I am using Apache 2.4 on Ubuntu. I have written one module in C language and integrated it into Apache server using Apache Extension tools (apxs). There is some part of my code where I am calling executable using exec function but I want to call that executable as superuser. so I want to run my module with superuser privileges but by default Apache is running as www-data user and asking for password for www-data.
Is there any way to run this module using superuser privileges?
Otherwise is there any other way to run root command in C within Apache module?
Is it possible to use suExec module for this?
No, it's not possible to run the Apache module under a different user from the Apache server itself. But there are several strategies to workaround that limitation.
1) You can set the "setuid bit" on the executable you want to run from Apache, like this:
chown root:root executable
chmod 06755 executable
Then, when you run this executable (say, with fork + exec or with system) from the Apache module, the executable will run from under the root user, with root permissions.
2) You can configure the /etc/sudoers file in a way that will allow the www-data to run the executable in question with the root priviledges with the help of the sudo command.
3) You can have a separate process running with root priviledges and receiving commands from the Apache module with any kind of IPC/RPC.
Please note, that you should avoid using the root priviledges if it all possible since running your code under root might pose a security risk. Unless, of course, you're absolutely sure that your code won't have any bugs.
Related
I'm trying to remotely launch and debug a new process with lldb without much success.
Attaching to an already launched process works well by running these commands:
process connect <url>
process attach -P gdb-remote --pid <pid>
But if I want debugserver to launch the executable by itself I'm running into troubles. Especially, I have no clue what arguments should I pass to target create.
According to this page LLDB "will transparently take care of [..] downloading the executable in order to be able to debug", yet target create seem to always require a local file. If I specify the remote file via -r I get either unable to open target file or remote --> local transfer without local path is not implemented yet errors. If I set the target to a local file (such as a local copy of the remote's loader executable) without using -r, then attempt to run process launch -p gdb-remote -s <remote path> LLDB will attempt running the local path on the remote machine and fail.
What are the correct commands I need to use in order to launch a remote process?
After contacting LLDB's mailing list Greg updated the documentation page, which now clearly explains what I have to do (Specifically I was missing the script lines, which appear to be the correct way to set the remote executable path)
I have an install target in my Makefile and wish to run some commands that install shared libraries(requires root permissions) and some that install config files into $HOME/.config
Usually I'd just tell the user to run sudo make install, however that results in the config file being installed to /root/.config instead of the actual users config directory.
How do I work around this issue?
Thanks alot.
You can just change the owner and permissions of the config files, although a Makefile that installs per user configuration files, is not a good idea because it would ideally need to find out how many users exist on the system to install the files for each user.
If you use the install command, you could even do
install -v -m644 -o$(USERNAME) -g$(USERGROUP) $(FILE) $(USERHOME)/.config/$(FILE)
A better approach would be to let the program install the default config files from a system wide directory when it doesn't find them, for example
/usr/share/my-application/default-config/config.conf
and then the program would search for the files in the appropriate directoy and copy them to the $HOME directory of the user that is currently running the program, that if the files are modifiable by the user, otherwise you just access them from their system-wide location.
I would like to know the answers and explanation to the following questions:
Which user/group should own the cake files?
If different, which user/group should own the app/tmp folder? (and subfolders)
With the right user/group, what are the correct permissions for production of both folders and files? (which also if set correctly should work on development)
Where is storing of uploaded files done and what ownership/permissions need to be set to that folder. Where should it be relative to app/?
I know 777 fixes errors, but I would like to set it up correctly.
I have heard 660 should be more than enough for production if everything is correctly set up.
Who needs to have read access, who needs to have write access and does anyone need execute?
NOTE: I think I have found the answers and since no one has written a good answer, I will write it.If you are more knowledgeable on the topic and see errors or security issues please let me know, I will correct them.
1) CakePHP ownership
The CakePHP files should be owned by you, the user of the machine (whatever you log in with). Do not have root as owner!
OSX: the johnsmith part of /Users/johnsmith
Linux: the johnsmith part of /home/johnsmith
2) app/tmp ownership.
As per CakePHP documentation:
...make sure the directory app/tmp and all its subdirectories in your
cake installation are writable by the web server user.
Option 1:
The user owner needs to be apache's user. The group owner can be the group that you belong to, so that you also have access to this folder through finder/CLI. Do not have root as owner!
OSX: Apache is preinstalled on OSX lately and the default user of apache is _www. However if you are not sure you can find it out by typing terminal ps aux | grep httpd while apache runs. The last line is the command you just typed, so look above it.
Now that you know your apache user, you have to assign it to app/tmp/. You do this with the following command: sudo chown -R _www app/tmp/
Linux: The default user on linux is usually www-data with group www-data. If you are not sure, use ps aux | grep httpd to find out the user and sudo chown -R _www app/tmp/ to assign ownership to apache of that folder.
Option 2:
You can keep yourself as the user owner, but you set up the group owner to be the a group that apache belongs to. By default apache has it's own group, but you could create a new group and add apache to it.
OSX: The group of apache on OSX by default is the same os the user: _www. You then have to run the following command to se up the ownership: sudo chown -R :_www app/tmp/. Now if you check the permissions with ls -l you should see both your username (johnsmith) and the new group owner - _www.
Linux:* By default the group of apache is www-data so use the same commands to change ownership: sudo chown -R :www-data app/tmp/.
NOTE: Debian/Ubuntu use www-data, while CentOS uses apache.
3) Permissions
For the site to run, apache needs read and write without execute. For you to access it (assuming you are in the group that owns app/tmp) you also need read and write if you will edit manually things with terminal/finder. All other users should have no rights whatsoever. So:
OSX&Linux: sudo chmod -R 660 app/tmp/. The -R part is to do it recursively for all inside folders. The first 6 is for the user owner (OSX:_www or Linux:www-data), the second 6 is for the group owner (OSX:staff or Linux: johnsmith), the 0 is for all other users/guests.
NOTE: According to this pull request for CakePHP it looks like CakePHP 2.4 will have ability to create subfolders in app/tmp/ which means it will need a 7 instead of 6 for the user now becoming 760.
4) Uploads folder
If you want to upload files, you need a similar setup for the img/uploads folder, or wherever you upload. The ownership will be the same, but the permissions need to have execute rights for renaming purposes and folder creation. so the previously 660 should now be 760. Also, ideally, the uploads are out of the webroot/ directory, for which an absolute path is required.
For all files in app/tmp and subfolders you only need rw for the web server process and if needed to use the CLI, the console user.
If someone runs console commands with a user that has super rights or is in the wrong group it messes up things because what one creates can't be read or written from the other and then there are warning or failure messages. Some people (including me when I'm too lazy) fix that with 777 :)
I'm programming application using libpcap. when I debug the application in normal mode, pcap cannot get the network device. it seems that I have to debug the application in root.
How can I debug the application in root? I have the root password.
I think eclipse has such an option that can add root for the debugging application,but I don't know how to do it.
please help.
Enable your user to run gdb as root without being asked for any
password:
sudo visudo
Add the following line after all other rules:
<youruser> ALL=(root) NOPASSWD:/usr/bin/gdb
Create or modify a debug configuration in eclipse to run gdb as root
e.g. in Run > Debug Configurations > C/C++ Application > YourProject Debug:
change Debugger > Main > GDB debugger from gdb to sudo -u <youruser> gdb
Update (and warning!):
In his comment nategoose pointed out that this answer should come with a warning:
Enabling a user to use sudo for gdb like suggested in my answer in fact gives admin privileges to him/her which in many cases might be an undesired side effect. I therefore consider the answer appropriate in an environment where it's not assumed that the user would try to harm the system (e.g. it's your own personal computer or a virtual machine)
For a multi-(non-trusted)-user environment I think it might be a better idead to utilize unix' file capabilities to enable gdb to debug an application without the need of admin privileges
You can use gdbserver on localhost to attach a existing process, the following is the command line:
sudo gdbserver :<listening port> --attach <pid>
Or you can create a new process using gdbserver:
sudo gdbserver :<listening port> <process executable>
Then you can create a debugging configuration in Eclipse, in the debugger tab, the debugger item, select gdbserver, and input the listening port in the connection tab in the bellow.
Launch Eclipse with sudo (just for completeness: http://www.eclipse.org/forums/index.php?t=msg&goto=516838&)
Update: Follow xmoex solution. If you run Eclipse as root (ie. using sudo) your files will be root-owned... which you probably don't want.
Another solution is to grant you (or the gdb executable) the rights to make some pcap captures as mentioned here. With something like this :
setcap cap_net_raw,cap_net_admin=eip /usr/bin/gdb
you should be able to allow to capture packets to gdb without being root.
Here's how I did it:
Create a C/C++ Remote Application
On the target, make sure your sudo does not prompt for a PW
Look at Debug Configurations → Debugger → Port number
Edit Debug Configurations → Main → Commands to execute before application
Change to:
sudo gdbserver :<port number> <path to application>;exit #
This will basically run the gdbserver that would normally be executed by eclipse inside the sudo, the trailing '#' will keep the eclipse command from executing.
this question was asked a long time ago but if this will help to anybody I open a bug in bugzilla and this short thread solved the problem:
bugzilla bug
From the console in the directory with your executable:
sudo gdb ./my_program
If eclipse supports remote debugging then you could do that even though it is running locally.
From the console:
sudo gdbserver localhost:<port_number> ./my_program
And then tell Eclipse the address (localhost and the port number you chose).
Oh yeah, you said the reason you were doing this was because you were using libpcap, so you may not want to use remote debugging over TCP because you may end up capturing your debugging connection packets in addition to your other network traffic.
In that case you do your remote (but really local) debugging over a serial port. I have never done this on a local machine, but you could use two actual serial ports (attaching them though a null modem) or try using a psudoterminal:
sudo gdbserver /dev/ptmx ./my_program
This will create the psudo-terminal under /dev/pts/ but you'll have to figure out the name of it, and it might also create it with restrictive permissions. You can get around those. Unless you are running lots of terminal windows as root, it is not likely that you have many entries under /dev/pts that belong to root, so take note of the one that does after running the above command and then sudo chmod or sudo chown it to make it usable for your normal user and then tell your debugger to use that as your serial connection to your remote debugging target.
easiest way, try sudo ./eclipse, then debug as usual
We are trying to bind a Linux machine (debian 4.0) to W2k3 AD. We have configured kerberos properly so that we can get TGTs. And users authenticate properly. However, PAM seems to be the sticky wicket. For example when we try to SSH to the linux machine as one of the AD users, the authentication succeeds (as per the auth.log) but I never get shell. The default environment is configured properly and PAM even creates the Homedir properly. As a reference we were loosely following:
https://help.ubuntu.com/community/ActiveDirectoryHowto
If you're confident everything but PAM works correctly, I suggest passing the debug option to pam_krb5.so to see if that gives a clue to what's happening.
I'd also suggest verifying that nss-ldap is set up correctly using
getent passwd avalidusername
I have used Likewise to do something similar on our servers. Here is the process we use to configure it:
Install Likewise:
$ sudo apt-get update
$ sudo apt-get install likewise-open
Join the domain (Assuming the domain "domain.local")
$ sudo domainjoin-cli join domain.local Administrator
$ sudo update-rc.d likewise-open defaults
$ sudo /etc/init.d/likewise-open start
Assuming you are using sudo AND want AD users to be able to have sudoer powers, you need to edit the sudoers file. This can be done with following command:
$ sudo visudo
then add the following to the end of the file (this assumes the domain "DOMAIN" and all the users that should have sudo are in a group called "linux_admin" in active directory):
%DOMAIN\\linux_admin ALL=(ALL) ALL
POSIX accounts demand that you have a vaild shell set in the user account. When using LDAP, this is referenced by the attribute loginShell. You need to use PAM and map an appropriate attribute to loginShell in your configuration, or active MS services for UNIX on the DC, which will extend the AD schema to include the needed POSIX attributes.
See http://www.ietf.org/rfc/rfc2307.txt as a reference to RFC2307, which defines this for LDAP.
A simple solution.. pam_krb5+ldap project
A fork of the pam_krb5 PAM module that provides a very easy to use configuration for utilizing linux client authentication against and existing Active directory domain and/or OpenLDAP server.