Hello there,
It's quite off-topic, but I'm using freebsd-stable, so

The problem is - running a script that requires root privileges via PHP (or probably CGI - I do not care, just want it to be secure and working).

It's all about minidlna service (I use upnp too, so mediatomb and other are no options). On FreeBSD it should be resync-ed manually, so I've got a simple script placed in /etc/periodic/daily:

more 957.dlna_update
#!/bin/sh
#Script to daily update minidlna DB

a="$*"

if (/usr/local/etc/rc.d/minidlna stop 1>/dev/null);then
    sleep 10
    if /usr/local/etc/rc.d/minidlna rescan;then
        /usr/bin/logger -t minidlna "DB updated."
        exit 0
    else
        /usr/bin/logger -t minidlna "Error. Failed to update DB."
        exit 1
    fi
else
    /usr/bin/logger -t minidlna "Error. Failed to update DB."
    exit 1
fi

And it's working fine for me. But it uses service infrastructure. So when I'm trying to run via PHP it fails. For example running under unprivileged user:

id
uid=1001(amd_miek) gid=0(wheel) groups=0(wheel),5(operator)

-rwsr-sr-x 1 root wheel 394 27 ??? 10:58 957.dlna_update*

sh -x 957.dlna_update
+ a=''
+ /usr/local/etc/rc.d/minidlna stop
kill: 10786: Operation not permitted
+ /usr/bin/logger -t minidlna 'Error. Failed to update DB.'
+ exit 1

What is the best way to run it via WEB?

On Fri, 27 Sep 2013 11:18:40 +0200, Michael BlackHeart <amdmiek at gmail.com> wrote:
> Hello there,
> It's quite off-topic, but I'm using freebsd-stable, so
>
> The problem is - running a script that requires root privileges via PHP (or
> probably CGI - I do not care, just want it to be secure and working).
>
> It's all about minidlna service (I use upnp too, so mediatomb and other are
> no options). On FreeBSD it should be resync-ed manually, so I've got a
> simple script placed in /etc/periodic/daily:
>
> more 957.dlna_update
> #!/bin/sh
> #Script to daily update minidlna DB
>
> a="$*"
>
> if (/usr/local/etc/rc.d/minidlna stop 1>/dev/null);then
>     sleep 10
>     if /usr/local/etc/rc.d/minidlna rescan;then
>         /usr/bin/logger -t minidlna "DB updated."
>         exit 0
>     else
>         /usr/bin/logger -t minidlna "Error. Failed to update DB."
>         exit 1
>     fi
> else
>     /usr/bin/logger -t minidlna "Error. Failed to update DB."
>     exit 1
> fi
>
> And it's working fine for me. But it uses service infrastructure. So when
> I'm trying to run via PHP it fails. For example running under unprivileged
> user:
>
> id
> uid=1001(amd_miek) gid=0(wheel) groups=0(wheel),5(operator)
>
> -rwsr-sr-x 1 root wheel 394 27 ??? 10:58 957.dlna_update*
>
> sh -x 957.dlna_update
> + a=''
> + /usr/local/etc/rc.d/minidlna stop
> kill: 10786: Operation not permitted
> + /usr/bin/logger -t minidlna 'Error. Failed to update DB.'
> + exit 1
>
> What is the best way to run it via WEB?

You can't setuid a shell script. The executable actually is '/bin/sh' which just reads the shell script. So you should setuid /bin/sh which is a security problem.

You can use sudo to do this. (/usr/ports/security/sudo)

Ronald.

Hi--

On Sep 27, 2013, at 2:18 AM, Michael BlackHeart <amdmiek at gmail.com> wrote:
> Hello there,
> It's quite off-topic, but I'm using freebsd-stable, so
>
> The problem is - running a script that requires root privileges via PHP (or
> probably CGI - I do not care, just want it to be secure and working).

Unfortunately the combination of PHP, doing something which needs root, and security are inherently contradictory.

The least risky approach would be to invoke the needed command via sudo, or possibly a small setuid-root C wrapper program which launches only the needed script with root permissions. Use sudo unless your C wrapper is careful enough to use exec() and not system(), sanitizes $PATH and other env variables, and guards against games with $IFS, shell metachars, and such.

Regards,
--
-Chuck

On Fri, 27 Sep 2013 23:50:02 +0200, Charles Swiger <cswiger at mac.com> wrote:
> Hi--
>
> On Sep 27, 2013, at 2:18 AM, Michael BlackHeart <amdmiek at gmail.com> wrote:
>> Hello there,
>> It's quite off-topic, but I'm using freebsd-stable, so
>>
>> The problem is - running a script that requires root privileges via PHP (or
>> probably CGI - I do not care, just want it to be secure and working).
>
> Unfortunately the combination of PHP, doing something which needs root, and
> security are inherently contradictory.
>
> The least risky approach would be to invoke the needed command via sudo, or
> possibly a small setuid-root C wrapper program which launches only the
> needed script with root permissions. Use sudo unless your C wrapper is
> careful enough to use exec() and not system(), sanitizes $PATH and other
> env variables, and guards against games with $IFS, shell metachars, and such.
>
> Regards,

Use sudo, because your home grown C wrapper will make all the mistakes which are already solved in sudo. Or will be spotted in the future in sudo and will never be spotted in your program. Chances are high that future requirements of your C wrapper will turn it into a little sudo.

Ronald.