I had exactly this problem. I wanted scripts run by apache to do root-only
things like reconfiguring network interfaces in response to a CGI script.
I wrote a short program called sudo. Compile it, put it in /usr/local/bin or
wherever and chmod 4555 it. Then you can run things like /usr/local/bin/sudo
reboot or whatever.
It's a security hole you could drive a bus through, but it's my system and I'll
do what I like! It also doesn't check for buffer overruns. See previous
sentence.
--CODE
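#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <string.h>
#include <unistd.h>   /* getuid(), geteuid(), getegid(), setuid(), setgid() */

int main (int argc, const char * argv[]) {
    char buf[200];   /* fixed size; the strcat() calls below are not bounds-checked */
    int i;

    // printf("UID %d EUID %d\n", getuid(), geteuid());
    /* When installed setuid/setgid root, make the real IDs root as well. */
    if (geteuid() == 0) setuid(0);
    if (getegid() == 0) setgid(0);
    // printf("UID %d EUID %d\n", getuid(), geteuid());

    /* Join all arguments into one space-separated command line. */
    buf[0] = 0;
    for (i = 1; i < argc; i++) {
        strcat(buf, argv[i]);
        strcat(buf, " ");
    }
    if (argc > 1) {
        buf[strlen(buf) - 1] = 0;   /* drop the trailing space */
        system(buf);                /* run the command line through the shell as root */
    }
    return 0;
}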
--CODE
--- In "Ian" <> wrote:
>
> This is officially driving me nuts!
>
>
> with the busybox su logged in as nobody:
>
> $ su -c ls nobody
> su: This applet requires root priviledges!
>
> So - I can only do su -c as root. Ok I thought - I'll detect who's running
> the /etc/init.d script. Unfortunately - when a process is started via init -
> $USER is empty (no shell, no environment I guess)
>
> Also unfortunately - when apache cgi shell script runs /etc/init.d script -
> $USER is also empty.
>
> Still stuck with my original problem ...
>
>
> --- In "Ian" <colecian@> wrote:
> >
> > Hi Jim,
> >
> > excellent advice. su is indeed present.
> >
> > I had to change /etc/passwd to give 'nobody' a shell.
> >
> > then
> >
> > su - c "some command" nobody
> >
> > worked. And the web interface stops it ok.
> >
> > Thanks for your help.
> >
> > Ian
> >
> > --- In Jim Jackson <jj@> wrote:
> > >
> > >
> > >
> > >
> > > On Wed, 24 Feb 2010, Ian wrote:
> > >
> > > > Hi,
> > > >
> > > > I have an app that's started via /etc/init.d on tsLinux from the
> > > > embedded flash
> > > >
> > > > I also have a web interface to start/stop this process. But after a
> > > > reboot the apache 'nobody' user can't kill the process as it's been
> > > > started by root.
> > > >
> > > > Once stopped by root, the web interface works as expected.
> > > >
> > > > I thought about putting sudo onto the tsLinux but it looks a bit heavy
> > > > resource wise - and my initial hacks left it failing to do a reverse
> > > > lookup and with pam broken.
> > >
> > > Isn't "su" on the TSlinux image? Make your init.d script use this to
> > > start your app running as user nobody and then your apache app will be
> > > able to kill it.
> > >
> > > >
> > > > Does anyone have a solution to this?
> > > >
> > > > Thanks,
> > > >
> > > > Ian
> > > >
> > > >
> > >
> >
>
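
A narrower alternative to the wrapper posted at the top of this message, as an added example that is not part of the original thread: the caller passes a single action name, which is matched exactly against a fixed table and run with execve(), so no shell parses caller input, no command buffer is built, and the CGI environment is not inherited. The action names and binary paths are assumptions for illustration.

```c
/* Added example: allowlisted setuid helper. Action names and paths are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct action {
    const char *name;       /* the only value the caller supplies */
    char *const argv[4];    /* fixed argument vector, never built from input */
};

/* Assumed actions; adjust the paths for the target image. */
static const struct action ACTIONS[] = {
    { "reboot",    { "/sbin/reboot", NULL } },
    { "eth0-up",   { "/sbin/ifconfig", "eth0", "up", NULL } },
    { "eth0-down", { "/sbin/ifconfig", "eth0", "down", NULL } },
};

/* Exact-match lookup; returns NULL for anything not in the table. */
const struct action *find_action(const char *name)
{
    size_t i;
    if (name == NULL) return NULL;
    for (i = 0; i < sizeof ACTIONS / sizeof ACTIONS[0]; i++)
        if (strcmp(name, ACTIONS[i].name) == 0)
            return &ACTIONS[i];
    return NULL;
}

int main(int argc, char *argv[])
{
    /* Fixed environment: PATH, IFS, LD_* from the CGI caller are dropped. */
    static char *const clean_env[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };
    const struct action *a;

    if (argc != 2 || (a = find_action(argv[1])) == NULL) {
        fprintf(stderr, "usage: %s <action>\n", argv[0]);
        return 2;
    }
    /* Set gid before uid, and fail closed if either call fails. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    execve(a->argv[0], a->argv, clean_env);   /* no shell, no parsing */
    perror("execve");
    return 1;
}
```

Installed setuid root like the original, this accepts only the listed action names; anything else, including extra arguments or shell metacharacters, exits with status 2 before any privilege change.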