[Za-pm] Using perl to call a bash script

Oskar Pearson oskar at qualica.com
Tue May 13 02:22:23 CDT 2003


Hi

> Okay, will try that, no time tonight though. The backtick PHP thing never worked
> for me, gave me an error; I tried rectifying it in PHP but never got it right.
> I can see where you are going and will give it a bash in the morning. Can I
> call root stuff like this though, like /var/log/syslog has root permissions?
> Doesn't matter if you change it; as soon as the system writes to it, it gets root
> perms again. Can your way pull from a root group user syslog file?
> Nonetheless, I'll experiment.


When you run a cgi, it runs as the user that the web server is running
as. If you run apache, the 'User' and 'Group' options tell the server
who to run as.

oskar@core1:~/Mail/p$ grep -i '^User' /etc/apache/httpd.conf
User www-data
oskar@core1:~/Mail/p$ grep -i '^Group' /etc/apache/httpd.conf
Group www-data
oskar@core1:~/Mail/p$

What's probably happening is that the command is not able to
access the /var/log/syslog file as this user.

There are a couple of options here:


1) Create a "setuid script".
2) Change the user and group that the webserver runs as.
3) Change the readability of the log file so that anyone
can read it.


Covered in turn:

1) If you're interested, you can figure out setuid stuff in
Perl. Some possible links (I haven't read any of them - just did a
quick Google) are at http://heap.nologin.net/programming.html

You'll need to read "man perlsec" too, and put something like
the following at the top of the script:

#!/usr/bin/perl -wT
use strict;

$< = $>;   # real uid := effective uid, so child processes keep the setuid identity
$( = $);   # real gid := effective gid
$ENV{PATH} = "/usr/bin:/bin";   # fixed PATH; taint mode refuses to exec with an inherited one

Check "man perlsec" for more info.

2) I'd not suggest this. Exploits occasionally come out for
things like apache that allow users to get "www-data" access. If
you change this to root, then hackers have root access if they
can exploit your box.


3) Change the log permissions.

Depending on your system, things like "logrotate" may change
the permissions back. You'll possibly need to configure things
so that the mode etc. are correct. man logrotate says:

create mode owner group
      Immediately after rotation (before the postrotate script is run) the
      log file is created (with the same name as the log file just rotated).
      mode specifies the mode for the log file in octal (the same as
      chmod(2)), owner specifies the user name who will own the log file,
      and group specifies the group the log file will belong to. Any of the
      log file attributes may be omitted, in which case those attributes for
      the new file will use the same values as the original log file for the
      omitted attributes. This option can be disabled using the nocreate
      option.

Hope this helps!

Oskar
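As an added example (not Oskar's code, and not from the original thread), here is what option 1 looks like as a complete taint-mode CGI: it uses the preamble above, replaces the environment wholesale, reads only the one fixed log path, untaints the requested line count with an explicit pattern, and runs tail through list-form open so no shell is ever involved. It assumes the script has been made setuid by whatever mechanism the post's links describe, and that /usr/bin/tail exists; the `n=` query parameter is an assumed interface.

```perl
#!/usr/bin/perl -wT
# Added example: show the last N lines of /var/log/syslog from a setuid CGI.
# Assumes the script is installed setuid as the post suggests (mechanism not shown).
use strict;

# Preamble from the post: make real uid/gid match the effective ones so
# every file open and child process runs under the same identity.
$< = $>;
$( = $);

# Capture the only piece of client input we use before clearing the environment.
my $query = $ENV{QUERY_STRING};

# Replace the inherited environment with a fixed, minimal one; taint mode
# will not exec anything while PATH (or IFS, CDPATH, ENV, BASH_ENV) is tainted.
%ENV = (PATH => '/usr/bin:/bin');

# The log path is a constant; it is never derived from request data.
my $LOG = '/var/log/syslog';

# Untaint the line count: only a 1-3 digit value from "n=" is accepted,
# anything else (or a zero) falls back to the default. The regex capture is
# what removes the taint, so keep the pattern strict.
sub lines_wanted {
    my ($qs) = @_;
    return 50 unless defined $qs && $qs =~ /(?:^|&)n=(\d{1,3})(?:&|$)/;
    my $n = $1;
    return $n >= 1 ? $n : 50;
}

my $n = lines_wanted($query);

# Refuse to continue if the target is not a readable regular file; under
# setuid these tests use the effective uid, i.e. the privileged identity.
die "log file missing or not readable\n" unless -f $LOG && -r _;

print "Content-Type: text/plain\r\n\r\n";

# List-form pipe open executes tail directly (no /bin/sh), so the arguments
# are passed as-is and cannot be reinterpreted as shell syntax.
open(my $tail, '-|', '/usr/bin/tail', '-n', $n, $LOG)
    or die "cannot run tail: $!\n";
print while <$tail>;
close $tail;
```

Requesting the script with `?n=20` returns the last 20 lines; any other value of n, or none at all, yields the default 50.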


