Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > Perl > Perl Misc > 'nobody' using sudo -- scary!

Reply
Thread Tools

'nobody' using sudo -- scary!

 
 
Johnny
Guest
Posts: n/a
 
      06-26-2008
Hi,

My perl script runs as 'nobody' but it needs to execute some commands
with more privilege (rm /home/username/.forward). I see a lot of
talk about sudo for this type of circumstance ...is that really the
best choice? I've gotten the username/password of the account that
has permission to do what I'd like to do - maybe that's somehow
useful? Making the users home directory world writable seems to
break sendmail, so I don't want to fuss with that. Running perl
scripts as root must be the worst possible choice. Are there any
other methods worth considering? Is allowing 'nobody' to execute
commands as root an excepted practice?

Thanks in advance,
SuchaNewb
 
Reply With Quote
 
 
 
 
Hans Bulvai
Guest
Posts: n/a
 
      06-26-2008
On Thu, 26 Jun 2008 07:47:19 -0700, Johnny wrote:
> Hi,
>
> My perl script runs as 'nobody' but it needs to execute some commands
> with more privilege (rm /home/username/.forward). I see a lot of talk
> about sudo for this type of circumstance ...is that really the best
> choice? I've gotten the username/password of the account that has
> permission to do what I'd like to do - maybe that's somehow useful?
> Making the users home directory world writable seems to break sendmail,
> so I don't want to fuss with that. Running perl scripts as root must
> be the worst possible choice. Are there any other methods worth
> considering? Is allowing 'nobody' to execute commands as root an
> excepted practice?
>
> Thanks in advance,
> SuchaNewb


DO NOT:
1) give 'nobody' any rights, especially not sudo rights.
2) make users homedirs world writeable.
3) run it as root.

create a new user, give it the necessary perms (whether sudo, or
otherwise) and run it as that user. Above, (1) and (2) are the worst
choices you could possibly do. Even (3) is less dangerous than them.



 
Reply With Quote
 
 
 
 
Jens Thoms Toerring
Guest
Posts: n/a
 
      06-26-2008
Johnny <(E-Mail Removed)> wrote:
> My perl script runs as 'nobody' but it needs to execute some commands
> with more privilege (rm /home/username/.forward). I see a lot of
> talk about sudo for this type of circumstance ...is that really the
> best choice? I've gotten the username/password of the account that
> has permission to do what I'd like to do - maybe that's somehow
> useful? Making the users home directory world writable seems to
> break sendmail, so I don't want to fuss with that. Running perl
> scripts as root must be the worst possible choice. Are there any
> other methods worth considering? Is allowing 'nobody' to execute
> commands as root an excepted practice?


I guess this would be better suited for e.g. comp.unix.questions
or maybe comp.os.linux.misc. I guess the worst "solution" would
be to make the users directories world writable. That's simply
stupidness. What I don't see is why a Perl script running as
root when doing root tasks would be bad (especially since Perl
is regarded as the "Swiss army knife" of system admins). It just
might a bit too much effort when a simple shell script line like

for i in `ls -a /home/*/.forward`; do rm $i; done

would do nicely. But then I also don't see why you would want to
delete users .forward files - if you have a really good reason to
do so at least rename them to something else instead of deleting
them completely.
Regards, Jens
--
\ Jens Thoms Toerring ___ http://www.velocityreviews.com/forums/(E-Mail Removed)
\__________________________ http://toerring.de
 
Reply With Quote
 
RedGrittyBrick
Guest
Posts: n/a
 
      06-26-2008
Jens Thoms Toerring wrote:
>
> for i in `ls -a /home/*/.forward`; do rm $i; done
>


Isn't that the same as
rm home/*/.forward


I'd use the -i option.

--
RGB
 
Reply With Quote
 
Jens Thoms Toerring
Guest
Posts: n/a
 
      06-26-2008
RedGrittyBrick <(E-Mail Removed)> wrote:
> Jens Thoms Toerring wrote:
> >
> > for i in `ls -a /home/*/.forward`; do rm $i; done


> Isn't that the same as
> rm home/*/.forward


Right I also was looking for too complicated a way.

> I'd use the -i option.


Unless you want to run it in a script...

Regards, Jens
--
\ Jens Thoms Toerring ___ (E-Mail Removed)
\__________________________ http://toerring.de
 
Reply With Quote
 
Johnny
Guest
Posts: n/a
 
      06-26-2008
On Jun 26, 9:41 am, (E-Mail Removed) (Jens Thoms Toerring) wrote:
> Johnny <(E-Mail Removed)> wrote:
> > My perl script runs as 'nobody' but it needs to execute some commands
> > with more privilege (rm /home/username/.forward). I see a lot of
> > talk about sudo for this type of circumstance ...is that really the
> > best choice? I've gotten the username/password of the account that
> > has permission to do what I'd like to do - maybe that's somehow
> > useful? Making the users home directory world writable seems to
> > break sendmail, so I don't want to fuss with that. Running perl
> > scripts as root must be the worst possible choice. Are there any
> > other methods worth considering? Is allowing 'nobody' to execute
> > commands as root an excepted practice?

>
> I guess this would be better suited for e.g. comp.unix.questions
> or maybe comp.os.linux.misc. I guess the worst "solution" would
> be to make the users directories world writable. That's simply
> stupidness. What I don't see is why a Perl script running as
> root when doing root tasks would be bad (especially since Perl
> is regarded as the "Swiss army knife" of system admins). It just
> might a bit too much effort when a simple shell script line like
>
> for i in `ls -a /home/*/.forward`; do rm $i; done
>
> would do nicely. But then I also don't see why you would want to
> delete users .forward files - if you have a really good reason to
> do so at least rename them to something else instead of deleting
> them completely.
> Regards, Jens
> --
> \ Jens Thoms Toerring ___ (E-Mail Removed)
> \__________________________ http://toerring.de



Thanks for the comments. My post wasn't as clear as it should have
been. I was trying avoid irrelevant details (but failed). The more
complete story is that I've taken over for a consultant that built a
perl based website. All users supply a username and password.
There's a page that allows users to edit their vacation message and
toggle their away/back status. That part is broken because of the
permissions issue. Currently the code attempts to set the away
message by:

system "/usr/bin/vacation -i";
system "cp -p /home/$remoteuser/vacation.forward /home/$remoteuser/
\.forward";

or to turn off the vacation message:
system "/usr/bin/vacation -i";
system "rm /home/$remoteuser/\.forward";

I haven't done web development before and made the assumption that I'd
have many more cases where 'nobody' wouldn't be sufficient. Based on
that assumption I looked for a method I could use to solve this
problem and again in the future. I confused matters by listing
alternate solutions to this particular problem. I found a lot of
talk about the sudo solution and that left me thinking, "... really?
That can't be the best idea." So then I posted, in a unclear
manner. Here's a second attempt at my question if you still feel
like playing.

Given a perl based web application, running as 'nobody' with a need to
execute some privileged command, what approach is recommended?







 
Reply With Quote
 
Ben Morrow
Guest
Posts: n/a
 
      06-26-2008

Quoth Johnny <(E-Mail Removed)>:
>
> Given a perl based web application, running as 'nobody' with a need to
> execute some privileged command, what approach is recommended?


Stick the details of what to do in a file somewhere, and run a program
out of root's crontab to check the list and perform the commands.
*Obviously* you will need extremely careful checking of the contents of
that list; you will want to write the root command in Perl, and use
taint mode.

Ben

--
Razors pain you / Rivers are damp
Acids stain you / And drugs cause cramp. [Dorothy Parker]
Guns aren't lawful / Nooses give
Gas smells awful / You might as well live. (E-Mail Removed)
 
Reply With Quote
 
RedGrittyBrick
Guest
Posts: n/a
 
      06-27-2008
Ben Morrow wrote:
> Quoth Johnny <(E-Mail Removed)>:
>> Given a perl based web application, running as 'nobody' with a need to
>> execute some privileged command, what approach is recommended?

>
> Stick the details of what to do in a file somewhere, and run a program
> out of root's crontab to check the list and perform the commands.
> *Obviously* you will need extremely careful checking of the contents of
> that list; you will want to write the root command in Perl, and use
> taint mode.
>


That is a nice solution.

A further refinement might be to create a FIFO instead of a file. and
have a root daemon reading the FIFO. That way there'd be no lag between
requesting the change and the change being performed.

man mkfifo

The daemon could be a Perl script started in the usual way at boot-time
(rc files etc).

Ben is right about the need to very very carefully check and sanitise
the input. I'd consider some sort of throttling to ameliorate any DOS
attacks.

--
RGB
 
Reply With Quote
 
Ted Zlatanov
Guest
Posts: n/a
 
      06-27-2008
On Thu, 26 Jun 2008 17:41:02 +0100 RedGrittyBrick <(E-Mail Removed)> wrote:

R> Jens Thoms Toerring wrote:
>>
>> for i in `ls -a /home/*/.forward`; do rm $i; done
>>


R> Isn't that the same as
R> rm home/*/.forward

Thay are both bad solutions when there are enough users to run over the
command line limits. Perl would actually be a decent choice here,
unless you're sure you trust `find' to do the right thing. I would
never remove files from a user directory with any kind of automated
script, personally.

cfengine has specific facilities to do this, and would be my first
recommendation if it's an option. One of the big benefits in this case
is that the policy can be set by the administrator:

'remove $(home)/.forward' (in the cfengine syntax this looks slightly different)

but a cfengine run can actually be triggered by less-privileged users,
even remotely. See http://cfengine.org for further details.

Ted
 
Reply With Quote
 
nntpman68
Guest
Posts: n/a
 
      06-28-2008
This raises an intersting pint )for me at least)

I'm not that used to perl globs:


let's assume I work in a setup where /home/*/.forward expands to > 15000
files.


What would happen if I use follwing statement in perl"


foreach my $file (</home/*/.forward>){
do_something($file);
}

would perl
- iterate through the files
- or would perl first create a list of all the files and then
iterate through them.
- or would it hit a linit and not provide all hits.
- or does it depend on the system perl is running on
?

Just being curious?



Big and Blue wrote:
> RedGrittyBrick wrote:
>> Jens Thoms Toerring wrote:
>>>
>>> for i in `ls -a /home/*/.forward`; do rm $i; done

> . . .
>
> Neither of which would necessarily work if /home were an automount
> point, as "*" won't expand (and if it did, could have > 15000 matches in
> at least one case I know of, which is why you wouldn't want it to expand).
>

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
using gems installed via 'sudo gem install' Piotr S. Ruby 14 01-21-2011 09:21 PM
using net::ssh shell to sudo to another user and execute commands wbsurfver@yahoo.com Ruby 8 09-12-2008 10:02 AM
Re: 'nobody' using sudo -- scary! Elmeri Computer Security 0 06-28-2008 11:56 AM
Using pexpect with 'sudo' dwelch91@gmail.com Python 0 10-17-2006 07:32 PM
Running Python Scripts With 'sudo' Tim Daneliuk Python 2 03-02-2005 09:15 PM



Advertisments