Running scripts from Perl CGI programs with root permissions


Question

I have a Perl CGI that is supposed to allow a user to select some files from a filesystem, and then send them via Rsync to a remote server. All of the HTML is generated by the Perl script, and I am using query strings and temp files to give the illusion of a stateful transaction. The Rsync part is a separate shell script that is called with the filename as an argument (the script also sends emails and a bunch of other stuff, which is why I haven't just moved it into the Perl script). I wanted to use sudo without a password, and I set up sudoers to allow the apache user to run the script without a password and disabled requiretty, but I still get errors in the log about no tty. I then tried using su -c scriptname, but that is failing as well.

TL;DR: Is it awful practice to use a Perl CGI script to call a Bash script via sudo, and how are you handling privilege escalation for Perl CGI scripts? Perl 5.10 on a Linux 2.6 kernel.

Relevant Code: (LFILE is a file containing the indexes for the array of all files in the filesystem)

elsif ( $ENV{QUERY_STRING} =~ 'yes' ) {
      # Note: su -c takes exactly one command argument; a trailing word is
      # parsed by su as the target user name, not passed on to the script.
      my @CMDLINE = qw(/bin/su -c /bin/scriptname.sh);
      print $q->start_html;
      open('TFILE', '<', "/tmp/LFILE") or die "Cannot open /tmp/LFILE: $!";
      print '<ul>';
      foreach (<TFILE>) {
         $FILES[$_] =~ s/\/.*\///g;      # strip the directory part, keep the base name
         print "Running command @CMDLINE $FILES[$_]";
         print $q->h1("Sending File: $FILES[$_]");
         `@CMDLINE $FILES[$_]` or print $q->h1("Problem: $?");
      }
      close('TFILE');
      print '</ul>';
}


Answer

However you end up doing this, you have to be careful. You want to minimise the chance of a privilege escalation attack. Bearing that in mind...

sudo is not the only way that a user (or process) can execute code with increased privileges. For this sort of application, I would make use of a program with the setuid bit set.


  1. Write a program which can be run by an appropriately-privileged user (root, in this case, although see the warning below) to carry out the actions which require that privilege. (This may be the script you already have, and refer to in the question.) Make this program as simple as possible, and spend some time making sure it is well-written and appropriately secure.

  2. Set the "setuid bit" on the program by doing something like:

chmod a+x,u+s transfer_file

This means that anyone can execute the program, but that it runs with the privileges of the owner of the program, not just the user of the program.

  3. Call the (privileged) transfer program from the existing (non-privileged) CGI script.

Now, in order to keep required privileges as low as possible, I would strongly avoid carrying out the transfer as root. Instead, create a separate user who has the necessary privileges to do the file transfer, but no more, and make this user the owner of the setuid program. This way, even if the program is open to being exploited, the exploiter can use this user's privileges, not root's.

There are some important "gotchas" in setting up something like this. If you have trouble, ask again on this site.

