Re: [users@httpd] Script behaving differently when run by Apache and when run from a shell by user www-data?

2024-01-23 Thread EML




> IMO suexec would be better suited to handle more sensitive operations
> such as unmounting.
>
> CGI is not an interactive shell, as you discovered.
>
> Calling a separate script with the suid bit might work too.


But I don't need an interactive shell: I need a way to run a script as 
user www-data, which is what CGI is for. I tested the script in an 
interactive shell because that's the easy way to run a script as user 
www-data.


What's interesting here is that CGI appears to be doing something more 
complex than simply forking a process. The script which is the problem 
has an EUID of 0, so why can't it unmount a filesystem? Have I just 
messed up (probably?) Or has Apache run me /without/ CAP_SYS_ADMIN? If 
so, how and why? Maybe this is unlikely, but if it happens, it should be 
documented. If this, or something similar, doesn't happen, then I know 
that the problem is my fault.
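
The question above (EUID 0, yet the unmount has no effect, and whether CAP_SYS_ADMIN is really present) can be settled by measurement rather than guesswork. The script below is an added diagnostic, not something posted in this thread. It is meant to be run exactly the way the failing script is run, i.e. through the same sudoers entry, once as a CGI program under Apache and once from `sudo -u www-data bash`, and the two outputs diffed. It prints the real and effective UID, parses the CapEff line of /proc/self/status to say whether CAP_SYS_ADMIN (which umount(2) requires) is in the effective set, and, as an extra check that the thread does not mention and that is purely this example's assumption, the mount namespace the process lives in and how many mount entries it can see.

```shell
#!/bin/bash
# Added diagnostic, not a script from the thread. Run it via the same
# sudoers entry as the failing script, once as a CGI under Apache and once
# from "sudo -u www-data bash", and diff the outputs.

CAP_SYS_ADMIN_BIT=21    # bit index of CAP_SYS_ADMIN, from <linux/capability.h>

# cap_field NAME  - reads /proc/<pid>/status text on stdin and prints the
# hex mask of that field (CapInh, CapPrm, CapEff or CapBnd)
cap_field() {
    awk -v key="$1:" '$1 == key { print $2 }'
}

# has_cap HEXMASK BIT  - succeeds when bit BIT is set in the hex mask
has_cap() {
    [ "$(( (0x$1 >> $2) & 1 ))" -eq 1 ]
}

# cap_summary  - reads status text on stdin, prints the effective mask and
# whether CAP_SYS_ADMIN, which umount(2) needs, is part of it
cap_summary() {
    local eff
    eff=$(cap_field CapEff)
    [ -n "$eff" ] || eff=0
    if has_cap "$eff" "$CAP_SYS_ADMIN_BIT"; then
        echo "CapEff=$eff CAP_SYS_ADMIN=yes"
    else
        echo "CapEff=$eff CAP_SYS_ADMIN=no"
    fi
}

# report  - the lines to compare between the two runs. The mount namespace
# and mount count are an extra check assumed by this example, not something
# the thread establishes: if they differ between the CGI run and the shell
# run, the two processes are not looking at the same mount table.
report() {
    echo "ruid/euid:   $(id -ru)/$(id -u)"
    cap_summary < /proc/self/status
    echo "mount ns:    $(readlink /proc/self/ns/mnt)"
    echo "mounts seen: $(wc -l < /proc/self/mounts)"
}

# Under Apache the CGI variables are set; send a header so the output is
# returned to the browser instead of producing a 500.
if [ -n "$GATEWAY_INTERFACE" ]; then
    printf 'Content-Type: text/plain\n\n'
fi
if [ -r /proc/self/status ]; then
    report
fi
```

If the CGI run shows CAP_SYS_ADMIN=no while the shell run shows yes, the capability is the problem; if both show yes but the mount namespace links differ, the unmount is succeeding in a namespace the login shell never sees, which is consistent with "appears to succeed but the disk is still mounted".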

Re: [users@httpd] Script behaving differently when run by Apache and when run from a shell by user www-data?

2024-01-23 Thread Frank Gingras
On Tue, Jan 23, 2024 at 2:12 PM EML  wrote:

>
> Let's take a step back - why are you unmounting from a cgi script?
>
> It's a one-time setup when a user configures a new system. Most of these
> users aren't shell-literate, so they configure by ticking boxes on a web
> page. The system is a VPS, so is actually a VM, which I hope isn't relevant.
>
> Anyway, when configuration completes, all the scripts are deleted and
> Apache runs 'normally'.
>

IMO suexec would be better suited to handle more sensitive operations such
as unmounting.

CGI is not an interactive shell, as you discovered.

Calling a separate script with the suid bit might work too.


Fwd: [users@httpd] Script behaving differently when run by Apache and when run from a shell by user www-data?

2024-01-23 Thread EML



> Let's take a step back - why are you unmounting from a cgi script?


It's a one-time setup when a user configures a new system. Most of these 
users aren't shell-literate, so they configure by ticking boxes on a web 
page. The system is a VPS, so is actually a VM, which I hope isn't relevant.


Anyway, when configuration completes, all the scripts are deleted and 
Apache runs 'normally'.


Re: [users@httpd] Script behaving differently when run by Apache and when run from a shell by user www-data?

2024-01-23 Thread Frank Gingras
On Tue, Jan 23, 2024 at 2:02 PM EML  wrote:

> The CGI Howto page contains some basic information on how Apache actually
> runs a program, but is there any more detailed information anywhere?
>
> Specifically, I have a problem where a bash script runs as expected when
> run from an interactive shell by user www-data (this is Ubuntu). However,
> the script behaves differently when run via Apache from a web client. This
> is nothing to do with PATH or envvar differences: when run by Apache, an
> operation to unmount a disk appears to succeed, but actually doesn't
> unmount the disk. When run from the interactive shell, as the same user,
> the operation unmounts the disk.
>
> This is a basic Apache install on Ubuntu 22.04 - no suexec, no chroot,
> plain CGI, etc. I've been running scripts via Apache this way for years,
> but this is the first script which attempts to carry out disk operations.
> All these scripts appear in the sudoers file to allow Apache to carry out
> specific privileged operations.
>
> I asked this question 
> today on StackExchange (https://unix.stackexchange.com/q/767587/212513,
> if the link is scrubbed), with much more detail, but I think that was
> probably the wrong place to ask.
>
>  Thanks.
>

Let's take a step back - why are you unmounting from a cgi script?


[users@httpd] Script behaving differently when run by Apache and when run from a shell by user www-data?

2024-01-23 Thread EML
The CGI Howto page contains some basic information on how Apache 
actually runs a program, but is there any more detailed information 
anywhere?


Specifically, I have a problem where a bash script runs as expected when 
run from an interactive shell by user www-data (this is Ubuntu). 
However, the script behaves differently when run via Apache from a web 
client. This is nothing to do with PATH or envvar differences: when run 
by Apache, an operation to unmount a disk appears to succeed, but 
actually doesn't unmount the disk. When run from the interactive shell, 
as the same user, the operation unmounts the disk.


This is a basic Apache install on Ubuntu 22.04 - no suexec, no chroot, 
plain CGI, etc. I've been running scripts via Apache this way for years, 
but this is the first script which attempts to carry out disk 
operations. All these scripts appear in the sudoers file to allow Apache 
to carry out specific privileged operations.


I asked this question  
today on StackExchange (https://unix.stackexchange.com/q/767587/212513, 
if the link is scrubbed), with much more detail, but I think that was 
probably the wrong place to ask.


 Thanks.


Re: [users@httpd] Secure websockets and proxying

2024-01-23 Thread Yann Ylavic
On Tue, Jan 23, 2024 at 5:22 PM Yann Ylavic  wrote:
>
> On Tue, Jan 23, 2024 at 11:55 AM Erik Thuning  wrote:
> >
> > I have a tomcat application running that accepts websockets. In front of
> > this application I'm running apache as a reverse proxy. SSL is
> > configured in apache, and my tomcat knows nothing about SSL.
> >
> > In the usual web traffic case, everything works just as expected - the
> > SSL connection terminates in apache and the request is forwarded to
> > tomcat using plain http. However, this approach doesn't seem to work
> > when it comes to websockets - the upgrade requests return 403 with no
> > further elaboration in the log.
>
> You could set "LogLevel trace8" in the VirtualHost to get more/full 
> information.

Also httpd should log an error for a 403 it generates, can't the 403
originate from Tomcat for some reason?

>
>
> Regards;
> Yann.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Secure websockets and proxying

2024-01-23 Thread Yann Ylavic
On Tue, Jan 23, 2024 at 11:55 AM Erik Thuning  wrote:
>
> I have a tomcat application running that accepts websockets. In front of
> this application I'm running apache as a reverse proxy. SSL is
> configured in apache, and my tomcat knows nothing about SSL.
>
> In the usual web traffic case, everything works just as expected - the
> SSL connection terminates in apache and the request is forwarded to
> tomcat using plain http. However, this approach doesn't seem to work
> when it comes to websockets - the upgrade requests return 403 with no
> further elaboration in the log.

You could set "LogLevel trace8" in the VirtualHost to get more/full information.


Regards;
Yann.




[users@httpd] Secure websockets and proxying

2024-01-23 Thread Erik Thuning

Hi!

I have a tomcat application running that accepts websockets. In front of 
this application I'm running apache as a reverse proxy. SSL is 
configured in apache, and my tomcat knows nothing about SSL.


In the usual web traffic case, everything works just as expected - the 
SSL connection terminates in apache and the request is forwarded to 
tomcat using plain http. However, this approach doesn't seem to work 
when it comes to websockets - the upgrade requests return 403 with no 
further elaboration in the log.


This is the proxy part of my vhost config:

    ...
    ProxyPass "/george/ws/sender"   "http://localhost:8080/george/ws/sender"   upgrade=websocket
    ProxyPass "/george/ws/receiver" "http://localhost:8080/george/ws/receiver" upgrade=websocket



I have succeeded in getting things working if I configure SSL in tomcat
as well:

    ...
    ProxyPass "/george/ws/sender"   "https://localhost:8443/george/ws/sender"   upgrade=websocket
    ProxyPass "/george/ws/receiver" "https://localhost:8443/george/ws/receiver" upgrade=websocket




Administrivia makes configuring SSL in tomcat undesirable, so my 
question is if it's possible to get websockets to behave similarly to 
SSL, with apache terminating the encryption layer and passing on an 
unsecured websocket internally? If it's possible, how?



Server version: Apache/2.4.57 (Debian)
Server built:   2023-04-13T03:26:51
Relevant documentation: 
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#wsupgrade



Regards,

Erik Thuning

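A 403 with nothing in the error log leaves open whether Apache or Tomcat refused the upgrade. The script below is an added check, not part of this thread or of httpd: it performs only the HTTP Upgrade handshake of a WebSocket connection with curl and reports the status line, so the identical request can be sent through the Apache front end and straight to the Tomcat port. On a 101 it also recomputes the Sec-WebSocket-Accept value from the key it sent (RFC 6455, section 4.2.2) to confirm that a real WebSocket endpoint answered. It assumes curl and openssl are installed; the paths are the ones from the configuration above, and the host name in the usage comment is a placeholder. RFC 6455 also allows a server to reject a handshake with 403 purely on the Origin header, so the probe can optionally send one, which lets you compare the answer with and without it.

```shell
#!/bin/bash
# Added check, not from the thread: sends a bare WebSocket upgrade handshake
# and reports the status, so the same request can be tried via Apache and
# directly against Tomcat. Needs curl and openssl.

WS_GUID="258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455

# ws_accept KEY  - the Sec-WebSocket-Accept value a compliant server must
# return for the Sec-WebSocket-Key it received (RFC 6455, section 4.2.2)
ws_accept() {
    printf '%s%s' "$1" "$WS_GUID" | openssl dgst -sha1 -binary | openssl base64
}

# ws_status RESPONSE  - status code from the first line of a raw HTTP response
ws_status() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'
}

# ws_header RESPONSE NAME  - value of one response header, name matched
# case-insensitively, trailing CR removed
ws_header() {
    printf '%s\n' "$1" | awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NR > 1 && index(tolower($0), name ":") == 1 {
            sub(/^[^:]*:[ \t]*/, ""); sub(/\r$/, ""); print; exit
        }'
}

# ws_probe URL [ORIGIN]  - send the handshake; succeeds only on a valid 101.
# ORIGIN is optional: a server may answer 403 on the Origin alone
# (RFC 6455, section 4.2.2), so compare the result with and without it.
ws_probe() {
    local url origin key resp status
    url="$1"; origin="${2:-}"
    key=$(head -c 16 /dev/urandom | openssl base64)   # 16-byte nonce, base64
    set -- -H "Connection: Upgrade" -H "Upgrade: websocket" \
           -H "Sec-WebSocket-Version: 13" -H "Sec-WebSocket-Key: $key"
    [ -z "$origin" ] || set -- "$@" -H "Origin: $origin"
    # --http1.1: the Upgrade mechanism exists only in HTTP/1.1; --max-time:
    # after a 101 the connection stays open, so stop once the headers are in
    resp=$(curl -sS --http1.1 --include --max-time 5 "$@" "$url" 2>/dev/null || true)
    if [ -z "$resp" ]; then
        echo "$url -> no response"
        return 1
    fi
    status=$(ws_status "$resp")
    echo "$url -> HTTP $status"
    [ "$status" = 101 ] || return 1
    if [ "$(ws_header "$resp" Sec-WebSocket-Accept)" = "$(ws_accept "$key")" ]; then
        echo "  Sec-WebSocket-Accept is correct: a WebSocket endpoint answered"
    else
        echo "  Sec-WebSocket-Accept is wrong: the 101 did not come from a WebSocket endpoint"
        return 1
    fi
}

# Usage (host name is a placeholder; paths are the ones from the vhost):
#   ./ws-probe.sh https://example.invalid/george/ws/sender \
#                 http://localhost:8080/george/ws/sender
rc=0
for u in "$@"; do
    ws_probe "$u" || rc=1
done
```

If the direct request to port 8080 already returns 403, the refusal is Tomcat's and the "LogLevel trace8" suggestion will only show Apache faithfully relaying it; if the direct request returns 101 and the request through Apache returns 403, the proxy side is where to look.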