Apache as non root with sudo

donald.ritchey at exeloncorp.com donald.ritchey at exeloncorp.com
Wed Jan 7 13:00:46 EST 2004


Jamie:

My answer (not necessarily the only right one, but one way to do it) is to
recompile apachectl with the Solaris option '-R', which embeds a path list
to the directories containing shared libraries in the executable file for
apachectl, which eliminates the dependency on LD_LIBRARY_PATH.  

LD_LIBRARY_PATH is a convenience, which permits you to move shared libraries
around or to have private library directories for different applications
(like Apache and Oracle).  This permits you to upgrade individual components
on your system without having to rebuild everything.  For example, you could
keep two versions of Oracle on a system, installed in directories
/opt/oracle/release_1 and /opt/oracle/release_2, for use by other programs
that only work with one version of Oracle, but not both.  For the
applications needing release_1, the LD_LIBRARY_PATH would include
"Blah:Blahh:/opt/oracle/release_1/lib", and the other applications would use
"Blah:Blahh:/opt/oracle/release_2/lib".

The key thing for our discussion is that, for security reasons to prevent
someone from putting a subverted "libc.so" that would break into a setUID
executable into the LD_LIBRARY_PATH search sequence, the system clears
LD_LIBRARY_PATH and other sensitive environment variables before it executes
the application.  This breaks applications that depend on the
LD_LIBRARY_PATH mechanism and forces you to look at workarounds.  

Eric showed you a fix that works because, at the moment of execution of
apachectl, the real and effective user IDs are the same.

Working with programs that bridge secure and insecure environments is always
tricky.  That is the reason that you have to pay attention to side-effects
of commands and command environments, because that is usually the path an
attacker uses to break into your systems.

Good luck and hope the explanation helps.

Don

Donald L. (Don) Ritchey
E-mail:  Donald.Ritchey at exeloncorp.com
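As an added illustration of the mechanism Don describes above (this is not code from the sudo-users thread or from any of its participants), the script below simulates the library search a runtime linker performs, so the three situations in the thread can be compared side by side: LD_LIBRARY_PATH honoured (root running httpd directly), LD_LIBRARY_PATH dropped because the process is "secure" (real and effective user IDs differ, as when sudo launches httpd), and a run path embedded in the executable (the -R fix). The search order follows the Solaris ld.so.1 documentation (LD_LIBRARY_PATH, then the embedded run path, then the default directories; Linux orders DT_RPATH differently). The directory tree, library names and the `effective_search_path`, `resolve_libs`, `setup_layout` and `check_scenario` functions are all constructed for this example; nothing here calls the real loader.

```shell
#!/bin/sh
# Added example, not from the sudo-users thread. Simulates how a runtime
# linker resolves a binary's shared-library dependencies under the three
# conditions discussed: LD_LIBRARY_PATH honoured, LD_LIBRARY_PATH scrubbed
# for a "secure" (setuid / sudo) process, and a run path embedded with -R.
# All paths, library names and the directory tree below are constructed.

# effective_search_path RUNPATH LDPATH SECURE DEFAULTS
# Prints the colon-separated directory list the simulated loader consults.
# LDPATH is dropped entirely when SECURE is 1 (real uid != effective uid).
effective_search_path() {
    runpath=$1; ldpath=$2; secure=$3; defaults=$4
    if [ "$secure" -eq 1 ]; then
        printf '%s:%s\n' "$runpath" "$defaults"
    else
        printf '%s:%s:%s\n' "$ldpath" "$runpath" "$defaults"
    fi
}

# resolve_libs SEARCHPATH LIB...
# Prints one "lib=dir" (or "lib=NOTFOUND") line per library and returns 1
# if any library is unresolved: the "open failed" failure seen in the thread.
resolve_libs() {
    search=$1; shift
    missing=0
    for lib in "$@"; do
        found=
        oldifs=$IFS; IFS=:
        for dir in $search; do
            [ -n "$dir" ] || continue
            if [ -f "$dir/$lib" ]; then
                found=$dir
                break
            fi
        done
        IFS=$oldifs
        if [ -n "$found" ]; then
            printf '%s=%s\n' "$lib" "$found"
        else
            printf '%s=NOTFOUND\n' "$lib"
            missing=1
        fi
    done
    return $missing
}

# setup_layout
# Builds a constructed tree under a temp directory: a private application
# library (reachable only via LD_LIBRARY_PATH or a run path) and a standard
# system library. Prints the root directory.
setup_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/opt/ebill/app/lib" "$root/usr/lib"
    : > "$root/opt/ebill/app/lib/libmm.so.11"
    : > "$root/usr/lib/libc.so.1"
    printf '%s\n' "$root"
}

# check_scenario LABEL RUNPATH LDPATH SECURE DEFAULTS LIB...
# Runs one scenario, prints its verdict, returns resolve_libs' status.
check_scenario() {
    label=$1; runpath=$2; ldpath=$3; secure=$4; defaults=$5; shift 5
    sp=$(effective_search_path "$runpath" "$ldpath" "$secure" "$defaults")
    printf '== %s (search path: %s)\n' "$label" "$sp"
    resolve_libs "$sp" "$@"
}

demo() {
    root=$(setup_layout)
    priv="$root/opt/ebill/app/lib"; sys="$root/usr/lib"
    # Root running httpd interactively: LD_LIBRARY_PATH is honoured.
    check_scenario "root, LD_LIBRARY_PATH honoured" "" "$priv" 0 "$sys" libmm.so.11 libc.so.1
    # Same binary launched via sudo: secure process, LD_LIBRARY_PATH ignored.
    check_scenario "sudo, LD_LIBRARY_PATH scrubbed" "" "$priv" 1 "$sys" libmm.so.11 libc.so.1 || true
    # Binary relinked with -R: the embedded run path survives the scrub.
    check_scenario "sudo, run path embedded with -R" "$priv" "" 1 "$sys" libmm.so.11 libc.so.1
    rm -rf "$root"
}

demo
```

On a real system the equivalent check is the `ldd` run Eric suggested, performed on the httpd binary from a shell in which LD_LIBRARY_PATH has been unset: any library reported as not found there is one that will also fail under sudo. Restoring the variable through a wrapper shell works because the wrapper runs with matching real and effective IDs, while the -R run path removes the dependency on the environment altogether.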

-----Original Message-----
From: Jamie Bowden [mailto:jamiebowden at hotmail.com]
Sent: Tuesday, January 06, 2004 10:58 AM
To: Eric.Ladner at ChevronTexaco.com; donald.ritchey at exeloncorp.com
Cc: sudo-users at sudo.ws
Subject: RE: Apache as non root with sudo



# cat /etc/release
                       Solaris 8 2/02 s28s_u7wos_08a SPARC
           Copyright 2002 Sun Microsystems, Inc.  All Rights Reserved.
                           Assembled 18 December 2001


Here is the output of the command you had mentioned:

# env |grep LIBRARY
LD_LIBRARY=/opt/oracle/release/9.2.1/lib:/lib:/usr/openwin/lib:/usr/dt/lib:/usr/lib
LD_LIBRARY_PATH=/opt/oracle/release/9.2.1/jdbc/lib:/opt/oracle/release/9.2.1/lib:/usr/local/lib/:/opt/ebill/app/lib:/opt/ebill/app/lib
(bcsun26: root )/

# env |grep SHLIB
(bcsun26: root )/

So what you are saying is I should make the user's LD_LIBRARY_PATH equal to
root's LD_LIBRARY_PATH & LD_LIBRARY?

Thanks for your help

Jamie

>From: "Ladner, Eric (Eric.Ladner)" <Eric.Ladner at ChevronTexaco.com>
>To: "Jamie Bowden" <jamiebowden at hotmail.com>, donald.ritchey at exeloncorp.com
>CC: sudo-users at sudo.ws
>Subject: RE: Apache as non root with sudo
>Date: Tue, 6 Jan 2004 10:53:10 -0600
>
>What operating system is this?
>
>As root:
>
>   env | grep LIBRARY
>   env | grep SHLIB
>
>If something shows up (LD_LIBRARY_PATH in my example) try this:
>
>sudo /bin/sh -c "LD_LIBRARY_PATH=/whatever:/shows:/up httpd"
>
>Eric
>
>-----Original Message-----
>From: Jamie Bowden [mailto:jamiebowden at hotmail.com]
>Sent: Tuesday, January 06, 2004 10:47
>To: Ladner, Eric (Eric.Ladner); donald.ritchey at exeloncorp.com
>Cc: sudo-users at sudo.ws
>Subject: RE: Apache as non root with sudo
>
>
>
>
>Here is something that may be interesting:
>
>As the user I run:
># httpd
>Ouch! ap_mm_create(1048576, "/opt/ebill/app/logs/httpd.mm.11004") failed
>Error: MM: mm:core: failed to open semaphore file (Permission denied):
>OS:
>No such file or directory
>
>When I run httpd with sudo - I get my error:
># sudo httpd
>ld.so.1: httpd: fatal: libmm.so.11: open failed: No such file or
>directory
>Killed
>
>
>And if I run httpd as root:
># httpd
>(bcsun26:  root) /
>
>Is there something in the linking that root would have that the user would
>not?
>
>Jamie
>
> >From: "Ladner, Eric (Eric.Ladner)" <Eric.Ladner at ChevronTexaco.com>
> >To: donald.ritchey at exeloncorp.com
> >CC: jamiebowden at hotmail.com, sudo-users at sudo.ws
> >Subject: RE: Apache as non root with sudo
> >Date: Tue, 6 Jan 2004 10:10:14 -0600
> >
> >
> >Also, depending on your operating system, you can do a chatr
> >/opt/ebill/app/bin/httpd (as in HP-UX) or ldd /opt/ebill/app/bin/httpd
> >(most other Unixes) to see what it's linked against.  That'll help, most
> >likely.
> >
> >Eric
> >
> >-----Original Message-----
> >From: sudo-users-bounces at sudo.ws [mailto:sudo-users-bounces at sudo.ws] On
> >Behalf Of donald.ritchey at exeloncorp.com
> >Sent: Tuesday, January 06, 2004 9:30 AM
> >To: jamiebowden at hotmail.com; sudo-users at sudo.ws
> >Subject: RE: Apache as non root with sudo
> >
> >
> >Jamie:
> >
> >This looks like an error in the shared library linkage with apachectl.
> >Your apachectl is compiled with linkage to shared libraries that are not
> >part of the standard shared library loading environment (probably
> >depending on a LD_LIBRARY_PATH variable to find the library in
> >question).  As a security measure to prevent spoofing sensitive set-UID
> >executables, LD_LIBRARY_PATH is cleared for setUID executables when the
> >real user ID is not root.
> >
> >Responses:
> >
> >1.  Move the needed library into a library that is in the standard
> >library search path (in Tru64 UNIX, the loader(5) man page tells you
> >what those directories are, for your OS, you may have to do some
> >research to find out where these are) or extend the standard library
> >search path to include the needed directory.
> >
> >2.  You may compile in the location of the directory containing the
> >missing shared library into the apachectl executable.  Again, this is
> >dependent on the OS and compilers for your environment.  Check your man
> >pages for cc(1) and ld(1) for the proper options.
> >
> >Best wishes,
> >
> >Donald L. (Don) Ritchey
> >E-mail:  Donald.Ritchey at exeloncorp.com
> >
> >-----Original Message-----
> >From: Jamie Bowden [mailto:jamiebowden at hotmail.com]
> >Sent: Tuesday, January 06, 2004 9:10 AM
> >To: sudo-users at sudo.ws
> >Subject: Apache as non root with sudo
> >
> >
> >Hello,
> >
> >I have installed sudo and am wondering why I cannot get non root users to
> >start apache when that user issues the command "sudo apachectl start"
> >
> >This user has been given 100% root access via sudo command.  They can run
> >any command root can.
> >
> >The error message I get is:
> >ld.so.1: /opt/ebill/app/bin/httpd: fatal: libmm.so.11: open failed: No such
> >file or directory
> >Killed
> >/opt/ebill/app/bin/apachectl start: httpd could not be started
> >
> >Does sudo not give the user the same paths as root?  Root does not get this
> >message - isn't Sudo supposed to make that user "behave" like root?
> >
> >Any suggestions on what else I could verify?
> >
> >Thanks
> >
> >Jamie Bowden
> >www.atl.bluecross.ca
> >
> >
> >____________________________________________________________
> >sudo-users mailing list <sudo-users at sudo.ws>
> >For list information, options, or to unsubscribe, visit:
> >http://www.sudo.ws/mailman/listinfo/sudo-users
> >
> >
> >***********************************************************************
> >This e-mail and any of its attachments may contain Exelon Corporation
> >proprietary information, which is privileged, confidential, or subject
> >to copyright belonging to the Exelon Corporation family of Companies.
> >This e-mail is intended solely for the use of the individual or entity
> >to which it is addressed.  If you are not the intended recipient of this
> >e-mail, you are hereby notified that any dissemination, distribution,
> >copying, or action taken in relation to the contents of and attachments
> >to this e-mail is strictly prohibited and may be unlawful.  If you have
> >received this e-mail in error, please notify the sender immediately and
> >permanently delete the original and any copy of this e-mail and any
> >printout. Thank You.
> >***********************************************************************
> >
> >
> >
>
>
>
>


