Web Development Thread: shell_exec (Coding and Web Development), page 1 of 2, posts 1 to 15 of 22
  1. #1 Hightower

    shell_exec

    I'm playing about with squid at the minute (on an Ubuntu server OS) and am very pleased with what it can do. It seems the last thing I want it to do is the one I am having most difficulty with.

    I want to be able to restart squid from a web page (which is served from the same server).

    Something like
    Code:
    shell_exec('/etc/init.d/squid restart');
    This doesn't work though because of permissions. Can anybody help me achieve this please?

  2. #2

    Squid

    Could you use webmin ?

  3. #3 Hightower

    I could use webmin but I want this to work from a custom web script that I have designed.

  4. #4 powdarrmonkey

    Is this PHP? You'll have to relax some of the safety in php.ini to shell out in the first place. However, even then your shell command will run as a non-privileged user, so you won't be able to restart squid from there.

    You could:

    - run apache as root (baaad)
    - add apache to the root group (baaad)
    - setuid (http://en.wikipedia.org/wiki/Setuid) /etc/init.d/squid to run as root (baaad)

    I think you see the pattern. You're gambling with remote code exploits here, which is why apache isn't set up like this in the first place. But if you want to go ahead, choose one of the above (I'd go with setuid myself, it's the most minimal solution.)
    Last edited by powdarrmonkey; 4th February 2009 at 12:07 PM.

  5. #5 Hightower

    The server is not open to the outside world and this script will be hidden behind an LDAP authentication anyway.

  6. #6 Geoff

    Quote Originally Posted by powdarrmonkey View Post (post #4 above, quoted in full)

    I have a slightly safer idea. If you give your PHP user sudo access to /etc/init.d/squid, then even if someone got in, the only thing they'd be able to do is stop and start squid.

  7. #7 Hightower

    Quote Originally Posted by Geoff View Post
    I have a slightly safer idea. If you give your PHP user sudo access to /etc/init.d/squid, then even if someone got in, the only thing they'd be able to do is stop and start squid.
    How? visudo?

  8. #8 Geoff

    As I recall, apache runs as www-data on ubuntu. Thus if you alter /etc/sudoers like so:

    Code:
    www-data = NOPASSWD: /etc/init.d/squid
    then if you 'su' to www-data, you should be able to stop/start squid.

    For the PHP bit, you're on your own.

  9. #9 Hightower

    Quote Originally Posted by Geoff View Post (post #8 above, quoted in full)
    Just put exactly that line in the file and now I get
    Code:
    >>> sudoers file: syntax error, line 16 <<<
    sudo: parse error in /etc/sudoers near line 16
    Can't get back into file to change it back

  10. #10 Hightower

    I think you missed out the ALL?

    Code:
    ALL = NOPASSWD:....

  11. #11 Geoff

    'ALL' means all users, probably not what you intended.

  12. #12 Hightower

    What I have is
    Code:
    %www-data ALL=NOPASSWD: /etc/init.d/squid3
    I have logged in as www-data and tried restarting the squid server - apparently it went through successfully, but it doesn't update my ACLs until I restart the server as root.
    Last edited by Hightower; 4th February 2009 at 03:11 PM.

  13. #13 Geoff

    Ok, I didn't know you wanted to do that. Allow www-data to run the following:

    Code:
    squid -k reconfigure

  14. #14 Hightower

    Just stick that in the same line as my code?

  15. #15 Hightower

    I tried this line
    Code:
    %www-data ALL=NOPASSWD: squid3 -k reconfigure
    but it didn't work (broke the sudoers file again).

    What should I be entering?
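    Added example, not a post from the thread and not squid's or sudo's own tooling: one script that puts posts #8 to #15 together into a least-privilege setup. Two facts about sudoers explain the breakage seen above: the line in post #8 is missing the host field (user, then "host=", then the tag and command), and the line in post #15 fails because sudoers only accepts fully qualified command paths. Rather than grant `squid3 -k reconfigure` directly, the script grants a root-owned wrapper that does exactly that and nothing else, so www-data can never pick squid's options. Assumed names, all mine: the squid3 binary at /usr/sbin/squid3, the wrapper at /usr/local/sbin/squid-reconfigure, the drop-in at /etc/sudoers.d/squid-reconfigure (which needs `#includedir /etc/sudoers.d` in /etc/sudoers, the default on later Ubuntu releases; on an older one, paste the printed rule into /etc/sudoers with visudo instead), and www-data as Apache's user and group. Every function takes a prefix directory so the whole thing can be dry-run in a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the thread): give www-data exactly one privileged action,
# "reload squid's configuration", through a root-owned wrapper and a sudoers drop-in.
# Assumed paths (change to match your box):
SQUID_BIN=/usr/sbin/squid3                      # squid3 package on Ubuntu
WRAPPER=/usr/local/sbin/squid-reconfigure       # the only command sudo will grant
DROPIN=/etc/sudoers.d/squid-reconfigure         # needs "#includedir /etc/sudoers.d" in /etc/sudoers
WEB_GROUP=www-data                              # Apache's user, and the group of the same name

# Root-owned wrapper that ignores its arguments and does one fixed thing. Granting the
# wrapper rather than squid3 itself means www-data can never choose squid's options
# (-k shutdown, -f /some/other/config, ...).
write_wrapper() {
    prefix=$1
    mkdir -p "$prefix$(dirname "$WRAPPER")"
    cat > "$prefix$WRAPPER" <<EOF
#!/bin/sh
# Reload squid's config (picks up new ACLs) without stopping the proxy.
exec $SQUID_BIN -k reconfigure
EOF
    chmod 0755 "$prefix$WRAPPER"   # executable, and not writable by group or other
}

# sudoers grammar:  who  host=(run-as)  tag: /absolute/command args
# The trailing "" means "no arguments allowed"; a command listed with no argument list
# matches *any* arguments (which is why /etc/init.d/squid alone also permits "stop").
sudoers_rule() {
    printf '%%%s ALL=(root) NOPASSWD: %s ""\n' "$WEB_GROUP" "$WRAPPER"
}

write_sudoers_dropin() {
    prefix=$1
    mkdir -p "$prefix$(dirname "$DROPIN")"
    sudoers_rule > "$prefix$DROPIN"
    chmod 0440 "$prefix$DROPIN"   # sudo rejects sudoers files writable by group or other
}

# Verify the install: syntax-check the drop-in with visudo when running as root (visudo -c
# also checks owner and mode, so it only passes on a root-owned copy), and refuse a wrapper
# that anyone but root could edit, since an editable wrapper is root for the taking.
check_install() {
    prefix=$1
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$prefix$DROPIN" >/dev/null || return 1
    fi
    [ -x "$prefix$WRAPPER" ] || return 1
    if [ -n "$(find "$prefix$WRAPPER" -perm -020 -o -perm -002 2>/dev/null)" ]; then
        return 1   # group- or world-writable wrapper
    fi
    grep -q "^exec $SQUID_BIN -k reconfigure\$" "$prefix$WRAPPER" || return 1
    return 0
}

# Real installation (run as root). Pass a scratch directory as the prefix to dry-run.
install_squid_reconfigure() {
    prefix=${1-}
    write_wrapper "$prefix"
    write_sudoers_dropin "$prefix"
    chown root:root "$prefix$WRAPPER" "$prefix$DROPIN"
    check_install "$prefix" || { echo "squid-reconfigure: install check failed" >&2; return 1; }
    # Show exactly what the web user may now run as root (should be the one wrapper line).
    sudo -l -U "$WEB_GROUP"
}

# Only touch the live system when asked explicitly:  sh this_script.sh install
if [ "${1-}" = install ]; then
    install_squid_reconfigure ""
fi
```

    From PHP the call then becomes `exec('/usr/bin/sudo -n /usr/local/sbin/squid-reconfigure 2>&1', $out, $rc)` with `$rc === 0` as the success test: `-n` makes sudo fail at once instead of hanging for a password when the rule does not match, and nothing taken from the request ever reaches the command string. shell_exec and exec must not be listed in php.ini's disable_functions (and PHP 5's safe_mode blocks them too). If your sudoers carries `Defaults requiretty` (not Ubuntu's default), sudo from Apache has no tty and refuses; lift it for the group only with `Defaults:%www-data !requiretty`. Keep the LDAP check in front of the page and accept POST only, since a GET that reloads the proxy is one image tag away from anyone the admin visits.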
