Post by thread:[OT]: Linux Help

Was wondering if someone here would be able to help me with something. I have a script on a linux machine that runs a program that accesses the parallel port. It seems that I can only access the port as root. The problem is I'd like to run the script as apache (in the cgi-bin). I've tried setuid but that fails. Anyone know how I might open up hardware access to user apache? Or how to get apache to run the script AS root? Thanks, TTYL -- http://www.piclist.com hint: The list server can filter out subtopics (like ads or off topics) for you. See http://www.piclist.com/#topics

On Fri, 2004-01-09 at 15:37, Herbert Graf wrote: > Was wondering if someone here would be able to help me with something. > > I have a script on a linux machine that runs a program that accesses the > parallel port. It seems that I can only access the port as root. The problem > is I'd like to run the script as apache (in the cgi-bin). > > I've tried setuid but that fails. Anyone know how I might open up hardware > access to user apache? Or how to get apache to run the script AS root? > > Thanks, TTYL Use sudo. Edit /etc/sudoers and include something like this; apache ALL = NOPASSWD: <full path to script including options> Read the man page for sudoers. The decode goes something liek this, apache The user to whom this entry aplies ALL The machines on which the user may run the command NOPASSWD: Do not require the user to enter their password <...> The command the user may run as root HTH Rob -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

{Quote hidden}> On Fri, 2004-01-09 at 15:37, Herbert Graf wrote: > > Was wondering if someone here would be able to help me with something. > > > > I have a script on a linux machine that runs a program that accesses the > > parallel port. It seems that I can only access the port as > root. The problem > > is I'd like to run the script as apache (in the cgi-bin). > > > > I've tried setuid but that fails. Anyone know how I might open > up hardware > > access to user apache? Or how to get apache to run the script AS root? > > > > Thanks, TTYL > > Use sudo. Edit /etc/sudoers and include something like this; > > apache ALL = NOPASSWD: <full path to script including options> > > Read the man page for sudoers. The decode goes something liek this, > > apache The user to whom this entry aplies > ALL The machines on which the user may run the command > NOPASSWD: Do not require the user to enter their password > <...> The command the user may run as root I looked into sudo, it doesn't appear to be an option, unless you can think of a way to have apache use it when calling a script? I want to access a URL that calls the script, the script returns image data. Thanks, TTYL ---------------------------------- Herbert's PIC Stuff: http://repatch.dyndns.org:8383/pic_stuff/ -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

On Fri, 2004-01-09 at 18:35, Herbert Graf wrote: {Quote hidden}> > On Fri, 2004-01-09 at 15:37, Herbert Graf wrote: > > > Was wondering if someone here would be able to help me with something. > > > > > > I have a script on a linux machine that runs a program that accesses the > > > parallel port. It seems that I can only access the port as > > root. The problem > > > is I'd like to run the script as apache (in the cgi-bin). > > > > > > I've tried setuid but that fails. Anyone know how I might open > > up hardware > > > access to user apache? Or how to get apache to run the script AS root? > > > > > > Thanks, TTYL > > > > Use sudo. Edit /etc/sudoers and include something like this; > > > > apache ALL = NOPASSWD: <full path to script including options> > > > > Read the man page for sudoers. The decode goes something liek this, > > > > apache The user to whom this entry aplies > > ALL The machines on which the user may run the command > > NOPASSWD: Do not require the user to enter their password > > <...> The command the user may run as root > > I looked into sudo, it doesn't appear to be an option, unless you can think > of a way to have apache use it when calling a script? I want to access a URL > that calls the script, the script returns image data. Thanks, TTYL Running anything as root is always a bit dicey if you ask me. I'll have a sift around and see what surfaces. Rob -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

On Thu, 8 Jan 2004 21:37:14 -0500 Herbert Graf <spam_OUThgrafTakeThisOuTEMAIL.COM> wrote: > Was wondering if someone here would be able to help me with something. > > I have a script on a linux machine that runs a program that accesses the > parallel port. It seems that I can only access the port as root. The problem > is I'd like to run the script as apache (in the cgi-bin). > > I've tried setuid but that fails. Anyone know how I might open up hardware > access to user apache? Or how to get apache to run the script AS root? Are you sure the script will run without accessing the port? Have you tried commenting out that part and running the script as apache (or whatever uid apache is running as?) Also, if your script runs with a gid the same as /dev/lp* and the mode for /dev/lp* is 660 or better it should work. david -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

What is the device that's hooked up to the parallel port? If it is custom hardware then I guess the right way would be to write a kernel mode driver for it and access it from /dev. You mentioned something about image data. Is it a camera hooked up to the parallel port? Why not have the camera image saved some place on disk and have your script return the image file? Sorry if these are lame suggestions. I haven't touched Linux in a few years now. Have a look at comp.os.linux and comp.os.linux.hardware. This question used to popup there frequently. There is also a mini-HOWTO on IO port access in Linux that may be helpful to you. Shahid {Original Message removed}

On Thursday, Jan 8, 2004, at 21:42 US/Pacific, Rob Stockley wrote: > On Fri, 2004-01-09 at 18:35, Herbert Graf wrote: >>> On Fri, 2004-01-09 at 15:37, Herbert Graf wrote: >>>> Was wondering if someone here would be able to help me with >>>> something. >>>> >>>> I have a script on a linux machine that runs a program that >>>> accesses the >>>> parallel port. It seems that I can only access the port as >>> root. The problem >>>> is I'd like to run the script as apache (in the cgi-bin). >>>> I've heard of a similar problem addressed by simply changing the 'file' protection of /dev/whatever-the-parallel-port-is-called to permit non-root access. Have you tried that? BillW -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

Ok, I'll take a crack at this ... Is the script accessing the parallel port via /dev/lp* or are you running a little binary that does low-level x86 port in/out read/writes? If you are using /dev/lp*, then you can change the permissions to allow anyone to use it: crw-rw---- 1 root lp 6, 0 Apr 11 2002 /dev/lp0 (default on my laptop, redhat 7.2) a "chmod o+rw /dev/lp0" (as root) gives: crw-rw-rw- 1 root lp 6, 0 Apr 11 2002 /dev/lp0 and now anyone can read/write the lp0 port. This may be a security issue; if not, I think this will solve your problem. I went through this with the serial port, which by default users can't open, a hassle since I use it all the time for talking with PICs. If not let me know. I run linux as my desktop but I'm still a realative newbie. Jesse Herbert Graf wrote: {Quote hidden}> Was wondering if someone here would be able to help me with something. > > I have a script on a linux machine that runs a program that accesses the > parallel port. It seems that I can only access the port as root. The problem > is I'd like to run the script as apache (in the cgi-bin). > > I've tried setuid but that fails. Anyone know how I might open up hardware > access to user apache? Or how to get apache to run the script AS root? > > Thanks, TTYL > > -- > http://www.piclist.com hint: The list server can filter out subtopics > (like ads or off topics) for you. See http://www.piclist.com/#topics > > -- "There are 10 kinds of people in the world; those who understand binary and those who don't." -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

> If you are using /dev/lp*, then you can change the permissions to allow > anyone to use it: > > crw-rw---- 1 root lp 6, 0 Apr 11 2002 /dev/lp0 > (default on my laptop, redhat 7.2) > > a "chmod o+rw /dev/lp0" (as root) gives: > crw-rw-rw- 1 root lp 6, 0 Apr 11 2002 /dev/lp0 > > and now anyone can read/write the lp0 port. This may be a security > issue; if not, I think this will solve your problem. If that creates a security issue, you can try chown apache /dev/lp0 That makes Apache own the parallel port, so only Apache (and root) can access it. AFAIK anyway. Greetings, Koen -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

Or you can add the user "apache" to the group "lp". Francisco Koen van Leeuwen wrote: {Quote hidden}>>If you are using /dev/lp*, then you can change the permissions to allow >>anyone to use it: >> >>crw-rw---- 1 root lp 6, 0 Apr 11 2002 /dev/lp0 >>(default on my laptop, redhat 7.2) >> >>a "chmod o+rw /dev/lp0" (as root) gives: >>crw-rw-rw- 1 root lp 6, 0 Apr 11 2002 /dev/lp0 >> >>and now anyone can read/write the lp0 port. This may be a security >>issue; if not, I think this will solve your problem. >> >> > >If that creates a security issue, you can try chown apache /dev/lp0 >That makes Apache own the parallel port, so only Apache (and root) can access >it. > >AFAIK anyway. > >Greetings, >Koen > >-- >http://www.piclist.com hint: The PICList is archived three different >ways. See http://www.piclist.com/#archives for details. > >. > > > -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

On Thu, 8 Jan 2004, Herbert Graf wrote: > I have a script on a linux machine that runs a program that accesses the > parallel port. It seems that I can only access the port as root. The problem > is I'd like to run the script as apache (in the cgi-bin). > > I've tried setuid but that fails. Anyone know how I might open up hardware > access to user apache? Or how to get apache to run the script AS root? Can't you chown the parallel port device? "chown apache:apache /dev/lp0" or something? Cheers, Tim -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

> > I looked into sudo, it doesn't appear to be an option, > unless you can think > > of a way to have apache use it when calling a script? I want to > access a URL > > that calls the script, the script returns image data. Thanks, TTYL > > Running anything as root is always a bit dicey if you ask me. I'll have > a sift around and see what surfaces. Agreed, especially a script apache is running. So if you know how to give access to IO port 0x378 to all users that would also be fine. Thanks, TTYL ---------------------------------- Herbert's PIC Stuff: http://repatch.dyndns.org:8383/pic_stuff/ -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

> Are you sure the script will run without accessing the port? > Have you tried commenting out that part and running the script as > apache (or whatever uid apache is running as?) Also, if your > script runs with a gid the same as /dev/lp* and the mode for > /dev/lp* is 660 or better it should work. The script is working fine since apache returns the right content string and if I take out the call the to the program that accesses the port everything works out fine. As for the program, I didn't write it so I don't know how it accesses the port, I believe it is doing it directly (it's not accessing a printer). All I know is if I run the program as root everything is fine, if I run it as apache I get an "access to port=0x378 denied", or something like that. Thanks, TTYL ---------------------------------- Herbert's PIC Stuff: http://repatch.dyndns.org:8383/pic_stuff/ -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

> What is the device that's hooked up to the parallel port? If it is > custom hardware then I guess the right way would be to write a kernel > mode driver for it and access it from /dev. It's a parallel port web cam, I didn't write the program, therefore I can't write a device driver. > You mentioned something about image data. Is it a camera hooked up to > the parallel port? Why not have the camera image saved some place on > disk and have your script return the image file? Because it still has to run as root, which is what I'm asking about. ---------------------------------- Herbert's PIC Stuff: http://repatch.dyndns.org:8383/pic_stuff/ -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

> >>>> I have a script on a linux machine that runs a program that > >>>> accesses the > >>>> parallel port. It seems that I can only access the port as > >>> root. The problem > >>>> is I'd like to run the script as apache (in the cgi-bin). > >>>> > > I've heard of a similar problem addressed by simply changing the 'file' > protection of /dev/whatever-the-parallel-port-is-called to permit > non-root access. Have you tried that? I changed the access to lp0 (and an entry called parport0) to xwr for all users, still the same problem. I believe this is the case since the program isn't accessing the port through the lp0 mechanism. Thanks, TTYL ---------------------------------- Herbert's PIC Stuff: http://repatch.dyndns.org:8383/pic_stuff/ -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

> On Thu, 8 Jan 2004, Herbert Graf wrote: > > I have a script on a linux machine that runs a program that accesses the > > parallel port. It seems that I can only access the port as > root. The problem > > is I'd like to run the script as apache (in the cgi-bin). > > > > I've tried setuid but that fails. Anyone know how I might open > up hardware > > access to user apache? Or how to get apache to run the script AS root? > > Can't you chown the parallel port device? "chown apache:apache /dev/lp0" > or something? It's acessing the port directly. Thanks, TTYL ---------------------------------- Herbert's PIC Stuff: http://repatch.dyndns.org:8383/pic_stuff/ -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

> Suid works here. Make the program root.root 4510 and have it touch a file > in /tmp. This will tell you what permissions it runs under. > > Peter I have the following set: -rwsr-xr-x 1 root root 239 Jan 8 21:05 test.pl and get the following when I run as another user: # ./test.pl Can't do setuid Thanks, TTYL ---------------------------------- Herbert's PIC Stuff: http://repatch.dyndns.org:8383/pic_stuff/ -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

Linux does not honor suid shell scripts for security reasons: http://lists.debian.org/debian-security/2000/debian-security-200006/msg00025.html I ran into this awhile ago. I wrote a little binary that's suid root to run some scripts I have that must run as root. I don't know the situation for perl. Jesse Herbert Graf wrote: {Quote hidden}>>Suid works here. Make the program root.root 4510 and have it touch a file >>in /tmp. This will tell you what permissions it runs under. >> >>Peter > > > I have the following set: > -rwsr-xr-x 1 root root 239 Jan 8 21:05 test.pl > > and get the following when I run as another user: > # ./test.pl > Can't do setuid > > Thanks, TTYL > > ---------------------------------- > Herbert's PIC Stuff: > http://repatch.dyndns.org:8383/pic_stuff/ > > -- > http://www.piclist.com hint: The PICList is archived three different > ways. See http://www.piclist.com/#archives for details. > > -- "There are 10 kinds of people in the world; those who understand binary and those who don't." -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

The call to give permissions to non-root programs for a range of i/o ports is: ioperm() As in, ioperm(0x378,3,1) (from root) to "open" the SPP. I use it in a binary to open the parallel port (for streaming data to an LED sign) in an embedded linux system. The executable is suid root, and it drops root privileges right after this call. According to the manpage, ioperm() settings are inherited to processes started with exec(), so you could have a setuid binary that calls ioperm() and then exec()s your perl script. That perl script should be able to use the parallel port. Let me know how it works out. Jesse Herbert Graf wrote: {Quote hidden}>>Are you sure the script will run without accessing the port? >>Have you tried commenting out that part and running the script as >>apache (or whatever uid apache is running as?) Also, if your >>script runs with a gid the same as /dev/lp* and the mode for >>/dev/lp* is 660 or better it should work. > > > The script is working fine since apache returns the right content string > and if I take out the call the to the program that accesses the port > everything works out fine. > > As for the program, I didn't write it so I don't know how it accesses the > port, I believe it is doing it directly (it's not accessing a printer). All > I know is if I run the program as root everything is fine, if I run it as > apache I get an "access to port=0x378 denied", or something like that. > Thanks, TTYL > > ---------------------------------- > Herbert's PIC Stuff: > http://repatch.dyndns.org:8383/pic_stuff/ > > -- -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

On Fri, Jan 09, 2004 at 10:17:54AM -0500, Herbert Graf wrote: > > What is the device that's hooked up to the parallel port? If it is > > custom hardware then I guess the right way would be to write a kernel > > mode driver for it and access it from /dev. > > It's a parallel port web cam, > I didn't write the program, > therefore I can't write a device driver. OK. All of this is helpful. I presume that all of this works when you run from the command line right? > > > You mentioned something about image data. Is it a camera hooked up to > > the parallel port? Why not have the camera image saved some place on > > disk and have your script return the image file? > > Because it still has to run as root, which is what I'm asking about. The problem as others have pointed out is that the ioperm calls for direct port access requires root access. One techique that I've used in the past is to write a local network deamon that does the work then have the script call the deamon using netpipes. Since the daemon runs as root, it should have no problem picking up the camera. Another way to simplify this process is to have a deamonized script that simply snaps a current image over a certain interval. The your apache CGI can pick up whatever the last image snapped was. It should be no problem even if it's 15 seconds slow. Hope this helps, BAJ -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

On Fri, Jan 09, 2004 at 10:26:32AM -0500, Herbert Graf wrote: > > On Thu, 8 Jan 2004, Herbert Graf wrote: > > > I have a script on a linux machine that runs a program that accesses the > > > parallel port. It seems that I can only access the port as > > root. The problem > > > is I'd like to run the script as apache (in the cgi-bin). > > > > > > I've tried setuid but that fails. Anyone know how I might open > > up hardware > > > access to user apache? Or how to get apache to run the script AS root? > > > > Can't you chown the parallel port device? "chown apache:apache /dev/lp0" > > or something? > > It's acessing the port directly. Thanks, TTYL To clarify, it's using the ioperm call to facilitate access. This mechanism doesn't use the driver associated with /dev/lpX, so the permissions on that port. Take a read here for more details: http://www.tldp.org/HOWTO/IO-Port-Programming-2.html BAJ -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

On Fri, Jan 09, 2004 at 10:28:41AM -0500, Herbert Graf wrote: > > Suid works here. Make the program root.root 4510 and have it touch a file > > in /tmp. This will tell you what permissions it runs under. > > > > Peter > > I have the following set: > -rwsr-xr-x 1 root root 239 Jan 8 21:05 test.pl > > and get the following when I run as another user: > # ./test.pl > Can't do setuid Perl is special because it doesn't run natively, but is run by the perl interpreter, which doesn't have the suid bit set. If it's a perl script you wish to run, take a look around for suidperl or perl-suid, which allows you to perform those tasks. So is the webcam program written in perl? BAJ -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

On Fri, Jan 09, 2004 at 10:22:46AM -0500, Herbert Graf wrote: > > >>>> I have a script on a linux machine that runs a program that > > >>>> accesses the > > >>>> parallel port. It seems that I can only access the port as > > >>> root. The problem > > >>>> is I'd like to run the script as apache (in the cgi-bin). > > >>>> > > > > I've heard of a similar problem addressed by simply changing the 'file' > > protection of /dev/whatever-the-parallel-port-is-called to permit > > non-root access. Have you tried that? > > I changed the access to lp0 (and an entry called parport0) to xwr for all > users, still the same problem. I believe this is the case since the program > isn't accessing the port through the lp0 mechanism. Thanks, TTYL Correct. This is a classic ioperm issue. And it makes sense because one does not want random non root programs to have direct I/O port access. The way this is typically done is: 1) Write a suid wrapper in C that opens the ports, then drops the execution back to the ordinary user. 2) Then have the wrapper call the original program using exec. Since it replaces the same process, and that process has ioperm permissions, then resulting program can then access the ioports. Note that non of this works with scripts, because scripts are interpreted by other programs. So you'll have to pay close attention if this is a Perl, Python, or shell script. Your exec will have to involk the interpreter directly. It's not easy on purpose. Direct I/O port access is a violation of modern OS boundaries. SUID can create security holes big enough to drive a truck through. Hope this helps, BAJ -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

> > It's a parallel port web cam, > > I didn't write the program, > > therefore I can't write a device driver. > > OK. All of this is helpful. I presume that all of this works when you run > from the command line right? Yes. > Another way to simplify this process is to have a deamonized script that > simply snaps a current image over a certain interval. The your apache CGI > can pick up whatever the last image snapped was. It should be no problem > even if it's 15 seconds slow. That's not an option for the app in question. Thanks anyways. TTYL ---------------------------------- Herbert's PIC Stuff: http://repatch.dyndns.org:8383/pic_stuff/ -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

On Fri, Jan 09, 2004 at 02:47:38PM -0500, Herbert Graf wrote: > > > It's a parallel port web cam, > > > I didn't write the program, > > > therefore I can't write a device driver. > > > > OK. All of this is helpful. I presume that all of this works when you run > > from the command line right? > > Yes. > > > Another way to simplify this process is to have a deamonized script that > > simply snaps a current image over a certain interval. The your apache CGI > > can pick up whatever the last image snapped was. It should be no problem > > even if it's 15 seconds slow. > > That's not an option for the app in question. Thanks anyways. TTYL OK. Then let's get some futher clarification: 1) What type of file is the program that actually accessing the port? Is it an executable or a script? What's its SUID status? 2) What's the CGI? Is it an executable or a script? What is its SUID status? 3) What is the connection between the script and the program that accesses the webcam? 4) What error do you get when you attempt to involk the webcam program from the script. I'd like to help, but I need more information. BAJ -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

> > That's not an option for the app in question. Thanks > anyways. TTYL > > OK. Then let's get some futher clarification: > > 1) What type of file is the program that actually accessing the > port? Is it > an executable or a script? What's its SUID status? It's an executable. It's suid is set, it's owned by root:root and allows all to execute. > 2) What's the CGI? Is it an executable or a script? What is its > SUID status? It's a perl script, it has it's SUID bit set and is owned by root:root. > 3) What is the connection between the script and the program that > accesses the > webcam? I checks a few files, runs the capture program, runs another program that transforms the image based on some settings and outputs the result. The script returns content type jpg and spits out the jpg data. It works as root, and it works if I change it to work on output saved from before. > 4) What error do you get when you attempt to involk the webcam > program from > the script port = 0x378: access denied, or something like that. > I'd like to help, but I need more information. Thanks, TTYL ---------------------------------- Herbert's PIC Stuff: http://repatch.dyndns.org:8383/pic_stuff/ -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

James Newton, webhost wrote: RE: [OT:] New Years Resolution - Colon on inside of [..] > > the FAQ on www.piclist.com/techref/piclist/listfaq.htm > > says to put the colon on the outside of the square bracket. > > What? It looks right to me.... <GRIN> I just edited it. Now I have to > remember how to replace that welcome message. Herbert Graf, admin wrote: [OT]: Linux Help Help me, please, which version is active now: "Colon on inside of" or "Colon on outside of" ? I wouldn't care at all, but I was told after my New Year post to use colons correctly and now I'm just trying to figure out the way to obey rules. Mike. -- http://www.piclist.com hint: The PICList is archived three different ways. See http://www.piclist.com/#archives for details.

> I have the following set: > -rwsr-xr-x 1 root root 239 Jan 8 21:05 test.pl > > and get the following when I run as another user: > # ./test.pl > Can't do setuid You can setuid a script but it is useless. You have to setuid the interpreter (perl in this case). This is not such a good idea imho but for trying it out once, you could ... Peter -- http://www.piclist.com#nomail Going offline? Don't AutoReply us! email .....listservKILLspam@spam@mitvma.mit.edu with SET PICList DIGEST in the body

On Fri, Jan 09, 2004 at 04:00:44PM -0500, Herbert Graf wrote: Herbert, I hadn't heard back. Any luck? {Quote hidden}>>> That's not an option for the app in question. Thanks >>anyways. TTYL >> >>OK. Then let's get some futher clarification: >> >>1) What type of file is the program that actually accessing the >>port? Is it >> an executable or a script? What's its SUID status? > > It's an executable. It's suid is set, it's owned by root:root and allows >all to execute. Check. > >>2) What's the CGI? Is it an executable or a script? What is its >>SUID status? > > It's a perl script, it has it's SUID bit set and is owned by root:root. I'm pretty sure that it doesn't matter as we've talked about before. The script is interpreted by an executable that most likely isn't set suid root. > >>3) What is the connection between the script and the program that >>accesses the >> webcam? > > I checks a few files, > runs the capture program, Now here's the interesting part. Since the executable is suid root, and anyone can run it, then when Apache runs this, it should turn suid root and work. Could the problem be where you are running the application? The command line will have a different working directory than when apache runs. > runs another program that >transforms the image based on some settings and outputs the result. The >script returns content type jpg and spits out the jpg data. It works as >root, and it works if I change it to work on output saved from before. So there's something about the actual execution of the executable from the perl script that fails. I'd probably test with a dummy SUID executable that prints the UID, EUID, and working directory to a log file. Test from the command line, and then from your CGI script. The into will probably give you the difference in the two. > >>4) What error do you get when you attempt to involk the webcam >>program from >> the script > > port = 0x378: access denied, or something like that. That sounds like an ioport call from a non root user. Maybe apache is forcing the suid app to not run in suid mode? That would be a good security feature. But I have a couple of scripting apps that are SUID, and they work fine when invoked from Apache. Questions, Questions. BAJ -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

> On Fri, Jan 09, 2004 at 04:00:44PM -0500, Herbert Graf wrote: > > Herbert, > > I hadn't heard back. Any luck? Nope. {Quote hidden}> >>3) What is the connection between the script and the program that > >>accesses the > >> webcam? > > > > I checks a few files, > > runs the capture program, > > Now here's the interesting part. Since the executable is suid > root, and anyone > can run it, then when Apache runs this, it should turn suid root and work. > Could the problem be where you are running the application? The > command line > will have a different working directory than when apache runs. The app, although it's setuid root, always reports permission denied. I changed the source to print out the uid it's running under, and when run as root it reports being run at uid zero, yet when I run it as another user, even though it has the setuid bit set, it reports a uid of 500. I can't figure out why the setuid isn't working. I haven't had much more time to deal with this, however it's a perfect example of why Linux is still slow to catch on, simple things like this can hit experienced people, imagine a user who doesn't know what they are doing? I love Linux, but the patchwork of "getting around" it's built in security is a nightmare. TTYL -- http://www.piclist.com hint: PICList Posts must start with ONE topic: [PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads

Herbert Graf wrote: > > The app, although it's setuid root, always reports permission denied. I > changed the source to print out the uid it's running under, and when run as > root it reports being run at uid zero, yet when I run it as another user, > even though it has the setuid bit set, it reports a uid of 500. I can't > figure out why the setuid isn't working. > Of course, there's the issue of actual UID and effective UID. They're not the same thing. As I recall, setuid only affects effective UID. The actual UID stays the same as the actual user running it. Going from memory here, mind. Don't have my manpages to hand. Of course, setuid on scripts is *not* honoured by the kernel, unless the kernel has been patched. I'd double-check the app, make sure it isn't a script. A running of file on it will double-check that. Secondly, are you sure it isn't relinquishing root privs on you? Try running an strace on it and watch what happens. -- http://www.piclist.com hint: The list server can filter out subtopics (like ads or off topics) for you. See http://www.piclist.com/#topics