OS_process authentication

Re: OS_process authentication

Jussi Hirvi
Chmod still seems to be a hard one. I tried to trigger it directly, with no
success. Here's what I tried:
   Var: 'myProcess' = (OS_Process: '/bin/ls', (array:'-l','testfile'));
    Encode_break: $myProcess->Read;

   Var: 'myProcess' = (OS_Process: '/bin/chmod', (array:'777','testfile'));
    Encode_break: $myProcess->Read;

   Var: 'myProcess' = (OS_Process: '/bin/ls', (array:'-l','testfile'));
    Encode_break: $myProcess->Read;

The output in browser:
-rwxrwx--- 1 root root 0 Feb 27 15:09 testfile
-rwxrwx--- 1 root root 0 Feb 27 15:09 testfile

So ls works, but chmod silently fails.

- Jussi

27.2.2009 15:16 Viaduct Productions ([hidden email])
wrote:

> os_process can have multiple commands, so you can interact with a
> multi-command session.  It's tricky, and I had to test it through and
> through to make sure things were going on properly.  Perhaps you can
> get into su and try it that way.  I don't know, just speculating.
>
> On 27-Feb-09, at 8:13 AM, Jussi Hirvi wrote:
>
>> Ok, but it seems that ls is easy to trigger. I cannot trigger the chmod
>> command at all. ls is not so much fun yet. :-)

--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. & fax +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
[hidden email] * http://www.greenspot.fi



--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/



Re: OS_process authentication

Jussi Hirvi
In reply to this post by Jussi Hirvi
Followup:

if I change my testfile (target of the operation) to be owned by lasso, then
chmod works, and the output is as expected:

    -rwxrwx--- 1 lasso lasso 0 Feb 27 15:09 testfile
    -rwxrwxrwx 1 lasso lasso 0 Feb 27 15:09 testfile

So this kind of proves that OS_process is run by the user "lasso".

What I don't understand is why OS_process cannot on my system manipulate
files with the group owner "apache" - even though I have made the "lasso"
user a member of the "apache" group.

- Jussi

--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. & fax +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
[hidden email] * http://www.greenspot.fi




Re: OS_process authentication

stevepiercy
In reply to this post by jasonhuck
On Friday, February 27, 2009, [hidden email] (Jason Huck) pronounced:

>I always found it a little confusing that [os_process] had the Lasso
>application folder as its pwd instead of the web root from which it's
>called (since that's most often where you want to manipulate
>something). That's why I change it automatically right off the bat in
>the [shell] wrapper tag. I also find it a lot easier to just spawn a
>terminal than to interact directly with whatever process I'm using, so
>that I can directly transfer whatever works on the command line to the
>tag.
>
>http://tagswap.net/shell/

That is the missing piece to the montage issue!  There is some syntax within this ctag that invokes the command, plus the error message component helped me debug the command.  Brilliant!

I'll write it up.

--steve

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>



Re: OS_process authentication

stevepiercy
In reply to this post by Jussi Hirvi
On Friday, February 27, 2009, [hidden email] (Jussi Hirvi) pronounced:

>Followup:
>
>if I change my testfile (target of the operation) to be owned by lasso, then
>chmod works, and the output is as expected:
>
>    -rwxrwx--- 1 lasso lasso 0 Feb 27 15:09 testfile
>    -rwxrwxrwx 1 lasso lasso 0 Feb 27 15:09 testfile
>
>So this kind of proves that OS_process is run by the user "lasso".

Lasso and its tags run as the system user 'lasso'.

>What I don't understand is why OS_process cannot on my system manipulate
>files with the group owner "apache" - even though I have made the "lasso"
>user a member of the "apache" group.

If you're on 10.5, try changing the group on the file to 'staff'.  'lasso' is a member of the group 'staff' on 10.5.  Can't remember what it was on 10.4.

--steve

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>



Re: OS_process authentication

Viaduct Productions
In reply to this post by Jussi Hirvi
Just to move forward with that variable, use the write member tag.  
You can also use a WHILE to grab feedback:

inline(-username = $un, -password = $pw);
        var('goal' = $myString);
        var('p1' = os_process('/bin/dingbat', array($goal)));
        $p1->detach;
        $p1->closeWrite;
        // collect output line by line; an error inside protect exits the loop
        protect; while(true); $myFeedback += '<div class="trouble">' + $p1->readLine + '</div>'; /while; /protect;
        $p1->close;
/inline;



On 27-Feb-09, at 8:41 AM, Jussi Hirvi wrote:

> Here's what I tried:
>   Var: 'myProcess' = (OS_Process: '/bin/ls', (array:'-l','testfile'));
>    Encode_break: $myProcess->Read;
>
>   Var: 'myProcess' = (OS_Process: '/bin/chmod', (array:'777','testfile'));
>    Encode_break: $myProcess->Read;
>
>   Var: 'myProcess' = (OS_Process: '/bin/ls', (array:'-l','testfile'));
>    Encode_break: $myProcess->Read;



Rich in Toronto
...now go get on your bike




Re: OS_process authentication

Jussi Hirvi
In reply to this post by stevepiercy
27.2.2009 17:05 Steve Piercy - Web Site Builder ([hidden email])
wrote:
>> So this kind of proves that OS_process is run by the user "lasso".
>
> Lasso and its tags run as the system user 'lasso'.

I know - and it says explicitly so on the Reference page about OS_process.

>> What I don't understand is why OS_process cannot on my system manipulate
>> files with the group owner "apache" - even though I have made the "lasso"
>> user a member of the "apache" group.
>
> If you're on 10.5, try changing the group on the file to 'staff'.  'lasso' is
> a member of the group 'staff' on 10.5.  Can't remember what it was on 10.4.

I'm on linux. In my system, "lasso" user is by default a member of the
"lasso" group. I joined "lasso" user to the "apache" group as well, to
simplify setting permissions for the www directories.

Now, since "lasso" user belongs to the "apache" group, I suppose Lasso
should be able to access anything Apache can.

Does chmod require write permissions to directories all along the file path?
Haven't tested... and man chmod doesn't seem to tell.

- Jussi

--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. & fax +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
[hidden email] * http://www.greenspot.fi




Re: OS_process authentication

stevepiercy
On Friday, February 27, 2009, [hidden email] (Jussi Hirvi) pronounced:

>>> What I don't understand is why OS_process cannot on my system manipulate
>>> files with the group owner "apache" - even though I have made the "lasso"
>>> user a member of the "apache" group.
>>
>> If you're on 10.5, try changing the group on the file to 'staff'.  'lasso' is
>> a member of the group 'staff' on 10.5.  Can't remember what it was on 10.4.
>
>I'm on linux. In my system, "lasso" user is by default a member of the
>"lasso" group. I joined "lasso" user to the "apache" group as well, to
>simplify setting permissions for the www directories.

From the Lasso Setup Guide for Red Hat Linux:

    Lasso User Note: The Lasso Professional Server installer creates
    a lasso (lowercase) user and group account in Red Hat Linux that
    is used to read, write, and execute files related to Lasso
    Professional Server. This user is installed automatically, and
    no configuration for this user is required. Do not attempt to
    configure or change the settings for this user as it will affect
    the functionality of Lasso Professional Server.

>Now, since "lasso" user belongs to the "apache" group, I suppose Lasso
>should be able to access anything Apache can.

No guarantees.

>Does chmod require write permissions to directories all along the file path?
>Haven't tested... and man chmod doesn't seem to tell.

chmod does not, Lasso does.  If the parent directory of a file has insufficient permissions, then the operation will fail.  You only need to worry about the parent directory permissions.  There's also Lasso Security settings, see my File Permissions guide, this is a recording...  *beep*

--stevebot

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>



Re: OS_process authentication

Anibal Escobar
In reply to this post by Jussi Hirvi
I've gotten the following to work without messing with
permissions:

(OS_Process: '/bin/bash', (array: 'options', 'command line'));

The key is that you process the script through bash, not directly.  
This works on CentOS 4.6.

Anibal

On Feb 27, 2009, at 7:37 AM, Jussi Hirvi wrote:

> Ok, I got forward with this. I first tested with
>     Var: 'myProcess' = (OS_Process: '/bin/pwd');
>
> (pwd shows the current directory)
>
> ..and from the output I found out that the "current" dir is the Lasso Site,
> inside the Lasso\ Professional\ ... etc. etc. folder (why on earth such long
> names??).
>
> Then I made a new subfolder in there, called JussiScripts, and put my new
> script in there. I can now trigger it like this:
>
>     Var: 'myProcess' = (OS_Process: './JussiScripts/MyScript.sh');
>
> The problem is only that I cannot accomplish what I want - to correct
> (chmod) the privileges in the www root directory of this www site. If I try
> that, the www page (supposed to launch the script) hangs.
>
> Apparently the Lasso user does not have enough privileges for chmod.
>
> - Jussi
>
>
> 27.2.2009 13:56 Viaduct Productions ([hidden email])
> wrote:
>> No it's not about compilation.  It's about finding the right
>> os_process way of launching it, as opposed to just calling it.  I'm
>> sure someone will poke in here.
>>
>> Try /bin/bash.
>>
>>
>> On 27-Feb-09, at 6:47 AM, Jussi Hirvi wrote:
>>> I think I'm back to square one: how to trigger my own shell script with
>>> browser? Do I have to compile it to make it work?? I've never done that
>>> before.
>
> --
> Jussi Hirvi * Green Spot
> Topeliuksenkatu 15 C * 00250 Helsinki * Finland
> Tel. & fax +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
> [hidden email] * http://www.greenspot.fi

Re: OS_process authentication

Anibal Escobar
Actually, I'd like to clarify this, it's:

(OS_Process: '/bin/bash', (array: '-c', '/path/to/script arguments'));

From man bash:

When the -c option is present, then commands are read from string.  If  
there are arguments after the string, they are assigned to the
positional parameters, starting with $0.

Anibal

On Feb 27, 2009, at 3:03 PM, Anibal Escobar wrote:

> I've gotten the following to work without messing with
> permissions:
>
> (OS_Process: '/bin/bash', (array: 'options', 'command line'));
>
> The key is that you process the script through bash, not directly.  
> This works on CentOS 4.6.
>
> Anibal

Re: OS_process authentication

Jussi Hirvi
In reply to this post by stevepiercy
27.2.2009 18:02 Steve Piercy - Web Site Builder ([hidden email])
wrote:

> From the Lasso Setup Guide for Red Hat Linux:
>
> Lasso User Note: The Lasso Professional Server installer creates
> a lasso (lowercase) user and group account in Red Hat Linux that
> is used to read, write, and execute files related to Lasso
> Professional Server. This user is installed automatically, and
> no configuration for this user is required. Do not attempt to
> configure or change the settings for this user as it will affect
> the functionality of Lasso Professional Server.
>
>> Now, since "lasso" user belongs to the "apache" group, I suppose Lasso
>> should be able to access anything Apache can.
>
> No guarantees.

If you are hinting at joining "lasso" user to "apache" group would somehow
be illegal, I don't agree... I haven't "configured or changed" the original
setting, I have only added to it. :-) And you recommend this yourself in
your guide that you mentioned:

http://www.stevepiercy.com/lasso_stuff/file_perms.lasso

...which says:

> To fix this dilemma, simply add lasso to the apache group, like so:

Though to make use of that, you should then also advise to set the
permissions for example like this:
    chown myuser:apache
    chmod 770

>> Does chmod require write permissions to directories all along the file path?
>> Haven't tested... and man chmod doesn't seem to tell.
>
> chmod does not, Lasso does.  If the parent directory of a file has
> insufficient permissions, then the operation will fail.  You only need to
> worry about the parent directory permissions.  There's also Lasso Security
> settings, see my File Permissions guide, this is a recording...  *beep*

Ok. The immediately parenting directory is now 777, which certainly is
enough.
And the files themselves are like

-rwxrwx---  1 myuser apache     0 Feb 27 14:39 test.lasso

Still lasso doesn't seem to get in to do the chmod. BUT if I set the
permissions as:

-rwxrwx---  1 lasso apache     0 Feb 27 14:39 test.lasso

Then it works. However, this is not acceptable, since "myuser" needs to
sftp. And apache obviously also needs access.

I don't really see a solution to this...

- Jussi

--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. & fax +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
[hidden email] * http://www.greenspot.fi
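
An added example, not part of any post in this thread: a shell sketch of the classic Unix permission checks behind the results reported above, where writing a file depends on the owner/group/other mode bits while chmod is permitted only to the file's owner or to root. The helper names, the simulated uids and the constructed temp file are assumptions; ACLs, SELinux and Lasso's own security settings are not modelled.

```shell
#!/bin/sh
# Added example (not from the thread): classic Unix DAC checks only.

# file_field N FILE -> Nth column of `ls -lnd` (1=mode string, 3=uid, 4=gid)
file_field() { ls -lnd -- "$2" | awk -v n="$1" '{print $n}'; }

# chmod_allowed UID FILE
# chmod(2) is permitted only to the file's owner or to root (uid 0).
# Group membership plays no part in this decision.
chmod_allowed() {
    [ "$1" -eq 0 ] || [ "$1" -eq "$(file_field 3 "$2")" ]
}

# write_allowed UID "GID..." FILE
# Exactly one permission class applies: owner, else group, else other.
write_allowed() {
    uid=$1 gids=$2 mode=$(file_field 1 "$3")
    [ "$uid" -eq 0 ] && return 0
    if [ "$uid" -eq "$(file_field 3 "$3")" ]; then
        pos=3                      # owner write bit in "-rwxrwxrwx"
    else
        pos=9                      # other write bit, unless a gid matches
        fgid=$(file_field 4 "$3")
        for g in $gids; do [ "$g" -eq "$fgid" ] && pos=6; done
    fi
    [ "$(printf '%s' "$mode" | cut -c"$pos")" = "w" ]
}

# explain UID "GID..." FILE -> prints "write=yes|no chmod=yes|no"
explain() {
    w=no; c=no
    write_allowed "$1" "$2" "$3" && w=yes
    chmod_allowed "$1" "$3" && c=yes
    printf 'write=%s chmod=%s\n' "$w" "$c"
}

# Constructed demo: a mode-770 temp file checked for three simulated users.
demo_file=$(mktemp)
chmod 770 "$demo_file"
owner=$(file_field 3 "$demo_file")
group=$(file_field 4 "$demo_file")
other=$((owner + 1000))            # hypothetical uid that does not own the file
echo "owner:             $(explain "$owner" "$group" "$demo_file")"
echo "group member only: $(explain "$other" "$group" "$demo_file")"
echo "unrelated user:    $(explain "$other" "" "$demo_file")"
rm -f "$demo_file"
```

The "group member only" line corresponds to a user who is in the file's group but does not own the file: the group bits allow writing, yet the mode itself can only be changed by the owner or root.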




Re: OS_process authentication

Jussi Hirvi
In reply to this post by Anibal Escobar
27.2.2009 22:14 Anibal Escobar ([hidden email]) wrote:
> Actually, I'd like to clarify this, it's:
>
> (OS_Process: '/bin/bash', (array: '-c', '/path/to/script arguments'));

In my case that works just the same as

    Var: 'myProcess' = (OS_Process: './path/to/script');

...I don't have any arguments, so I don't know about them.

I still have the problem with permissions, though. In my previous message I
wrote:

> I don't really see a solution to this...

But actually, one elegant solution would be to set the setuid bit on my
script, so as to enable the "lasso" user to run the script as if it were the
owner of the script (root, in this case).

    http://en.wikipedia.org/wiki/Setuid

- Jussi

--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. & fax +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
[hidden email] * http://www.greenspot.fi




Re: OS_process authentication

stevepiercy
In reply to this post by Jussi Hirvi
On Saturday, February 28, 2009, [hidden email] (Jussi Hirvi) pronounced:

>27.2.2009 18:02 Steve Piercy - Web Site Builder ([hidden email])
>wrote:
>>> Now, since "lasso" user belongs to the "apache" group, I suppose Lasso
>>> should be able to access anything Apache can.
>>
>> No guarantees.
>
>If you are hinting at joining "lasso" user to "apache" group would somehow
>be illegal, I don't agree... I haven't "configured or changed" the original
>setting, I have only added to it. :-) And you recommend this yourself in
>your guide that you mentioned:
>
>http://www.stevepiercy.com/lasso_stuff/file_perms.lasso
>
>....which says:
>
>> To fix this dilemma, simply add lasso to the apache group, like so:

That is within the context of MacOS X, not necessarily Linux.  I don't have any idea of the ACLs on Linux, or your system in particular.

I do know that on Linux, adding lasso to the same group as the myuser account, and adding the myuser user to the lasso group, works for me.  Nothing in there about Apache.

-rwxrwx---  1 myuser myuser     0 Feb 27 14:39 test.lasso

--steve

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>



Re: OS_process authentication

Jussi Hirvi
>> And you recommend this yourself in
>> your guide that you mentioned:
>>
>> http://www.stevepiercy.com/lasso_stuff/file_perms.lasso
>>
>> ....which says:
>>
>>> To fix this dilemma, simply add lasso to the apache group, like so:
>
On Feb 28, 2009, at 23:56:43, Steve Piercy - Web Site Builder wrote:
> That is within the context of MacOS X, not necessarily Linux.  I  
> don't have any idea of the ACLs on Linux, or your system in  
> particular.
>
I don't think ACLs have anything to do with this.

        http://en.wikipedia.org/wiki/Access_control_list

I think permission things are much the same both in OS X and Linux,  
only the names may differ a little. (Like on my OS X 10.2, the apache  
user group is "www".)

> I do know that on Linux, adding lasso to the same group as the  
> myuser account, and adding the myuser user to the lasso group,  
> works for me.  Nothing in there about Apache.
>
> -rwxrwx---  1 myuser myuser     0 Feb 27 14:39 test.lasso

So you add "lasso" to group "myuser", and "myuser" to group "lasso".  
You could probably do with only one of those two operations.

I didn't realize that even
> -rwxrwx---  1 myuser lasso     0 Feb 27 14:39 test.lasso
>

works, if the site has a Lasso handler (in the Apache conf). I always  
thought Apache needs access too. Good to know.

- Jussi

