying to write a password changing program. For this I have a mod_perl subroutine from where I am trying to execute a perl script(with suid permissions 4711), which is a wrapper and in turn calls the usermod command on linux with the old and new passwords. The problem I am having: 1: The usermod command doesn't get executed. I have tried debugging this...by having a log file(/usr/local/apache/logs) and the mod_perl process does open the wrapper script..but then does nothing. It does not execute the command. What am I doing wrong ? I know there might be some quirks with suid permissons and I would like to know how can I overcome this. I have something like below from mod_perl subroutine: my $ret_val = `$wrapper`; Within the wrapper perl script, I call usermond with the passwds by doing: $ret = `$usermondcmd 21` Any help would be much appreciated. thanks a lot. -Tushar
RE: apache mod_perl + suid question
Vitor, The thing is also that I can run the wrapper from the command line without the -T switch, and I do succeed, i.e. the password does get changed. Seems like mod_perl by default has the taint mode on. How do I get rid of this taint mode from mod_perl. At present I have the following use calls in mod_perl: use Apache::Constants qw(:common); use Apache::Debug(); use CGI '-autoload'; Do I need to add something here or take out something from here to get rid of the tainted mode ? thanks. -Tushar -Original Message- From: Vitor [mailto:[EMAIL PROTECTED]] Sent: Friday, July 26, 2002 8:31 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RES: apache mod_perl + suid question Tushar, It's not recommeded to run apache as root. (Security issues). I have some applications that uses system command under mod_perl without problems. Try to execute you wrapper script in command line. Execute it with /usr/bin/perl -T (tainted mode), that checks if your script is safe. If you got error results, you will know why it's not working. $ret = `$wrapper` , also should work in you configuration (running apache as root). Regards, Vitor -Mensagem original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Enviada em: sexta-feira, 26 de julho de 2002 20:13 Para: [EMAIL PROTECTED]; [EMAIL PROTECTED] Assunto: RE: apache mod_perl + suid question Thanks Vitor... I have something very similar to what you mention below..only that I am taking the username and passwd from the apache gui. Then I encrypt the passwd and send that to wrapper(i.e. suid_file) script. So I have something like system($wrapper), where $wrapper = suid_file.pl encrupted passwd username. I changed the suid_file to 4750 and have the ownership and group as root,root. I am also runing Apache as root. I don't have httpd as a user or group. Do I need to ? Also do I need to use the ystem command, can't I just do $ret = `$wrapper` ? thanks. -Tushar -Original Message- From: Vitor [mailto:[EMAIL PROTECTED]] Sent: Friday, July 26, 2002 7:04 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RES: apache mod_perl + suid question Hello Tushar, Try this : $suid_file = file_path/suidfile.pl; $user = nobody; $passwd = kdsak; (system($suid_file,$user,$$passwd)) or die Error in suid operation $! ; Note that suid_file need the following commands : - chmod 4750 - chown root:httpd Regards, Vitor -Mensagem original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Enviada em: sexta-feira, 26 de julho de 2002 19:41 Para: [EMAIL PROTECTED] Assunto: apache mod_perl + suid question Hello, I am trying to write a password changing program. For this I have a mod_perl subroutine from where I am trying to execute a perl script(with suid permissions 4711), which is a wrapper and in turn calls the usermod command on linux with the old and new passwords. The problem I am having: 1: The usermod command doesn't get executed. I have tried debugging this...by having a log file(/usr/local/apache/logs) and the mod_perl process does open the wrapper script..but then does nothing. It does not execute the command. What am I doing wrong ? I know there might be some quirks with suid permissons and I would like to know how can I overcome this. I have something like below from mod_perl subroutine: my $ret_val = `$wrapper`; Within the wrapper perl script, I call usermond with the passwds by doing: $ret = `$usermondcmd 21` Any help would be much appreciated. thanks a lot. -Tushar
RE: apache mod_perl + suid question
Ahhh...forgot to mention...but the below approach did't work :-( It does not even go into the wrapper script when I use the system command. thanks. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Friday, July 26, 2002 7:13 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: apache mod_perl + suid question Thanks Vitor... I have something very similar to what you mention below..only that I am taking the username and passwd from the apache gui. Then I encrypt the passwd and send that to wrapper(i.e. suid_file) script. So I have something like system($wrapper), where $wrapper = suid_file.pl encrupted passwd username. I changed the suid_file to 4750 and have the ownership and group as root,root. I am also runing Apache as root. I don't have httpd as a user or group. Do I need to ? Also do I need to use the ystem command, can't I just do $ret = `$wrapper` ? thanks. -Tushar -Original Message- From: Vitor [mailto:[EMAIL PROTECTED]] Sent: Friday, July 26, 2002 7:04 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RES: apache mod_perl + suid question Hello Tushar, Try this : $suid_file = file_path/suidfile.pl; $user = nobody; $passwd = kdsak; (system($suid_file,$user,$$passwd)) or die Error in suid operation $! ; Note that suid_file need the following commands : - chmod 4750 - chown root:httpd Regards, Vitor -Mensagem original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Enviada em: sexta-feira, 26 de julho de 2002 19:41 Para: [EMAIL PROTECTED] Assunto: apache mod_perl + suid question Hello, I am trying to write a password changing program. For this I have a mod_perl subroutine from where I am trying to execute a perl script(with suid permissions 4711), which is a wrapper and in turn calls the usermod command on linux with the old and new passwords. The problem I am having: 1: The usermod command doesn't get executed. I have tried debugging this...by having a log file(/usr/local/apache/logs) and the mod_perl process does open the wrapper script..but then does nothing. It does not execute the command. What am I doing wrong ? I know there might be some quirks with suid permissons and I would like to know how can I overcome this. I have something like below from mod_perl subroutine: my $ret_val = `$wrapper`; Within the wrapper perl script, I call usermond with the passwds by doing: $ret = `$usermondcmd 21` Any help would be much appreciated. thanks a lot. -Tushar
RE: apache mod_perl + suid question
Thanks Vitor... I have something very similar to what you mention below..only that I am taking the username and passwd from the apache gui. Then I encrypt the passwd and send that to wrapper(i.e. suid_file) script. So I have something like system($wrapper), where $wrapper = suid_file.pl encrupted passwd username. I changed the suid_file to 4750 and have the ownership and group as root,root. I am also runing Apache as root. I don't have httpd as a user or group. Do I need to ? Also do I need to use the ystem command, can't I just do $ret = `$wrapper` ? thanks. -Tushar -Original Message- From: Vitor [mailto:[EMAIL PROTECTED]] Sent: Friday, July 26, 2002 7:04 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RES: apache mod_perl + suid question Hello Tushar, Try this : $suid_file = file_path/suidfile.pl; $user = nobody; $passwd = kdsak; (system($suid_file,$user,$$passwd)) or die Error in suid operation $! ; Note that suid_file need the following commands : - chmod 4750 - chown root:httpd Regards, Vitor -Mensagem original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Enviada em: sexta-feira, 26 de julho de 2002 19:41 Para: [EMAIL PROTECTED] Assunto: apache mod_perl + suid question Hello, I am trying to write a password changing program. For this I have a mod_perl subroutine from where I am trying to execute a perl script(with suid permissions 4711), which is a wrapper and in turn calls the usermod command on linux with the old and new passwords. The problem I am having: 1: The usermod command doesn't get executed. I have tried debugging this...by having a log file(/usr/local/apache/logs) and the mod_perl process does open the wrapper script..but then does nothing. It does not execute the command. What am I doing wrong ? I know there might be some quirks with suid permissons and I would like to know how can I overcome this. I have something like below from mod_perl subroutine: my $ret_val = `$wrapper`; Within the wrapper perl script, I call usermond with the passwds by doing: $ret = `$usermondcmd 21` Any help would be much appreciated. thanks a lot. -Tushar
RE: apache mod_perl + suid question
Yes, I am running it as /usr/sbin/usermod. I can run my wrapper with a simple perl script written on linux. The problem appears when I try to run it through the apache mod_perl. thanks. -Tushar -Original Message- From: Philip Mak [mailto:[EMAIL PROTECTED]] Sent: Friday, July 26, 2002 6:50 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: apache mod_perl + suid question On Fri, Jul 26, 2002 at 06:40:31PM -0400, [EMAIL PROTECTED] wrote: 1: The usermod command doesn't get executed. I have tried debugging this...by having a log file(/usr/local/apache/logs) and the mod_perl process does open the wrapper script..but then does nothing. It does not execute the command. What am I doing wrong ? Try '/usr/sbin/usermod' instead of 'usermod'. It may be a path issue. Also, 'usermod' might have to be run interactively (rather than reading from standard input), so you may have to create a virtual terminal in order to interface with usermod. (I might be wrong on this, and I can't elaborate further.)
apache mod_perl + suid question
Hello, I am trying to write a password changing program. For this I have a mod_perl subroutine from where I am trying to execute a perl script(with suid permissions 4711), which is a wrapper and in turn calls the usermod command on linux with the old and new passwords. The problem I am having: 1: The usermod command doesn't get executed. I have tried debugging this...by having a log file(/usr/local/apache/logs) and the mod_perl process does open the wrapper script..but then does nothing. It does not execute the command. What am I doing wrong ? I know there might be some quirks with suid permissons and I would like to know how can I overcome this. I have something like below from mod_perl subroutine: my $ret_val = `$wrapper`; Within the wrapper perl script, I call usermond with the passwds by doing: $ret = `$usermondcmd 21` Any help would be much appreciated. thanks a lot. -Tushar