[nycphp-talk] SSH2_CONNECT

Michele Waldman mmwaldman at nyc.rr.com
Fri Jul 31 20:49:37 EDT 2009


Thank you.

Michele

> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
> On Behalf Of CED
> Sent: Friday, July 31, 2009 8:39 PM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] SSH2_CONNECT
> 
> 
> I'll take the bait...
> 
> No, you most certainly shouldn't do this at all. Adjusting the defaults
> to sudoers is a big no no.
> 
> Whatever it is you are doing, the need to become root is far different
> than Ken's example of becoming Ken.
> 
> The reason that you can't make this work properly has everything to do
> with 'REAL' tty sessions, which you aren't going to have.
> 
> Root cannot be allowed to be running around without a properly bound
> TTY; for various Auditing reasons.
> 
> However, in the spirit of this list:
> 
> Defaults:root !requiretty
> Defaults:nobody !requiretty
> 
> Play VERY carefully.
> 
> -Ed
> 
> 
> Kenneth Dombrowski wrote:
> > On 09-07-30 17:05 -0400, Ajai Khattri wrote:
> >
> >> Most probably your PHP script will be running under the same username as
> >> Apache (i.e. www or nobody) so sudo wouldn't work anyway. (And you
> >> wouldn't want to give www or nobody sudo privilege anyway!).
> >>
> >
> > All this talk about sudo not working made me curious -- why shouldn't it
> > work?  It will, and a well configured sudo offers a very fine level of
> > control -- though whether one wants to do it is another question
> >
> > # visudo
> > Defaults:www-data       !lecture
> > Defaults:www-data       !authenticate
> > www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache
> >
> > The first two lines get rid of sudo's usual prompts, since it will never
> > run interactively, & the last specifies a single command + argument
> > www-data is allowed to run as kenneth (you can use shell-style globs)
> >
> > # sudo.php
> > <?php
> > header('Content-type: text/plain');
> > $f = '/tmp/sudoer.apache';
> > system("sudo -u kenneth /usr/bin/touch $f");
> > print "\n$f exists? " . (bool) file_exists($f);
> >
> > kenneth at gilgamesh:~$ elinks --dump http://localhost/tmp/sudo.php
> >    /tmp/sudoer.apache exists? 1
> > kenneth at gilgamesh:~$ ls -l /tmp/sudoer.apache
> > -rw-r--r-- 1 kenneth kenneth 0 2009-07-30 19:52 /tmp/sudoer.apache
> >
> > So on Debian, www-data successfully created a file as kenneth.  On FreeBSD
> > I think www/nobody/whatever has a /bin/false shell, so there it won't
> > work.  Of course, you shouldn't do it on shared hosts, and I'm sure
> > somebody will tell me you shouldn't do it at all, but it's not due to a
> > technical limitation
> >
> >
> > _______________________________________________
> > New York PHP User Group Community Talk Mailing List
> > http://lists.nyphp.org/mailman/listinfo/talk
> >
> > http://www.nyphp.org/show_participation.php
> >
> >
> >
> >
> 
> 
> --
> 995 Maple Hill Road
> Castleton, New York 12033
> 518-331-5061
> Consult at CovenanteDesign.com
> 
> 
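As an added example (not code from this thread), here is a small Python audit that flags the sudoers patterns Ed and Ken discuss: `!requiretty` (root running without a bound tty), `!authenticate` (passwordless sudo, which is only tolerable when the matching rule is a single fixed command), and web-server users granted root or an unrestricted command spec. The sample sudoers text is constructed from the two snippets quoted above plus one deliberately over-broad line; the list of web-server user names is an assumption.

```python
import re

# Constructed sample: the two sudoers snippets from the thread plus one
# deliberately over-broad rule so the audit has something to flag.
SAMPLE_SUDOERS = """\
Defaults:root !requiretty
Defaults:nobody !requiretty
Defaults:www-data !lecture
Defaults:www-data !authenticate
www-data ALL = (kenneth) /usr/bin/touch /tmp/sudoer.apache
www-data ALL = (root) NOPASSWD: ALL
"""

WEB_USERS = {"www-data", "www", "nobody", "apache"}  # assumed web-server accounts
DEFAULTS_RE = re.compile(r"^Defaults:(\S+)\s+(.+)$")
# user  host = (runas) command   -- the runas group is optional
RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")


def audit_sudoers(text):
    """Return (line_no, message) findings for risky entries in sudoers text."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            user, flags = m.group(1), set(m.group(2).split())
            if "!requiretty" in flags:
                findings.append((n, f"{user} may run sudo without a controlling tty"))
            if "!authenticate" in flags:
                findings.append((n, f"{user} runs sudo without a password; rule must be narrow"))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, runas, cmd = m.group(1), (m.group(2) or "root"), m.group(3)
        cmd = re.sub(r"^(?:\w+:\s*)+", "", cmd).strip()  # strip NOPASSWD:/SETENV: tags
        if user in WEB_USERS and runas in ("root", "ALL"):
            findings.append((n, f"{user} may run commands as root"))
        if cmd == "ALL" or "*" in cmd:
            findings.append((n, f"{user}: command spec '{cmd}' is not a single fixed command"))
    return findings


if __name__ == "__main__":
    for line_no, msg in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {line_no}: {msg}")
```

Ken's narrow rule (line 5) produces no finding on its own; the `!authenticate` default that makes it usable from a web script is still reported so a reviewer sees it next to the rule it enables.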



