running exec

Posted: Mon Jan 16, 2017 9:50 am
by faris
I've recently set up a particular script and associated bits and bobs and eventually got it to work.

Then it hit me, hard, that it should NOT have worked. Or at least I don't think it should have.

I have a site running with php 5.6 (php-fpm mode)

In /httpdocs there's a file we'll call "file.fcgi" which has standard perms and owner (ftpuser) and contains:

Code:

    #!/bin/sh
    exec /opt/directory/somefile_cgi

/opt/directory/somefile_cgi is actually a perl script and is world executable.

And as I say, it works. Accessing domain.tld/file.fcgi causes the perl script to run.

How is this possible? I realise the somefile_cgi is world executable. But how is ftpuser able to run "exec"?
Shell access is disabled for this user. I've checked /etc/passwd and the shell is /bin/false for the particular ftpuser.

Re: running exec

Posted: Tue Jan 17, 2017 9:27 am
by prupert
> How is this possible? I realise the somefile_cgi is world executable. But how is ftpuser able to run "exec"?
> Shell access is disabled for this user. I've checked /etc/passwd and the shell is /bin/false for the particular ftpuser.

This only prevents the user from being able to log in to a shell. It does not forbid programs from running with the privileges of that user, if your system starts them.

You have configured your web server to start a program ("file.fcgi"), and it will run that program. This is what happens. If you want to prevent that from happening, just don't configure your web server to run this program! ;-)
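
Added example, not part of the thread or any poster's code: an audit helper that lists executable scripts under a web root owned by accounts whose passwd shell is /bin/false or nologin, together with the interpreter named on each script's #! line. The function name, the output format and the demo fixture (a throwaway passwd file and docroot that reuse the current uid) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The passwd shell field is read by
# login programs only; when something else starts a script, the kernel runs
# the interpreter named on its #! line, whatever the owner's passwd shell is.

# list_noshell_scripts PASSWD_FILE DOCROOT   (hypothetical helper name)
# Output per hit: <account> <passwd shell> <script path> <#! interpreter>
list_noshell_scripts() {
    passwd_file=$1
    docroot=$2
    # passwd fields: name:password:uid:gid:gecos:home:shell
    awk -F: '$7 ~ /\/(false|nologin)$/ { print $1, $3, $7 }' "$passwd_file" |
    while read -r name uid shell; do
        # Owner-executable regular files that belong to this uid
        find "$docroot" -type f -user "$uid" -perm -100 2>/dev/null |
        while IFS= read -r path; do
            first=$(head -n 1 "$path" | tr -d '\000')
            case $first in
                '#!'*) printf '%s %s %s %s\n' \
                           "$name" "$shell" "$path" "${first#??}" ;;
            esac
        done
    done
}

# Constructed demo: temporary passwd file and docroot mirroring the thread's
# file.fcgi. The entry reuses the current uid so the ownership test matches.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'ftpuser:x:%s:%s::/home/ftpuser:/bin/false\n' \
        "$(id -u)" "$(id -g)" > "$tmp/passwd"
    mkdir "$tmp/httpdocs"
    printf '#!/bin/sh\nexec /opt/directory/somefile_cgi\n' \
        > "$tmp/httpdocs/file.fcgi"
    chmod 755 "$tmp/httpdocs/file.fcgi"
    list_noshell_scripts "$tmp/passwd" "$tmp/httpdocs"
    rm -rf "$tmp"
}

demo
```

On a real host the arguments would be /etc/passwd and the site's document root; each line of output is a program the web server can start with that account's privileges.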

Re: running exec

Posted: Tue Jan 17, 2017 10:17 pm
by faris
Are you saying disallow fcgi file processing?

I'd have to remove /etc/httpd/conf.d/mod_fcgid.conf.
Won't that break .... lots of things?