Re: apache mod_perl + suid question

2002-07-30 Thread Stas Bekman

[EMAIL PROTECTED] wrote:
> Hello,
>
> I am trying to write a password changing program.

this article by Lincoln Stein should resolve most of your problems:
http://www.samag.com/documents/s=1286/sam03020006/

and no, don't try to disable the taint mode,
instead read the perlsec manpage to learn how to make your program run 
under -T.



-- 
Stas Bekman    JAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide --- http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
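
The "Insecure dependency" diagnostic reported elsewhere in this thread means tainted data reached the backticks. The following is an added example, not code from any poster in the thread: a wrapper written to run under -T along the lines perlsec describes. The script name, argument order (username, then crypt hash), validation patterns and the constructed sample values are assumptions.

```perl
#!/usr/bin/perl -T
# Hypothetical wrapper (added example). Invoke as: wrapper.pl USER CRYPT_HASH
# The argument order and both patterns below are assumptions of this sketch.
use strict;
use warnings;

# Under -T, %ENV is tainted: pin PATH and drop the variables perlsec
# names before running any external program.
$ENV{PATH} = '/usr/sbin:/usr/bin:/sbin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint only by capturing from an anchored allow-list pattern.
# A leading '-' is impossible, so a value can never pose as an option.
sub untaint_username {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([a-z_][a-z0-9_-]{0,31})\z/ ? $1 : undef;
}

sub untaint_crypt_hash {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ m{\A([A-Za-z0-9./\$]{13,128})\z} ? $1 : undef;
}

# Returns the argv for list-form system(), which bypasses the shell.
sub build_usermod_argv {
    my ($raw_user, $raw_hash) = @_;
    my $user = untaint_username($raw_user);
    my $hash = untaint_crypt_hash($raw_hash);
    die "rejected username\n"       unless defined $user;
    die "rejected password hash\n"  unless defined $hash;
    die "refusing to modify root\n" if $user eq 'root';
    return ('/usr/sbin/usermod', '-p', $hash, $user);
}

if (@ARGV == 2) {
    my @argv = build_usermod_argv(@ARGV);
    system(@argv) == 0 or die "usermod failed, wait status $?\n";
} else {
    # No arguments: dry run over constructed sample usernames and a
    # constructed 13-character hash string; nothing is executed.
    for my $name ('tushar', 'alice;id', '-o', 'root') {
        my $ok = eval { build_usermod_argv($name, 'abJnggxhB/yWI'); 1 };
        print "$name: ", ($ok ? "accepted\n" : "rejected: $@");
    }
}
```

The hash passed with -p is visible in the process list while usermod runs; feeding `chpasswd -e` on standard input avoids that.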




RE: apache mod_perl + suid question

2002-07-30 Thread pandit_tushar

Thanks a lot. That really does help.

regards,

-Tushar





RE: apache mod_perl + suid question

2002-07-27 Thread pandit_tushar

Vitor,

Yes, I get the following error when I use the -T mode:

Insecure dependency in `` while running with -T switch at
/usr/sbin/usermod_wrapper.pl line 27


Please bear with me, if I am going through your answer again.
Please let me know if the following would be the correct
way to go:

So to get over this problem, I should chown apachectl to
the Apache group ?
And secondly, if I am running Apache as non-root, then I
will have to use the system command ? I cannot use
the $ret = `$wrapper` command. Is this true ?

Thanks much for your help.

-Tushar






-Original Message-
From: Vitor [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 26, 2002 8:31 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RES: apache mod_perl + suid question


Tushar,

It's not recommended to run apache as root. (Security issues).

I have some applications that use the system command under mod_perl without
problems.

Try to execute your wrapper script on the command line. Execute it with
/usr/bin/perl -T (tainted mode), that checks if your script is safe. If you
get error results, you will know why it's not working.

$ret = `$wrapper` , also should work in your configuration (running apache as
root).

Regards,

Vitor

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 26, 2002 20:13
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: apache mod_perl + suid question


Thanks Vitor...

I have something very similar to what you mention below..only
that I am taking the username and passwd from the apache gui.
Then I encrypt the passwd and send that to wrapper(i.e. suid_file)
script.
So I have something like system($wrapper), where $wrapper =
suid_file.pl encrypted passwd username.

I changed the suid_file to 4750 and have the ownership and
group as root,root. I am also running Apache as root. I don't
have httpd as a user or group. Do I need to ?
Also do I need to use the system command, can't I just do
$ret = `$wrapper` ?

thanks.

-Tushar


-Original Message-
From: Vitor [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 26, 2002 7:04 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RES: apache mod_perl + suid question


Hello Tushar,

Try this :

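# String literals need quotes.
$suid_file = "file_path/suidfile.pl";
$user = "nobody";
$passwd = "kdsak";

# system() returns 0 on success, so test for 0 before calling die.
system($suid_file, $user, $passwd) == 0
    or die "Error in suid operation: $! (status $?)";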

Note that suid_file needs the following commands :

- chmod 4750
- chown root:httpd

Regards,

Vitor



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 26, 2002 19:41
To: [EMAIL PROTECTED]
Subject: apache mod_perl + suid question



Hello,

I am trying to write a password changing program. For this I have a mod_perl
subroutine from where I am trying to execute a perl script (with suid
permissions 4711), which is a wrapper and in turn calls the usermod command
on linux with the old and new passwords.
The problem I am having:
1: The usermod command doesn't get executed. I have tried debugging
this...by having a log file(/usr/local/apache/logs) and the mod_perl process
does open the wrapper script..but then does nothing. It does not execute the
command. What am I doing wrong ? I know there might be some quirks with suid
permissions and I would like to know how can I overcome this.
I have something like below from mod_perl subroutine:

my $ret_val = `$wrapper`;

Within the wrapper perl script, I call usermod with the passwds by doing:
$ret = `$usermondcmd 2>&1`


Any help would be much appreciated.

thanks a lot.

-Tushar



RE: apache mod_perl + suid question

2002-07-27 Thread pandit_tushar

Vitor,

The thing is also that I can run the wrapper from the command line without
the -T switch, and I do succeed, i.e. the password does get changed. Seems like
mod_perl by default has the taint mode on.
How do I get rid of this taint mode from mod_perl?
At present I have the following use calls in mod_perl:

use Apache::Constants qw(:common);
use Apache::Debug();
use CGI '-autoload';


Do I need to add something here or take out something from here to get rid
of the tainted mode ?

thanks.


-Tushar







RE: apache mod_perl + suid question

2002-07-26 Thread pandit_tushar

Ahhh...forgot to mention...but the below approach didn't work :-(
It does not even go into the wrapper script when I use the system command.

thanks.




RE: apache mod_perl + suid question

2002-07-26 Thread pandit_tushar

Thanks Vitor...

I have something very similar to what you mention below..only
that I am taking the username and passwd from the apache gui.
Then I encrypt the passwd and send that to wrapper(i.e. suid_file)
script.
So I have something like system($wrapper), where $wrapper =
suid_file.pl encrypted passwd username.

I changed the suid_file to 4750 and have the ownership and
group as root,root. I am also running Apache as root. I don't
have httpd as a user or group. Do I need to ?
Also do I need to use the system command, can't I just do
$ret = `$wrapper` ?

thanks.

-Tushar






RE: apache mod_perl + suid question

2002-07-26 Thread pandit_tushar

Yes, I am running it as /usr/sbin/usermod. I can run my wrapper
with a simple perl script written on linux. The problem appears
when I try to run it through the apache mod_perl.

thanks.

-Tushar


-Original Message-
From: Philip Mak [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 26, 2002 6:50 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: apache mod_perl + suid question


On Fri, Jul 26, 2002 at 06:40:31PM -0400, [EMAIL PROTECTED] wrote:
> 1: The usermod command doesn't get executed. I have tried debugging
> this...by having a log file(/usr/local/apache/logs) and the mod_perl
> process does open the wrapper script..but then does nothing. It does
> not execute the command. What am I doing wrong ?

Try '/usr/sbin/usermod' instead of 'usermod'. It may be a path issue.

Also, 'usermod' might have to be run interactively (rather than
reading from standard input), so you may have to create a virtual
terminal in order to interface with usermod. (I might be wrong on
this, and I can't elaborate further.)



Re: apache mod_perl + suid question

2002-07-26 Thread Philip Mak

On Fri, Jul 26, 2002 at 06:40:31PM -0400, [EMAIL PROTECTED] wrote:
> 1: The usermod command doesn't get executed. I have tried debugging
> this...by having a log file(/usr/local/apache/logs) and the mod_perl
> process does open the wrapper script..but then does nothing. It does
> not execute the command. What am I doing wrong ?

Try '/usr/sbin/usermod' instead of 'usermod'. It may be a path issue.

Also, 'usermod' might have to be run interactively (rather than
reading from standard input), so you may have to create a virtual
terminal in order to interface with usermod. (I might be wrong on
this, and I can't elaborate further.)