[PHP] Re: php cgi question
Just a quick addition, both the submit/link were very basic, they both worked like this:

    $location = "/cgi-bin/getmailtest.cgi";
    // $location = "getmail.php";
    echo "$location";
    print("Click here to test the cgi\n");
    print("");
    print("press the button to try the cgi as a redirect this way");
    print("");

(that was because I was messing round with differing locations of the cgi, different extensions etc.; it made it easier to set the actual cgi as a variable, that's all)

Eventually, if I can get this to work, it will have to accept a variable as well being passed (the identifier), something like getmailtest.cgi?id=$identifier

Thanks again. Hope someone can help.

David Cook

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] php cgi question
Hi Marco

Thanks for the tips, they were what I was thinking was the problem: that even when the php cgi was owned by the correct user, if it was being called via another web-based script, it would be executed as apache (in this case) rather than the actual owner of the cgi script (vpopmail/vchkpw), the same owner/group as the target file. I had thought that if I used setuid/gid on the cgi script that it would execute as that user rather than apache, though.

I didn't want to waste even more bandwidth by posting the code and all the other details; I had hoped I had provided enough for some educated guesses which may have led me to a solution, or to what details to provide to help in a solution.

As I said, this was the first time I had attempted this precise situation (that of executing a script as another user other than the web server). I can't change the permissions on the getmailrc file, or the getmail program won't read it, a bit of a catch 22 :( it seems.

> Without seeing your code... only one guess: what are the permissions on
> the file like?

The actual php cgi??? It's

    [root@alpha cgi-bin]# ls -lA get*
    -rwxrwxr-x 1 root root 6107 Oct 13 00:44 getmailtest.cgi

but I have messed with it, trying different combos including vpopmail:vchkpw (the target file owner), all set as world executable. The permissions on the getmailrc file (the target file) are in my original post, but to show it again, it is

    -rw-r--r-- 1 vpopmail vchkpw 585 Sep 29 07:16 getmailrc

> When you're running the script from the web server,
> you're running it as the user under which the web server is running
> (usually nobody or apache if you're using Apache on Linux), and this
> causes problems if that particular user doesn't have access to the file.

which is why I thought (stressing thought.. like I said.. I've never tried this approach before) that the setuid/gid may have been the solution, although testing did appear to indicate that it was executed as the web server user when it is accessed via a click or button from the web, ignoring the setuid etc... Like I was saying, I may be trying something that is really tough, but basically I wanted to partition out the part of the process that may have security implications, and just pass a single variable to it, executing it on demand rather than via cron (though it does work via cron.. it's not the best solution in my case.. but may be one I have to look at).

> There are very few solutions to this problem (at least as far as I
> know). One is the suexec module for Apache, that lets you impersonate
> root or another user, but you have to be *extremely* careful with the
> permissions. The other is to change the default permissions of the file
> so that everyone can delete and modify it, but that might not work well
> for your needs. Yet a third one would be to impersonate directly from
> PHP, for example through a call to su, but there are pitfalls there as
> well.

Even though I would reallyyy prefer NOT to go anywhere near su (cause security is my primary focus in splitting out any file system writes to a separate process), how would using su help out??? I haven't done that either so far (have never run into a situation like this before).

Thanks again for the reply... I will keep working on it.. and post back if I get any further.

Regards
David Cook
[PHP] php cgi question
Hi all,

Got a question regarding using php scripts as cgi's. What I am trying to do is this. (ya may need a bit of background, it gets a little complicated... well for me it's complicated)

I'm building a web-based email system using php (duh) as the front end and glue for everything; part of it is using a program called getmail to retrieve remote pop accounts to the virtual accounts on the server (it's all virtual using qmail/vpopmail and courier-imap). The various settings for this are in a file called getmailrc, in the virtual user's home dir (this will also be theoretically relevant when I try and do the same thing with a server side filtering program called maildrop.. but one at a time I reckon :))

ie. /home/vpopmail/domains/some.email.domain/someuser/.getmail/getmailrc

This file is owned specifically by a user/group, otherwise getmail won't work

ie: -rw-r--r-- 1 vpopmail vchkpw 585 Sep 29 07:16 getmailrc

any permissions other than this will tweak getmail's internal security and stop it.

I decided to minimise security problems and use mysql as an intermediary storage for any rules created for getmail, which works fine. :) (yay me.. lol)

NOW comes the problem. I need to write (overwrite) that getmailrc file after the user has finished messing with their settings. To do this I decided that, since the file can only be read/written to by the vpopmail/vchkpw user/group, I would knock up a php script to run as a cgi that would do only one thing: upon a button being pressed to 'finish edit', the new rules would be written to the mysql table, then the cgi would be invoked with a particular identifier so that it could then look up the mysql table (using that identifier so it gets the right rows) and, following some rules inbuilt, write out the getmailrc file with that restrictive permission set.

I wrote up a script that was just for POC, that would get the data for where that file was supposed to be (the /home/vpopmail/etc...etc) and read it, then break out the various details and display it, basically just showing me what was already in the file. (using the shebang method, as my php cgi interpreter is OUTSIDE the web tree, but that's another story of getting the damn thing to work at all... damn RPMs sometimes... that --enable-force-redirect had me stuck for a few days)

When I tested it out from the shell, using ./getmailtest.cgi as root, it worked, in that it did what it was s'posed to.. display the contents of the getmailrc file. This cgi php script is owned by vpopmail/vchkpw which should allow reading the file as said above.

Great, thought I, and proceeded to attempt linking to it from within the editing script, using both an attempt with a 'submit' button and a click-through link.

Now comes the prob: it fails, with an error of being unable to either open the file, or that the file doesn't exist (depending on what I fiddle with in the script).

Would anyone have any ideas as to what may be going wrong here? I haven't tried doing this before, using php as a cgi to do stuff to files on the system, so I am at quite a loss, and any help would be appreciated.

Regards
David Cook
[PHP] Re: php cgi question
Hi again all

Just a bit more info, trying to track some more things down. I made a few changes: changed getmail so that it would allow the getmailrc file to be group writable, made a few changes to the user/group structure (including making apache a member of a specific new group, and then setting that group read/write on the getmailrc file; in theory now, apache should have read/write permissions to the file via the group), and did a bit more testing.

Results: executing the cgi script from the command line still works (in that it displays results), whereas from the web the cgi STILL says that the file doesn't exist (this is via a quick if(file_exists($getmailfile)) etc.. etc..). (least I didn't break anything else) :)

I find this interesting, as the file definitely DOES exist, and further, theoretically the web server should have access via the group permissions. I was a little curious if this may be a behaviour of the apache php module, in that it is incapable of working with files outside docroot? This should not be the case though, as with a number of the other modules I am using, and have written, files get written to temp (while they are being uploaded) and other files are written outside docroot for other purposes, without any real problems so far. This is getting curiouser and curiouser, as Alice said.

Any suggestions or thoughts anyone?

Puzzled.
David Cook
Re: [PHP] Re: php cgi question
hmmm safe mode is disabled - for the apache module version. From phpinfo():

    safe_mode    Off    Off

> Just out of curiosity--have you tried su-ing to the Apache user and
> executing your script as that user?

yep, same result (although I had to change the apache user for a few minutes so it had a shell.. lol) as if I ran it off the web (file does not exist). This still seems to tie into permissions perhaps, but I am having trouble nailing enough data down so far to point to specifics.

I didn't make this server from scratch; it came pre-installed with a lot of the items on it as part of a co-lo deal. The next few I build however will be from the ground up even if it takes longer... and probably without using RPMs for a lot of it... I've learned a fair bit the last 9 months or so about the shortcomings as well as the benefits of using RPMs.

Thanks again for the thoughts, will test out some more stuff (this is just plain getting me determined to work it out... stubborn I s'pose)

Regards
David
Re: [PHP] Re: php cgi question
Okies, FINALLY I think I have the reason (though not the solution as yet).

Marco, you were spot on, which I hadn't pursued properly, only looking at the immediate parent directory permissions. In fact the whole ~vpopmail structure down to the individual user's directory has a VERY restrictive set of permissions: only the owner (vpopmail) can list, read and write to any of the directories leading down to ~vpopmail/domains/some.email.domain/some.user/ etc.. etc... no group permissions at ALL.

I have asked on the vpopmail list what the effect may be of re-setting group list access (at least) to the structure, as I don't want to break anything on a running server... lol... so yep.. permissions it was indeed (apparently anyways). I reckon this is a proven case now, just got to work out the solution, as I can't setuid for a web-enabled cgi to the vpopmail user without getting stuck in suEXEC etc...

I don't know why the heck I hadn't tried just cat'ing the file.. lack of sleep perhaps.. lol

Will let you know how it goes (if you are interested)

Regards, and thanks for all the help
David Cook

"Marco Tabini" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Ok, that's a big step forward then. It's possible that your user does
> not have access to the directory tree where the file resides? Have you
> tried listing that directory and/or opening the file (for example with
> cat) while using that file? If you can narrow it down to a permission
> problem (and, at this point, I think that's exactly where the problem
> is), then it should just be a matter of trying a few things out.
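The failure mode described in this message, a world-readable leaf file sitting behind directories that carry no group or other search bit, can be reproduced without touching a live mail server. The Python below is an added example written for this page; it is not code from the thread, from getmail or from vpopmail. The uids, gids and path are constructed to mirror the layout described above, and the Unix discretionary access check (owner class, else group class, else other; root bypasses read, write and search) is implemented directly so each scenario in the thread can be stepped through.

```python
"""
Model the permission walk a process makes when it opens
/home/vpopmail/domains/<domain>/<user>/.getmail/getmailrc.

Added example for this page; the path, uids and gids are constructed
to match the layout discussed in the thread, not taken from any system.
"""
import os
import stat
from dataclasses import dataclass

R, W, X = 4, 2, 1                       # classic rwx bit values

# Constructed ids (assumption, not from the thread): vpopmail:vchkpw and apache:apache.
VPOPMAIL_UID, VCHKPW_GID = 89, 89
APACHE_UID, APACHE_GID = 48, 48


@dataclass(frozen=True)
class Node:
    path: str
    mode: int        # permission bits only, e.g. 0o700
    uid: int
    gid: int


@dataclass(frozen=True)
class Cred:
    uid: int
    gids: frozenset  # primary plus supplementary groups


def bits_for(node, cred):
    """rwx triplet that applies to cred on node: owner, else group, else other.
    Root bypasses DAC for read, write and directory search; this simplified
    model also grants root execute, which the real kernel ties to an x bit."""
    if cred.uid == 0:
        return R | W | X
    if cred.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in cred.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def can_access(nodes, cred, want):
    """nodes: every component from the top directory down to the target file.
    Each intermediate directory needs search (x); the leaf needs `want`.
    Returns (ok, reason). stat()/open() fail with EACCES at the first
    directory lacking x, which PHP's file_exists() reports as 'missing'."""
    for d in nodes[:-1]:
        if not bits_for(d, cred) & X:
            return False, f"no search (x) permission on {d.path}"
    leaf = nodes[-1]
    if bits_for(leaf, cred) & want != want:
        return False, f"insufficient permission on {leaf.path}"
    return True, "ok"


def getmailrc_tree(dir_mode, file_mode):
    """Constructed tree: /home is root:root 755, everything under ~vpopmail is
    vpopmail:vchkpw with dir_mode, and the rc file has file_mode."""
    nodes = [Node("/home", 0o755, 0, 0)]
    cur = "/home"
    for part in ("vpopmail", "domains", "some.email.domain", "someuser", ".getmail"):
        cur += "/" + part
        nodes.append(Node(cur, dir_mode, VPOPMAIL_UID, VCHKPW_GID))
    nodes.append(Node(cur + "/getmailrc", file_mode, VPOPMAIL_UID, VCHKPW_GID))
    return nodes


def nodes_from_filesystem(path):
    """Build the same Node list for a real path by stat()ing each prefix.
    Run it as root so the walk itself is not blocked; then feed the result
    to can_access() with the web server's credentials to see where it stops."""
    path = os.path.abspath(path)
    nodes, cur = [], ""
    for part in path.split(os.sep)[1:]:
        cur = cur + os.sep + part
        st = os.stat(cur)
        nodes.append(Node(cur, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return nodes


def scenarios():
    """The four situations the thread goes through, in order."""
    root = Cred(0, frozenset({0}))
    apache = Cred(APACHE_UID, frozenset({APACHE_GID}))
    apache_in_vchkpw = Cred(APACHE_UID, frozenset({APACHE_GID, VCHKPW_GID}))
    return {
        "root from the shell, dirs 700, file 644":
            can_access(getmailrc_tree(0o700, 0o644), root, R),
        "apache via the web, dirs 700, file 644":
            can_access(getmailrc_tree(0o700, 0o644), apache, R),
        "apache in vchkpw, file g+w, dirs still 700":
            can_access(getmailrc_tree(0o700, 0o664), apache_in_vchkpw, W),
        "apache in vchkpw, file g+w, dirs g+x (750)":
            can_access(getmailrc_tree(0o750, 0o664), apache_in_vchkpw, W),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:45s} {'OK' if ok else 'DENIED':7s} {why}")
```

The second and third scenarios are the ones that confused the thread: the leaf file is readable (and later group-writable) by apache, yet every attempt stops at /home/vpopmail because stat(2) needs search permission on each directory along the way, and PHP's file_exists() turns that EACCES into a plain "false". Two further points worth keeping in mind when fixing it: the setuid bit on a `#!` script is ignored by the Linux kernel, so chmod u+s on getmailtest.cgi could never have made it run as vpopmail (that is what suEXEC or a setuid binary wrapper is for), and opening the directories with g+x for the vchkpw group, as in the last scenario, grants the web server access to every mailbox under ~vpopmail, not just the one rc file, so the writing script should validate the identifier it is handed before it touches anything.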
[PHP] Re: php cgi question - solved
Well I sorted out the permissions on that directory structure, and the web-based cgi performed as the command-line one did. I haven't had too long to find out if any weird things are going to start happening with the mail apps, but I'm hopeful that this was the solution...

Thanks for all the help Marco (even if it did end up being a umm bit O/T as far as php went... sorry :(

Regards
David Cook

"David Cook" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Hi all,
>
> Got a question regarding using php scripts as cgi's.
>
> What I am trying to do is this. (ya may need a bit of background, it gets a
> little complicated... well for me it's complicated)
>
> I'm building a web-based email system using php (duh) as the front end and
> glue for everything; part of it is using a program called getmail to
> retrieve remote pop accounts to the virtual accounts on the server (it's all
> virtual using qmail/vpopmail and courier-imap). The various settings for
> this are in a file called getmailrc, in the virtual user's home dir (this
> will also be theoretically relevant when I try and do the same thing with a
> server side filtering program called maildrop.. but one at a time I reckon
> :))
>
> ie. /home/vpopmail/domains/some.email.domain/someuser/.getmail/getmailrc
>
> This file is owned specifically by a user/group, otherwise getmail won't work
>
> ie: -rw-r--r-- 1 vpopmail vchkpw 585 Sep 29 07:16 getmailrc
>
> any permissions other than this will tweak getmail's internal security and
> stop it.
>
> I decided to minimise security problems and use mysql as an intermediary
> storage for any rules created for getmail, which works fine. :) (yay me..
> lol)
>
> NOW comes the problem. I need to write (overwrite) that getmailrc file after
> the user has finished messing with their settings. To do this I decided that,
> since the file can only be read/written to by the vpopmail/vchkpw
> user/group, I would knock up a php script to run as a cgi that would
> do only one thing: upon a button being pressed to 'finish edit', the new
> rules would be written to the mysql table, then the cgi would be invoked
> with a particular identifier so that it could then look up the mysql table
> (using that identifier so it gets the right rows) and, following some rules
> inbuilt, write out the getmailrc file with that restrictive permission set.
>
> I wrote up a script that was just for POC, that would get the data for where
> that file was supposed to be (the /home/vpopmail/etc...etc) and read it,
> then break out the various details and display it, basically just showing me
> what was already in the file. (using the shebang method, as my php cgi
> interpreter is OUTSIDE the web tree, but that's another story of getting the
> damn thing to work at all... damn RPMs sometimes...
> that --enable-force-redirect had me stuck for a few days)
>
> When I tested it out from the shell, using ./getmailtest.cgi as root, it
> worked, in that it did what it was s'posed to.. display the contents of the
> getmailrc file. This cgi php script is owned by vpopmail/vchkpw which should
> allow reading the file as said above.
>
> Great, thought I, and proceeded to attempt linking to it from within the
> editing script, using both an attempt with a 'submit' button and a click-
> through link.
>
> Now comes the prob: it fails, with an error of being unable to either open
> the file, or that the file doesn't exist (depending on what I fiddle with in
> the script).
>
> Would anyone have any ideas as to what may be going wrong here? I haven't
> tried doing this before, using php as a cgi to do stuff to files on the
> system, so I am at quite a loss, and any help would be appreciated.
>
> Regards
>
> David Cook