execute sudo via perl script

 
'chris'
Super Advisor

execute sudo via perl script

hi

I've written a perl script using sudo, but it won't work:
---------------------------------------------------------------------------
#!/usr/bin/perl -w

use CGI::Carp qw(fatalsToBrowser);
use CGI;
my $query = new CGI;

# write the log
BEGIN
{
use CGI::Carp qw(carpout);
my $errorlog = "/var/tmp/errorlog.txt";
open(LOG, ">$errorlog") or die("Unable to open $errorlog: $!\n");
print LOG "Errors:\n";
carpout(*LOG);
}

print $query->header;
print "\n";
print "\n";
print "ntop startup script\n";
print "\n";
print "\n";
print "\n";
print "
";
print "


";
print "


";

'sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh stop' or die "cannot execute stop: $!";

sleep(8);

$cc = 'sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh start' or die "cannot execute start: $!";

print "Status: ",$cc,"\n";

print "";
print "";

exit($cc);
---------------------------------------------------------------------------

In errorlog.txt I have following output:

[Sat Jul 23 01:34:17 2005] ntop3.cgi: Found = in conditional, should be == at /usr/local/www/cgi-bin/ntop/ntop3.cgi line 36.
[Sat Jul 23 01:34:22 2005] ntop3.cgi: Argument "sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh start" isn't numeric in exit at /usr/local/www/cgi-bin/ntop/ntop3.cgi line 43.
Errors:

but the script doesn't execute ntop.sh.
Does anyone know how to correct it?
Devender Khatana
Honored Contributor
Solution

Re: execute sudo via perl script

Hi,

I suspect one of these two conditions is not met.

1. Sudo configured without a password is required here.

2. sh is added to your sudoers file rather than sh /usr/local/www/cgi-bin/ntop/ntop.sh start or stop.

I would suggest not using sh and directly executing the command itself, i.e. /usr/local/www/cgi-bin/ntop/ntop.sh

Can you also post what your sudoers file looks like?

What is the output if you run
#sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh stop

HTH,
Devender
Impossible itself mentions "I m possible"
'chris'
Super Advisor

Re: execute sudo via perl script

thanks,

sudoers file looks:
---------------------------------------------------------------------------------------------
# sudoers file.
# User privilege specification
root ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL

# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

%www ALL=(ALL) NOPASSWD: ALL

www ALL = NOPASSWD: /usr/local/www/cgi-bin/ntop/ntop.sh
---------------------------------------------------------------------------------------------

I can only try from the command line as the root user, because
# su www
This account is currently not available.

Perhaps the www user has no home directory and I cannot log in as it.

# sudo -u www /usr/local/www/cgi-bin/ntop/ntop.sh stop
# sudo -u www /usr/local/www/cgi-bin/ntop/ntop.sh start
ntopbsd#

# ps aux | grep ntop
root 27200 0.0 0.2 352 204 p3 R+ 6:37PM 0:00.00 grep ntop

ntop won't start.
Devender Khatana
Honored Contributor

Re: execute sudo via perl script

Hi,

I suspect that the reason for this error is that your user account is not available. www is a default system user with its home directory defined as /. I think if you solve the user account problem first you will be able to get through it.

See the /etc/passwd entry for the www user.

Try deleting the password for the user using
#passwd -d www

or changing the password for the user using
#passwd www

which should enable the account.

HTH,
Devender
Impossible itself mentions "I m possible"
'chris'
Super Advisor

Re: execute sudo via perl script

in /etc/passwd I have following entry:

www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin

should I change to:

www:*:80:80:World Wide Web Owner:/nonexistent

or

www:*:80:80:World Wide Web

'chris'
Super Advisor

Re: execute sudo via perl script

from command line I can stop and start ntop:

# sudo -u www sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh stop

# sudo -u www sudo sh /usr/local/www/cgi-bin/ntop/ntop.sh start

# ps aux | grep ntop
root 37656 0.0 0.2 352 208 p2 R+ 8:36PM 0:00.00 grep ntop


Devender Khatana
Honored Contributor

Re: execute sudo via perl script

Hi,

Sorry for the delay; I was stuck with a severe problem.

But I do not see any difference between the two outputs of starting the service with or without sudo. Try to solve this first so that your service at least starts properly from the command line without sudo.

My www entry look like this.

www:*:30:1::/:
This is user with no shell.
===================================
%www ALL=(ALL) NOPASSWD: ALL

www ALL = NOPASSWD: /usr/local/www/cgi-bin/ntop/ntop.sh
=======================================

Your first entry in sudoers is for the www group rather than the user, and the second entry is not complete.

Change last entry to

www hostname= NOPASSWD:/usr/local/www/cgi-bin/ntop/ntop.sh

And then try to start service using sudo.
I would suggest you put some simple command through sudo to check syntax errors in sudoers before putting your actual command here.

HTH,
Devender
Impossible itself mentions "I m possible"
'chris'
Super Advisor

Re: execute sudo via perl script

I changed sudoers to:

www bsd = NOPASSWD: /usr/local/www/cgi-bin/ntop/ntop.sh

I can run sudo as the www user from the command line without errors
and execute the ntop.sh script.

What I don't understand is why I cannot run
my perl script without errors from the command line?
Devender Khatana
Honored Contributor

Re: execute sudo via perl script

Hi,

The only difference between the sudo called from the perl script and your session is the shell. Your shell uses /bin/sh or /sbin/sh, whereas your perl script uses /usr/bin/perl. Now I think you need to add /bin/sh or /sbin/sh (whichever is the shell from which it works fine) to the sudoers file and then call your command within the perl script to start/stop the service.

Something similar to what you needed in the beginning, but adding the shell to sudoers with its complete path and changing the perl script to call the command with its complete path.

HTH,
Devender
Impossible itself mentions "I m possible"
'chris'
Super Advisor

Re: execute sudo via perl script

I solved this problem:

This perl code does its job very well:
-------------------------------------------------------------------------------------------------------------
system `/usr/local/www/cgi-bin/ntop/ntop.sh stop` or die "cannot stop ntop: $!";
sleep(8);
$cc = `sudo /usr/local/www/cgi-bin/ntop/ntop.sh start` or die "cannot start ntop: $!";
print "status: ",$cc,"\n";
--------------------------------------------------------------------------------------------------------------
now I can stop & start ntop via browser !

greetings
chris
'chris'
Super Advisor

Re: execute sudo via perl script

I have only one problem with sudo.

If I restart the server I cannot execute sudo via the browser;
I must first restart Apache, then it works.

It seems that after a server restart Apache ignores sudo.
How do I configure Apache to accept sudo after a server restart?

Maybe Apache starts before sudo becomes active?
Ralph Grothe
Honored Contributor

Re: execute sudo via perl script

Hi Chris,

btw. what gid does your webserver run as?

Though I'm not that much into sudo to know the sudoers syntax by heart, I would translate that line that's part of your sudoers,

%www ALL=(ALL) NOPASSWD: ALL

as
"allow any user of system group www to run any command as any user without requiring a password".

If my crude translation is correct and your webserver runs as group www, I'd consider this highly insecure.
The webserver's child procs/threads should have as few permissions as possible.

Your Perl backticks and system() calls are OK as long as the commands executed that way don't include any client input.
Otherwise, for CGI scripts it's recommended to avoid the shell altogether by doing a manual fork() and exec(), or system() (passing a list of arguments instead of a single string), or using the open() call with "-|" if you want to read the child's output, or "|-" if you want to write to the child.

I'd also suggest enabling taint mode for any server-side scripting code that's executed by publicly accessible daemons.
Just append "-T" to the shebang, and Perl will moan about any tainted code bits it discovers and reject execution until those are untainted by your code.

See "perldoc perlsec".


Madness, thy name is system administration
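Added example (editor's illustration, not a configuration posted by anyone in this thread): the group rule Ralph translates above, beside a narrowly scoped rule in the user / host / command form Devender describes and the line chris eventually settled on. The host name bsd and the script path are taken from chris's posts; the restriction to exactly two argument forms, the env_reset default and the ownership caveat are additions and assumptions about the local setup. sudo matches the host field against the local host name, and ALL matches any host.

```sudoers
# Added example: the two styles of rule from this thread side by side.

# The group rule chris originally had. Ralph's reading is exact: any member
# of group www may run ANY command as ANY user with no password. If Apache's
# children run in that group, a single bug in any CGI is root.
# %www ALL=(ALL) NOPASSWD: ALL

# Reset the environment sudo passes on (assumed here; it is the default in
# current sudo). This is independent of Perl's own taint check on %ENV.
Defaults env_reset

# The narrow rule, in user / host / (runas) / tag / command form. Host "bsd"
# and the script path are chris's; limiting the arguments to exactly "start"
# and "stop" is an assumption added here. Long lines continue with a backslash.
www bsd = (root) NOPASSWD: /usr/local/www/cgi-bin/ntop/ntop.sh start, \
                           /usr/local/www/cgi-bin/ntop/ntop.sh stop

# Checks, run as root after editing:
#   visudo -c            syntax check of the installed sudoers
#   sudo -l -U www       list exactly what user www may run
# Caveat: ntop.sh must be owned by root and not writable by www (or by any
# group www is in); otherwise www edits the script and runs it as root anyway.
```

The rule only bounds what sudo will run; it does nothing about what the CGI itself executes before calling sudo, which is why Ralph's advice on shell-free calls and taint mode still applies.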
'chris'
Super Advisor

Re: execute sudo via perl script

hi

sorry, I forgot to post my new sudo entry:

in sudoers I have:
------------------------------------------------------------------------------------
www bsd = NOPASSWD: /usr/local/www/cgi-bin/ntop/ntop.sh
------------------------------------------------------------------------------------
I completely agree with you; otherwise it would be dangerous.

I changed to:
#!/usr/bin/perl -T

and now I get following error in the browser:
-----------------------------------------------------------------------------------------
Software error:

Insecure $ENV{PATH} while running with -T switch at /usr/local/www/cgi-bin/ntop/ntop.cgi line 44.
-----------------------------------------------------------------------------------------

line 44 is:
----------------------------------------------------------------------------------------------------------
system `/usr/local/www/cgi-bin/ntop/ntop.sh stop` or die "cannot stop ntop: $!";
----------------------------------------------------------------------------------------------------------

If I stop and start Apache, then it works well, but I must change
#!/usr/bin/perl -T
back to:
#!/usr/bin/perl -w
otherwise I get this "Insecure" message in the browser.

I think this problem is in Apache itself.

kind regards
chris
'chris'
Super Advisor

Re: execute sudo via perl script

this code solved my problem:
----------------------------------------------------------------------------------------------------------
my $cc = `/usr/local/bin/sudo /usr/local/www/cgi-bin/ntop/ntop.sh start`
or die "cannot start ntop: $!";
----------------------------------------------------------------------------------------------------------

greetings
chris
Ralph Grothe
Honored Contributor

Re: execute sudo via perl script

The insecure %ENV message you receive from Perl when run in taint mode has nothing to do with Apache.
Perl treats environment variables, among other external influences, as possible candidates for being tainted (i.e. client-infiltrated).
To overcome this, one usually undefines or explicitly redefines any environment variables that are considered dangerous (e.g. PATH; time permitting, read perldoc perlsec).
This is best done in the child's execution block when you fork, as it doesn't influence the parent's settings.
Madness, thy name is system administration
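Added example, written by the editor and not taken from chris's or Ralph's posts: one CGI that puts together Ralph's two pieces of advice, the shell-free list-form open() with "-|" and taint mode, with the explicit %ENV cleanup his last reply describes. Paths to sudo and ntop.sh are those from the thread; the "action" query parameter and its start/stop allow-list are assumptions for illustration. Two details differ deliberately from the code posted earlier: the action comes from the client and is untainted by a regex capture rather than trusted, and the command is run once through open() instead of the `system \`...\`` form, which first runs the backticked command and then hands its output to system() as a second command.

```perl
#!/usr/bin/perl -T
# Added example: a taint-safe rewrite of the CGI discussed in this thread.
# Not chris's code. Paths are from the thread; the "action" query parameter
# and the allowed-action list are assumptions made for illustration.
use strict;
use warnings;
use CGI;

# 1. Under -T, %ENV is tainted. Set PATH to a fixed, non-world-writable value
#    and drop the variables perlsec lists as dangerous; only then will Perl
#    allow the script to run external programs at all.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Absolute paths: no PATH lookup, and the sudoers rule names this exact file.
my $SUDO   = '/usr/local/bin/sudo';
my $SCRIPT = '/usr/local/www/cgi-bin/ntop/ntop.sh';

# 2. Untaint client input by matching it against a strict allow-list.
#    Only the captured group loses its taint; anything else is refused.
sub untaint_action {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A(start|stop)\z/;
    return;                           # refuse everything else
}

# 3. Run the command without a shell. List-form open() with "-|" forks and
#    execs sudo directly, so no metacharacter in any argument is interpreted,
#    and we can still read the child's stdout.
sub run_action {
    my ($action) = @_;
    open(my $out, '-|', $SUDO, $SCRIPT, $action)
        or return (undef, "cannot run $SUDO: $!");
    my $output = do { local $/; <$out> };   # slurp child's stdout
    close($out);                            # sets $? to the child's status
    my $status = $? >> 8;                   # exit code of sudo / ntop.sh
    $output = '' unless defined $output;
    return ($status, $output);
}

my $q   = CGI->new;
my $raw = $q->param('action');              # scalar context: first value only
my $action = untaint_action($raw);

print $q->header('text/plain');
if (!defined $action) {
    print "refused: action must be 'start' or 'stop'\n";
    exit 1;
}

my ($status, $output) = run_action($action);
if (!defined $status) {
    print "$output\n";
    exit 1;
}
print "ntop $action: exit status $status\n", $output;
exit $status;
```

From a shell it can be exercised without Apache as `perl -T ntop.cgi action=stop` (CGI.pm accepts name=value pairs on the command line, and -T must be given on the command line because Perl rejects a -T that appears only in the shebang when started this way). The %ENV cleanup satisfies Perl's taint check for anything the CGI executes itself; sudo resets the environment on its own, and the sudoers rule plus a root-owned, non-writable ntop.sh are what actually bound the privilege.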