
Re: cgi-bin scripts for ppp dial-up



On Fri, Jun 05, 1998 at 10:37:09AM +0100, Edward Betts wrote:
> hi, I wonder whether anybody can help. i am trying to get my system (half
> bo, half hamm) to dial-up the internet. yes it works, but only by running
> pon as root. i want to have a cgi-script so that all my users on win95 boxes
> can dial-up (this box does ip masq). how?

There are many ways to do this... [read on]
 
> i have the scripts, basically they say connecting, and run pon. no joy, pon
> can not find pppd cause it is in /usr/sbin/ and they are running with a uid
> and gid of www-data. the scripts are owned by root.root so i make them
> setuid, no joy there say error.

A script can NOT be made suid, only binary executables can be made suid.
This is actually a security thing... suid scripts are generally a
security hole and much easier to exploit than most errors in compiled
binaries. It is for this reason that the ability to make scripts
suid is not included...and has not been available for as long as
I have been using linux...probably much longer.


> i tried adding www-data to the dip and dialout groups, again
> no joy :-( i changed the line in the cgi to /usr/sbin/pppd and it found pppd
> but pppd did not have read access to /etc/ppp/peers/provide because it was
> running as www-data. what is the correct way of doing this?

Ok there are a few workarounds here....all depending on how worried you are
about security and esp about your own users.

A) you can make pppd suid root (or sgid dip i would guess).
(not a nice option)

B) try this....
install sudo ...edit the /etc/sudoers file to allow www-data group to run 
pon as root (or as group dip). Then edit your cgi to use sudo to run
it (btw you will need to allow this with no password)
[read the docs on sudo]

As long as you are not worried about your own users trying too hard to subvert 
security, that should work. The main problem would be if THEY could write 
their own CGIs and use them...then they could write a cgi that uses sudo
to run pppd...of course...then they need to be able to do something with that
(they need some way to exploit that ability)

on the whole this solution should work... there are of course other ways...
this is just what I can think of off the top of my head...

NB: be careful...it is very easy to make a mistake editing sudoers.
just last night I made my girlfriend an sudoer to let her run pppd
so she can connect to my isp and use it....I accidentally did it wrong
and gave her full access with no password to any command
(I didn't fix it tho cuz I am not worried about her having that access through
sudo..._)

-Steve
PS what is the cgi written in? is it perl? have you thought of suidperl?
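
An added example, not part of the original message: option B's sudoers rule written narrowly, beside the over-broad form of the slip described in the NB, with a small check that flags any passwordless `ALL` grant. The rule strings, the path `/usr/bin/pon` and the function names `audit_nopasswd` and `check_rule` are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sudoers rules for illustration (not from the original post).

# Over-broad: passwordless root for ANY command, the kind of slip the NB describes.
weak_rule='%www-data ALL = (root) NOPASSWD: ALL'

# Narrow: group www-data may run only pon as root, and the trailing ""
# means "no arguments allowed". /usr/bin/pon is an assumed path.
narrow_rule='%www-data ALL = (root) NOPASSWD: /usr/bin/pon ""'

# Report every rule whose NOPASSWD command list contains a bare ALL.
# Returns 0 if none was found, 1 otherwise. Continuation lines (trailing
# backslash) are not joined and aliases are not expanded.
audit_nopasswd() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        /NOPASSWD:/ {
            cmds = $0
            sub(/.*NOPASSWD:[ \t]*/, "", cmds)  # keep only the command list
            n = split(cmds, list, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", list[i])
                if (list[i] == "ALL") {
                    printf "line %d grants passwordless ALL: %s\n", NR, $0
                    bad = 1
                    break
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Audit a single rule string by writing it to a temporary file first.
check_rule() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "$1" > "$tmp"
    rc=0
    audit_nopasswd "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

check_rule "$weak_rule"   || echo "weak rule rejected"
check_rule "$narrow_rule" && echo "narrow rule accepted"
```

A real rule file can be syntax-checked with `visudo -c -f <file>` before it is installed. The CGI would then call `sudo -n /usr/bin/pon`, so a rule that does not match fails at once instead of waiting for a password.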

