RES: apache mod_perl + suid question
Insecure dependency in `` while running with -T switch at /usr/sbin/usermod_wrapper.pl line 27 These means that you can't use ``. You need to use system command. $command = /path/you/need; system($command); All the additional vars need to be passed through vars : $var1 = login; $var2 = password: system($command,$var1,$var2); If it does not run under -T switch, will not run in mod_perl. So to get over this problem, I should chown apachectl to the Apache group ? No. And secondly, if I am running Apache as non-root, then I will have to use the system command ? I cannot use the $ret = `$wrapper` command. Is this true ? Even running apache as root, you need to follow the tainted mode rules. Regards, Vitor -Original Message- From: Vitor [mailto:[EMAIL PROTECTED]] Sent: Friday, July 26, 2002 8:31 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RES: apache mod_perl + suid question Tushar, It's not recommeded to run apache as root. (Security issues). I have some applications that uses system command under mod_perl without problems. Try to execute you wrapper script in command line. Execute it with /usr/bin/perl -T (tainted mode), that checks if your script is safe. If you got error results, you will know why it's not working. $ret = `$wrapper` , also should work in you configuration (running apache as root). Regards, Vitor -Mensagem original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Enviada em: sexta-feira, 26 de julho de 2002 20:13 Para: [EMAIL PROTECTED]; [EMAIL PROTECTED] Assunto: RE: apache mod_perl + suid question Thanks Vitor... I have something very similar to what you mention below..only that I am taking the username and passwd from the apache gui. Then I encrypt the passwd and send that to wrapper(i.e. suid_file) script. So I have something like system($wrapper), where $wrapper = suid_file.pl encrupted passwd username. I changed the suid_file to 4750 and have the ownership and group as root,root. I am also runing Apache as root. I don't have httpd as a user or group. Do I need to ? Also do I need to use the ystem command, can't I just do $ret = `$wrapper` ? thanks. -Tushar -Original Message- From: Vitor [mailto:[EMAIL PROTECTED]] Sent: Friday, July 26, 2002 7:04 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RES: apache mod_perl + suid question Hello Tushar, Try this : $suid_file = file_path/suidfile.pl; $user = nobody; $passwd = kdsak; (system($suid_file,$user,$$passwd)) or die Error in suid operation $! ; Note that suid_file need the following commands : - chmod 4750 - chown root:httpd Regards, Vitor -Mensagem original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Enviada em: sexta-feira, 26 de julho de 2002 19:41 Para: [EMAIL PROTECTED] Assunto: apache mod_perl + suid question Hello, I am trying to write a password changing program. For this I have a mod_perl subroutine from where I am trying to execute a perl script(with suid permissions 4711), which is a wrapper and in turn calls the usermod command on linux with the old and new passwords. The problem I am having: 1: The usermod command doesn't get executed. I have tried debugging this...by having a log file(/usr/local/apache/logs) and the mod_perl process does open the wrapper script..but then does nothing. It does not execute the command. What am I doing wrong ? I know there might be some quirks with suid permissons and I would like to know how can I overcome this. I have something like below from mod_perl subroutine: my $ret_val = `$wrapper`; Within the wrapper perl script, I call usermond with the passwds by doing: $ret = `$usermondcmd 21` Any help would be much appreciated. thanks a lot. -Tushar
RES: apache mod_perl + suid question
I think you can't get out of tainted mode under mod_perl. You will have a big security role if you quit tainted mode. Regards, Vitor -Mensagem original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Enviada em: sábado, 27 de julho de 2002 12:06 Para: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Assunto: RE: apache mod_perl + suid question Vitor, The thing is also that I can run the wrapper from the command line without the -T switch, and I do succeed, i.e. the password does get changed. Seems like mod_perl by default has the taint mode on. How do I get rid of this taint mode from mod_perl. At present I have the following use calls in mod_perl: use Apache::Constants qw(:common); use Apache::Debug(); use CGI '-autoload'; Do I need to add something here or take out something from here to get rid of the tainted mode ? thanks. -Tushar -Original Message- From: Vitor [mailto:[EMAIL PROTECTED]] Sent: Friday, July 26, 2002 8:31 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RES: apache mod_perl + suid question Tushar, It's not recommeded to run apache as root. (Security issues). I have some applications that uses system command under mod_perl without problems. Try to execute you wrapper script in command line. Execute it with /usr/bin/perl -T (tainted mode), that checks if your script is safe. If you got error results, you will know why it's not working. $ret = `$wrapper` , also should work in you configuration (running apache as root). Regards, Vitor -Mensagem original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Enviada em: sexta-feira, 26 de julho de 2002 20:13 Para: [EMAIL PROTECTED]; [EMAIL PROTECTED] Assunto: RE: apache mod_perl + suid question Thanks Vitor... I have something very similar to what you mention below..only that I am taking the username and passwd from the apache gui. Then I encrypt the passwd and send that to wrapper(i.e. suid_file) script. So I have something like system($wrapper), where $wrapper = suid_file.pl encrupted passwd username. I changed the suid_file to 4750 and have the ownership and group as root,root. I am also runing Apache as root. I don't have httpd as a user or group. Do I need to ? Also do I need to use the ystem command, can't I just do $ret = `$wrapper` ? thanks. -Tushar -Original Message- From: Vitor [mailto:[EMAIL PROTECTED]] Sent: Friday, July 26, 2002 7:04 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RES: apache mod_perl + suid question Hello Tushar, Try this : $suid_file = file_path/suidfile.pl; $user = nobody; $passwd = kdsak; (system($suid_file,$user,$$passwd)) or die Error in suid operation $! ; Note that suid_file need the following commands : - chmod 4750 - chown root:httpd Regards, Vitor -Mensagem original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Enviada em: sexta-feira, 26 de julho de 2002 19:41 Para: [EMAIL PROTECTED] Assunto: apache mod_perl + suid question Hello, I am trying to write a password changing program. For this I have a mod_perl subroutine from where I am trying to execute a perl script(with suid permissions 4711), which is a wrapper and in turn calls the usermod command on linux with the old and new passwords. The problem I am having: 1: The usermod command doesn't get executed. I have tried debugging this...by having a log file(/usr/local/apache/logs) and the mod_perl process does open the wrapper script..but then does nothing. It does not execute the command. What am I doing wrong ? I know there might be some quirks with suid permissons and I would like to know how can I overcome this. I have something like below from mod_perl subroutine: my $ret_val = `$wrapper`; Within the wrapper perl script, I call usermond with the passwds by doing: $ret = `$usermondcmd 21` Any help would be much appreciated. thanks a lot. -Tushar
RES: apache mod_perl + suid question
Tushar, It's not recommeded to run apache as root. (Security issues). I have some applications that uses system command under mod_perl without problems. Try to execute you wrapper script in command line. Execute it with /usr/bin/perl -T (tainted mode), that checks if your script is safe. If you got error results, you will know why it's not working. $ret = `$wrapper` , also should work in you configuration (running apache as root). Regards, Vitor -Mensagem original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Enviada em: sexta-feira, 26 de julho de 2002 20:13 Para: [EMAIL PROTECTED]; [EMAIL PROTECTED] Assunto: RE: apache mod_perl + suid question Thanks Vitor... I have something very similar to what you mention below..only that I am taking the username and passwd from the apache gui. Then I encrypt the passwd and send that to wrapper(i.e. suid_file) script. So I have something like system($wrapper), where $wrapper = suid_file.pl encrupted passwd username. I changed the suid_file to 4750 and have the ownership and group as root,root. I am also runing Apache as root. I don't have httpd as a user or group. Do I need to ? Also do I need to use the ystem command, can't I just do $ret = `$wrapper` ? thanks. -Tushar -Original Message- From: Vitor [mailto:[EMAIL PROTECTED]] Sent: Friday, July 26, 2002 7:04 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RES: apache mod_perl + suid question Hello Tushar, Try this : $suid_file = file_path/suidfile.pl; $user = nobody; $passwd = kdsak; (system($suid_file,$user,$$passwd)) or die Error in suid operation $! ; Note that suid_file need the following commands : - chmod 4750 - chown root:httpd Regards, Vitor -Mensagem original- De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Enviada em: sexta-feira, 26 de julho de 2002 19:41 Para: [EMAIL PROTECTED] Assunto: apache mod_perl + suid question Hello, I am trying to write a password changing program. For this I have a mod_perl subroutine from where I am trying to execute a perl script(with suid permissions 4711), which is a wrapper and in turn calls the usermod command on linux with the old and new passwords. The problem I am having: 1: The usermod command doesn't get executed. I have tried debugging this...by having a log file(/usr/local/apache/logs) and the mod_perl process does open the wrapper script..but then does nothing. It does not execute the command. What am I doing wrong ? I know there might be some quirks with suid permissons and I would like to know how can I overcome this. I have something like below from mod_perl subroutine: my $ret_val = `$wrapper`; Within the wrapper perl script, I call usermond with the passwds by doing: $ret = `$usermondcmd 21` Any help would be much appreciated. thanks a lot. -Tushar