Kelly,

On Tue, 22 Oct 2002 14:58:30 GMT Kelly Brown wrote:

> Hi guys,
> 
> I'll admit right up front that I'm not very knowledgeable in regards to 
> Linux, so I hope I don't come off sounding TOO foolish.  I do a lot of web 
> development, so I do know my way around a unix/linux environment somewhat.  
> I'm more used to working in a cgi environment with perl or php, so this stuff 
> is a tiny bit different for me.

None of this sounds foolish to me.  It sounds like you are
already on the right track and just need a bit of help to
fix the root cause of the problem.
 
> Anyhow, what I want to do basically is use weblet to run the following line:
> 
> echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
> 
> and alternately:
> 
> echo "0" > /proc/sys/net/ipv4/ip_masq_udp_dloose
> 
> I essentially want to allow someone on the local network to be able to 
> toggle loose UDP routing on and off at will through a web interface.

ssh would be a more secure way to do this, and with a little
work, could be made very easy for authorized users to use.  (As
simple as clicking on an icon that runs plink.exe and typing a
password.)  That said and my conscience clear :), you should be
able to make weblet do this too.

> I made a tiny little script to do this, but it doesn't work.  It runs, but 
> the ip_masq_udp_dloose file never changes and I'm GUESSING it's because 
> weblet isn't allowed to touch it because it's owned by root.  It works fine 
> if I run the script through the command prompt (logged in as root), just not 
> through the web interface.

Sounds like a very good guess to me.  If you wanted to verify,
you could do something like this:

  homefw: -root-
  # pwd 
  /var/sh-www/cgi-bin

  homefw: -root-
  # cat set_loose_udp_routing.wrap
  #!/bin/sh
  # Trace the real script and append the trace to a log the cgi user can write.
  sh -x set_loose_udp_routing "$@" 2>> /tmp/test.log

where "set_loose_udp_routing" is the real script.  I did some
testing (using ip_nonlocal_bind since my test Bering box does
not have ip_masq_udp_dloose) and this is what I found:

  homefw: -root-
  # tail -n 2 /tmp/test.log
  + echo 1
  set_loose_udp_routing: cannot create
  /proc/sys/net/ipv4/ip_nonlocal_bind: permission denied

  homefw: -root-
  # ls -al /proc/sys/net/ipv4/ip_nonlocal_bind 
  -rw-r--r--   1 root  wheel  [..] /proc/sys/net/ipv4/ip_nonlocal_bind


> How could I get around this?

I think the most secure solution would be to write a minimal
C program that sets ip_nonlocal_bind and run it setuid root.
There was some discussion of this a while back on leaf-user or
leaf-devel surrounding Jon Clausen's "blinder" project, IIRC.

Less secure would be to do the same thing with a setuid shell
script.

Probably the least secure would be to run weblet as root rather
than sh-httpd as described at
http://www.mail-archive.com/leaf-user@;lists.sourceforge.net/msg07465.html

(That posting should get you close to the discussion of the
setuid C program too.)
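As an added example (not Brad's code, nor the "blinder" project's), the minimal setuid-root C helper described above could look like this; the /proc path and the group used in the install commands are assumptions:

```c
/* Added example (not Brad's code nor the "blinder" project): a minimal
 * setuid-root helper that can toggle exactly one sysctl flag.  The path is
 * hard-coded and only "0" or "1" is accepted, so it cannot be pointed
 * elsewhere.  Install as root: chown root toggle_flag; chmod 4750 toggle_flag
 * with the group set to the one sh-httpd runs as (assumption). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define FLAG_PATH "/proc/sys/net/ipv4/ip_masq_udp_dloose"  /* the only file touched */

/* Accept only the literal strings "0" and "1"; anything else returns -1. */
int parse_flag(const char *arg)
{
    if (arg != NULL && strcmp(arg, "0") == 0) return 0;
    if (arg != NULL && strcmp(arg, "1") == 0) return 1;
    return -1;
}

/* Write "0\n" or "1\n" to path.  Returns 0 on success, -1 on failure. */
int write_flag(const char *path, int enabled)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    if (fputs(enabled ? "1\n" : "0\n", fp) == EOF) { fclose(fp); return -1; }
    return fclose(fp) == 0 ? 0 : -1;
}

/* Read the flag back (0, 1, or -1) so callers can confirm the change. */
int read_flag(const char *path)
{
    FILE *fp = fopen(path, "r");
    int c = (fp == NULL) ? EOF : fgetc(fp);
    if (fp != NULL) fclose(fp);
    return (c == '0') ? 0 : (c == '1') ? 1 : -1;
}

int main(int argc, char **argv)
{
    int flag = (argc == 2) ? parse_flag(argv[1]) : -1;
    if (flag < 0) {
        fprintf(stderr, "usage: %s 0|1\n", argv[0]);
        return 2;
    }
    /* Fail closed if the setuid bit is missing, then write and verify. */
    if (setuid(0) != 0 || write_flag(FLAG_PATH, flag) != 0) {
        perror("toggle_flag");
        return 1;
    }
    return read_flag(FLAG_PATH) == flag ? 0 : 1;
}
```

The cgi script then only needs to exec the helper with "0" or "1", and the helper itself never runs a shell or reads any user-controlled path.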

> I tried using both chmod and chown on 
> ip_masq_udp_dloose to allow weblet access, but nothing happens.  The 
> commands act as if they worked, but the permissions don't change.  It seems 
> a bit odd to me.

Not positive, but I think that's probably because it is part of
the /proc pseudo filesystem.

--Brad


_______________________________________________
leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel