Hopefully this is a quickie. I've written a Perl script which
1) I call to initialise - this then schedules another run using the 'at'
command
2) is run by 'at' at the appropriate time to carry out the required task
This works fine under the developer user but when I call it from PHP in my web
server the 2nd part fails and generates the following email.
Subject: Output from your job 17
From: Apache <apache@ringways.co.uk>
To: apache@ringways.co.uk
Date: Today 18:51:00
This account is currently not available.
I have tried creating /etc/at.allow and adding apache. /etc/at.deny is empty.
It still doesn't work. Can anyone suggest what I need to do next please.
Gary
--
Gary Stainburn
Group I.T. Manager
Ringways Garages
http://www.ringways.co.uk
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
06-16-2011, 11:41 PM
Cameron Simpson
'at' command and apache user
On 16Jun2011 18:58, Gary Stainburn <gary.stainburn@ringways.co.uk> wrote:
| Hopefully this is a quickie. I've written a Perl script which
|
| 1) I call to initialise - this then schedules another run using the 'at'
| command
|
| 2) is run by 'at' at the appropriate time to carry out the required task
|
| This works fine under the developer user but when I call it from PHP in my web
| server the 2nd part fails and generates the following email.
|
| Subject: Output from your job 17
| From: Apache <apache@ringways.co.uk>
| To: apache@ringways.co.uk
| Date: Today 18:51:00
|
| This account is currently not available.
|
| I have tried creating /etc/at.allow and adding apache. /etc/at.deny is empty
|
| it still doesn't work. Can anyone suggest what I need to do next please.
Might the account be "locked"? Check out the /etc/shadow file - "!!"
instead of "x" in the crypt field. May as well check the account has a
shell too: /bin/sh instead of /bin/false.
"I wish it need not have happened in my time," said Frodo.
"So do I," said Gandalf, "and so do all who live to see such times. But that
is not for them to decide. All we have to decide is what to do with the time
that is given us."
06-17-2011, 12:40 AM
Rick Stevens
'at' command and apache user
On 06/16/2011 04:41 PM, Cameron Simpson wrote:
> On 16Jun2011 18:58, Gary Stainburn <gary.stainburn@ringways.co.uk> wrote:
> | Hopefully this is a quickie. I've written a Perl script which
> |
> | 1) I call to initialise - this then schedules another run using the 'at'
> | command
> |
> | 2) is run by 'at' at the appropriate time to carry out the required task
> |
> | This works fine under the developer user but when I call it from PHP in my web
> | server the 2nd part fails and generates the following email.
> |
> | Subject: Output from your job 17
> | From: Apache <apache@ringways.co.uk>
> | To: apache@ringways.co.uk
> | Date: Today 18:51:00
> |
> | This account is currently not available.
> |
> | I have tried creating /etc/at.allow and adding apache. /etc/at.deny is empty
> |
> | it still doesn't work. Can anyone suggest what I need to do next please.
>
> Might the account be "locked"? Check out the /etc/shadow file - "!!"
> instead of "x" in the crypt field. May as well check the account has a
> shell too: /bin/sh instead of /bin/false.
Indeed, that's it. The "at" command runs a shell as the user who
submitted the job. User "apache" generally is not a valid login user
(can't run a shell), so the "at" job can't run.
Note that this is also true if you try to do cron jobs for a user that
hasn't got shell access.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, C2 Hosting ricks@nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- You possess a mind not merely twisted, but actually sprained. -
----------------------------------------------------------------------
06-17-2011, 08:24 AM
Gary Stainburn
'at' command and apache user
On Friday 17 June 2011 01:40:18 Rick Stevens wrote:
> On 06/16/2011 04:41 PM, Cameron Simpson wrote:
> > On 16Jun2011 18:58, Gary Stainburn <gary.stainburn@ringways.co.uk> wrote:
> > | Hopefully this is a quickie. I've written a Perl script which
> > |
> > | 1) I call to initialise - this then schedules another run using the
> > | 'at' command
> > |
> > | 2) is run by 'at' at the appropriate time to carry out the required
> > | task
> > |
> > | This works fine under the developer user but when I call it from PHP in
> > | my web server the 2nd part fails and generates the following email.
> > |
> > | Subject: Output from your job 17
> > | From: Apache <apache@ringways.co.uk>
> > | To: apache@ringways.co.uk
> > | Date: Today 18:51:00
> > |
> > | This account is currently not available.
> > |
> > | I have tried creating /etc/at.allow and adding apache. /etc/at.deny is
> > | empty
> > |
> > | it still doesn't work. Can anyone suggest what I need to do next
> > | please.
> >
> > Might the account be "locked"? Check out the /etc/shadow file - "!!"
> > instead of "x" in the crypt field. May as well check the account has a
> > shell too: /bin/sh instead of /bin/false.
>
> Indeed, that's it. The "at" command runs a shell as the user who
> submitted the job. User "apache" generally is not a valid login user
> (can't run a shell), so the "at" job can't run.
>
> Note that this is also true if you try to do cron jobs for a user that
> hasn't got shell access.
Thanks Gents,
Shadow already had !! but passwd had /sbin/nologin
Changed it to /bin/bash and it works great.
Gary
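The checks Cameron and Rick describe (shell field in /etc/passwd, lock marker in /etc/shadow) and the change Gary reports making can be turned into a small audit: list service accounts that have been given a real login shell. The script below is an added example, not code from anyone in the thread; the passwd-format lines in it are constructed sample data, and the UID 1000 boundary for service accounts is an assumption.

```sh
#!/bin/sh
# Added example, not code from the thread: audit passwd-format entries for
# service accounts that have been given a real login shell, which is the change
# Gary made for "apache" and the later replies warn against. The data below is
# constructed sample input, not a real /etc/passwd.

# Constructed sample. The "apache" line mirrors the post-change state in the
# thread (/bin/bash where /sbin/nologin used to be).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
avatar:x:1001:1001:at runner:/home/avatar:/bin/bash
gary:x:1000:1000:Gary:/home/gary:/bin/bash'

# Classify a login-shell field: "none" for the shells that refuse to run
# anything (the at/cron failure mode in the thread), "shell" for anything else.
shell_kind() {
    case "$1" in
        ''|/sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) echo none ;;
        *) echo shell ;;
    esac
}

# Read passwd-format lines on stdin and print "user shell" for each account
# whose UID is below the given threshold (service accounts; 1000 is the usual
# Fedora boundary and is an assumption here) and which still has a real shell.
# Root is skipped because it is expected to have one.
service_accounts_with_shell() {
    min_uid="$1"
    while IFS=: read -r user pw uid gid gecos home shell; do
        if [ -n "$user" ] && [ "$uid" -ne 0 ] && [ "$uid" -lt "$min_uid" ]; then
            if [ "$(shell_kind "$shell")" = shell ]; then
                printf '%s %s\n' "$user" "$shell"
            fi
        fi
    done
    return 0
}

# Run the audit over the constructed sample (on a real host you would feed it
# the output of getent passwd instead).
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | service_accounts_with_shell 1000
}

audit_sample
```

On a live host, `getent passwd | service_accounts_with_shell 1000` gives the same report for real accounts. Note what Gary's own result shows: /etc/shadow already carried `!!` and the job still ran once the shell was changed, so a locked password is not what stops an at or cron job; the shell field is, which is why it is the field worth auditing.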
06-17-2011, 08:32 AM
Ed Greshko
'at' command and apache user
On 06/17/2011 04:24 PM, Gary Stainburn wrote:
> Thanks Gents,
>
> Shadow already had !! but passwd had /sbin/nologin
>
> Changed it to /bin/bash and it works great.
I'm not so sure giving user apache a shell is a good idea.
Depending on the type of web pages you serve you may find there to be a
buffer overflow vulnerability which gives an attacker a shell and allows
them to execute arbitrary commands as "apache".
I smell "danger Will Robinson"!
06-17-2011, 09:50 AM
Gary Stainburn
'at' command and apache user
On Friday 17 June 2011 09:32:59 Ed Greshko wrote:
> Depending on the type of web pages you serve you may find there to be a
> buffer overflow vulnerability which gives an attacker a shell and allows
> them to execute arbitrary commands as "apache".
>
> I smell "danger Will Robinson"!
You do have a valid point, but this is a non-public low-risk server used for
internal admin stuff.
--
Gary Stainburn
Group I.T. Manager
Ringways Garages
http://www.ringways.co.uk
06-17-2011, 11:56 AM
Tim
'at' command and apache user
Ed Greshko:
>> Depending on the type of web pages you serve you may find there to be a
>> buffer overflow vulnerability which gives an attacker a shell and allows
>> them to execute arbitrary commands as "apache".
>>
>> I smell "danger Will Robinson"!
Gary Stainburn:
> You do have a valid point, but this is a non-public low-risk server used for
> internal admin stuff.
Though that may lead to complacency, and someone may find a way to cause
you problems that you hadn't thought of. You are probably far better
finding a way to run your command as some other user, triggered by your
risky apache user.
Generally, risky users are prevented from being able to run things for
good reasons; and you're best not to shred your security blankets for
the sake of convenience, now.
Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.
06-17-2011, 06:12 PM
Robert Cates
'at' command and apache user
On 06/17/2011 01:56 PM, Tim wrote:
> Ed Greshko:
>>> Depending on the type of web pages you serve you may find there to be a
>>> buffer overflow vulnerability which gives an attacker a shell and allows
>>> them to execute arbitrary commands as "apache".
>>>
>>> I smell "danger Will Robinson"!
> Gary Stainburn:
>> You do have a valid point, but this is a non-public low-risk server used for
>> internal admin stuff.
> Though that may lead to complacency, and someone may find a way to cause
> you problems that you hadn't thought of. You are probably far better
> finding a way to run your command as some other user, triggered by your
> risky apache user.
>
> Generally, risky users are prevented from being able to run things for
> good reasons; and you're best not to shred your security blankets for
> the sake of convenience, now.
>
Thank you Ed, thank you Tim! I completely agree. Bad/risky practice
can easily carry over at some point to the danger zone, and I think it's
especially important to stress this view/point on mailing lists not that
somebody later will think this is a solution to their problem,
jeopardizing a productive system.
06-18-2011, 12:16 AM
Rick Stevens
'at' command and apache user
On 06/17/2011 11:12 AM, Robert Cates wrote:
> On 06/17/2011 01:56 PM, Tim wrote:
>> Ed Greshko:
>>>> Depending on the type of web pages you serve you may find there to be a
>>>> buffer overflow vulnerability which gives an attacker a shell and allows
>>>> them to execute arbitrary commands as "apache".
>>>>
>>>> I smell "danger Will Robinson"!
>> Gary Stainburn:
>>> You do have a valid point, but this is a non-public low-risk server used for
>>> internal admin stuff.
>> Though that may lead to complacency, and someone may find a way to cause
>> you problems that you hadn't thought of. You are probably far better
>> finding a way to run your command as some other user, triggered by your
>> risky apache user.
>>
>> Generally, risky users are prevented from being able to run things for
>> good reasons; and you're best not to shred your security blankets for
>> the sake of convenience, now.
>>
>
> Thank you Ed, thank you Tim! I completely agree. Bad/risky practice
> can easily carry over at some point to the danger zone, and I think it's
> especially important to stress this view/point on mailing lists not that
> somebody later will think this is a solution to their problem,
> jeopardizing a productive system.
May I recommend you create some unprivileged user (I use the name
"avatar"), then set up sudo to permit user "apache" to run the "at"
command as user "avatar" without a password? Something like:
# apache may run only /usr/bin/at, only as avatar, without a password
apache ALL = (avatar) NOPASSWD: /usr/bin/at
Then your PHP script could:
exec("sudo -u avatar at blah-blah");
and the at command would run as "avatar". You could set "apache" back
to /bin/nologin and be quite a bit safer.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, C2 Hosting ricks@nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- If you can't beat your computer at chess...try kickboxing! -
----------------------------------------------------------------------
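Rick's sudo arrangement moves the job out of the apache account, but a rule that lets apache run /usr/bin/at itself still lets anything apache can write to at's stdin run as "avatar". A tighter variant points the sudoers rule at a fixed wrapper that accepts only a time and always schedules the same task. The wrapper below is an added example, not Rick's or Gary's code; the script path, the wrapper name and the HH:MM-only time format are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread: a fixed wrapper that a sudoers rule
# can name in place of /usr/bin/at itself. The wrapper takes only an HH:MM time
# and always schedules the same task script, so the web user cannot feed
# arbitrary job text or arguments to at. Paths below are assumptions.

TASK_SCRIPT=/usr/local/lib/webtask/task.pl   # assumed location of the Perl task
AT_BIN=/usr/bin/at

# Accept only a 24-hour HH:MM time; anything else (including shell
# metacharacters passed through from a web request) is rejected.
valid_hhmm() {
    case "$1" in
        [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the at command line that would be run, without running it, so the
# decision can be checked offline. Prints nothing and returns 1 on bad input.
build_at_command() {
    valid_hhmm "$1" || return 1
    printf '%s %s\n' "$AT_BIN" "$1"
}

# Schedule the fixed task. The job text handed to at is generated here and is
# never taken from the caller.
schedule_task() {
    cmd=$(build_at_command "$1") || { echo "usage: ${0##*/} HH:MM" >&2; return 2; }
    printf 'exec %s\n' "$TASK_SCRIPT" | $cmd
}

# Entry point when installed under the assumed name; sourcing the file for
# tests does not trigger it.
case "$0" in
    */schedule-task) schedule_task "$1" ;;
esac
```

With the wrapper installed as, say, /usr/local/sbin/schedule-task (an assumed path), the sudoers line becomes `apache ALL = (avatar) NOPASSWD: /usr/local/sbin/schedule-task`, and the PHP side calls `exec('sudo -u avatar /usr/local/sbin/schedule-task ' . escapeshellarg($time))`. The web user can then choose when the task runs, and nothing else, and "apache" keeps /sbin/nologin as Rick suggests.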