web server user id in at.deny list?


Post by Chris Coyl » Sat, 06 Apr 2002 05:07:31



Hey all,
[and I apologize for cross-posting - I'm not sure who would know this]

I have a program which runs in a child process of the web server (httpd).
At some point it needs to wait for about a minute for some external stuff
to happen, then send a mail message and then exit.
I had an idea to queue up a job using at, something like this:

        system("echo \"mailcommand...\" | at now + 1 minute");

When I tried this out in a test program it worked perfectly, but then
I discovered I can't use it because on our system the httpd runs with a
user id which is in the at.deny list.

The only alternative I've found is to have the program fork off another
child process which would sleep for 1 minute and then wake up, send the
message and then die.  This seems messy because the child would hold open
anything it inherits, (unless I explicitly release it all), and the httpd
could get confused by an unexpected SIGCHLD.

So, my question is what are the risks (if any) of allowing the web server
user id to run at jobs?  I think the queued job runs with the same user id,
so I don't see the point in denying it.
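
The fork alternative described in the post above, written to deal with the two concerns it names (inherited descriptors and an unexpected SIGCHLD). This is an added example, not code from the thread; the helper name `run_detached_later`, the 65536 descriptor cap and the `/bin/true` stand-in for the mail command are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run argv[0] after `delay` seconds in a detached
 * grandchild. Returns 0 once the job is handed off, -1 on failure. */
int run_detached_later(unsigned delay, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                      /* intermediate child */
        if (setsid() < 0)                /* leave the server's session */
            _exit(1);
        pid_t worker = fork();
        if (worker != 0)                 /* fork error, or intermediate: exit now */
            _exit(worker < 0 ? 1 : 0);
        /* Worker, now re-parented away from the caller: release every
         * descriptor inherited from the web server. The assumed cap of
         * 65536 keeps the loop short when the fd limit is very large. */
        long maxfd = sysconf(_SC_OPEN_MAX);
        if (maxfd < 0 || maxfd > 65536)
            maxfd = 65536;
        for (int fd = 0; fd < maxfd; fd++)
            close(fd);
        /* Reopen 0, 1 and 2 on /dev/null so the job has sane stdio. */
        if (open("/dev/null", O_RDWR) != 0 || dup(0) != 1 || dup(0) != 2)
            _exit(127);
        sleep(delay);
        execv(argv[0], argv);            /* direct exec, no shell */
        _exit(127);
    }
    /* Caller: reap the intermediate child by pid right away, so no child
     * of ours is left to exit later and raise a surprise SIGCHLD. */
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    char *const job[] = { "/bin/true", NULL };  /* constructed stand-in for the mail command */
    return run_detached_later(60, job) == 0 ? 0 : 1;
}
```

The call returns as soon as the intermediate child has exited, so the CGI program can finish its response while the worker sleeps on its own.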


Post by Clar » Sat, 06 Apr 2002 06:28:31



> Hey all,
> [and I apologize for cross-posting - I'm not sure who would know this]

> I have a program which runs in a child process of the web server (httpd).
> At some point it needs to wait for about a minute for some external stuff
> to happen, then send a mail message and then exit.
> I had an idea to queue up a job using at, something like this:

>         system("echo \"mailcommand...\" | at now + 1 minute");

> When I tried this out in a test program it worked perfectly, but then
> I discovered I can't use it because on our system the httpd runs with a
> user id which is in the at.deny list.

> The only alternative I've found is to have the program fork off another
> child process which would sleep for 1 minute and then wake up, send the
> message and then die.  This seems messy because the child would hold open
> anything it inherits, (unless I explicitly release it all), and the httpd
> could get confused by an unexpected SIGCHLD.

> So, my question is what are the risks (if any) of allowing the web server
> user id to run at jobs?  I think the queued job runs with the same user id,
> so I don't see the point in denying it.

Another solution would be to have the process write the message to a
file that the world can read and delete.  Have another process running
under a secure userid that will look for that file, mail the
file, delete the file and terminate.

If your website is out in the real world a hacker could use the at
command to issue a huge number of jobs that would fill up your file
system and bring down your server as well as whatever else was on that
same file system.

--
Clark Zahn
Registered linux user 267087

 
 
 

Post by Michael Heimin » Sat, 06 Apr 2002 07:01:28



[..]

> So, my question is what are the risks (if any) of allowing the web server
> user id to run at jobs?  I think the queued job runs with the same
> user id, so I don't see the point in denying it.

Hi Chris,

presuming you are running apache, there's no need; you can use
'suexec', which comes with apache and allows you to run your CGI under
some other, preferably drastically restricted user, to minimize
risk, like a DOS attack. Check the docs at apache.org.

Good luck

Michael Heiming
--
Remove the +SIGNS case mail bounces.

 
 
 
