Linux创建新用户并允许访问特定进程和特定工作目录。

huangapple go评论64阅读模式
英文:

Linux make a new user and allow to access specific process and specific working directory

问题

我正在尝试制作一个Web C++编译器。现在我陷入了网站安全问题。我可以运行system("whoami");和其他恶意命令在服务器上运行。我正在寻找一种避免这种情况的方法。

  1. 网站将用户编写的代码发送到PHP后端服务器
  2. PHP服务器创建main.cpp文件并将代码写入其中。
  3. PHP运行shell_exec来将main.cpp编译为.exe:

sudo g++ main.cpp -o compiled.exe

通过修改sudoers文件实现了这一点,添加了:www-data ALL=(ALL) NOPASSWD: ALL

是的,它只能与sudo命令一起使用,因为PHP用户无法访问g++?

如果我不使用sudo运行命令,我会得到这个错误:

> g++: fatal error: cannot execute 'cc1plus': execvp: No such file or directory
compilation terminated.

我尝试使用shell_exec("whoami");检查它,它返回给我www-data。如何允许www-data访问g++进程而无需sudo?

最好在不使用sudo命令的情况下解决这个问题。接下来的问题,我可以用C++编写代码,打印出服务器的所有目录/文件。我想我需要创建一个新用户,只允许该用户访问特定的主目录,并允许仅运行g++?我读到可以使用chroot来实现,但我对服务器和配置一窍不通。

我在网上找到了关于允许特定用户仅访问X文件夹的信息,但没有找到如何允许使用g++的方法。提前感谢您的任何帮助,对我的糟糕英语感到抱歉 Linux创建新用户并允许访问特定进程和特定工作目录。

想法:

  1. 用户在网站上注册
  2. PHP在系统(Linux)中创建coder-1(coder-id)用户
  3. PHP创建/var/www/site/builds/1目录。
  4. 需要允许coder-1用户只能访问/builds/1目录和**g++**进程,以编译将保存到此目录中的代码。
英文:

I am trying to make a web C++ compiler. Now I am stuck into a security issue of my website. I can run system("whoami"); and other malicious commands from my website to be runned on server. I am looking for a way to avoid that.

  1. Website sends user written code to PHP back end server
  2. PHP Server creates main.cpp file and writes code into.
  3. PHP runs shell_exec to compile main.cpp into .exe:

sudo g++ main.cpp -o compiled.exe

It was achieved by modifying sudoers file by adding: www-data ALL=(ALL) NOPASSWD: ALL

Yeah, it works only with sudo command, because PHP-user don't have access to g++?

If I run command without sudo, I got this error:

> g++: fatal error: cannot execute 'cc1plus': execvp: No such file or directory
compilation terminated.

I tried to check it with shell_exec("whoami");, and ir returns me www-data. How can I allow www-data to access g++ process without a sudo?

Would be nice to solve that without using sudo command. And next problem, I can write code in C++ which prints all directories/files of my server. I think I need to make a new user and allow to access only specific home directory for that user and allow to run only g++? I readed it can be done with chroot, but I am green with servers and configurations.

I found info on the net how to allow specific user to access only X folder, but not found how to allow to use g++ also. Thanks in advance for any help and sorry for my bad English Linux创建新用户并允许访问特定进程和特定工作目录。

Idea:

  1. User registers on website
  2. PHP creates coder-1 (coder-id) user in system (linux)
  3. PHP creates /var/www/site/builds/1 directory.
  4. Need to allow coder-1 user to access only /builds/1 directory and g++ process to compile code which will be saved into this directory.

答案1

得分: 1

  1. 创建一个名为gcc_compile的新组(任何你想要的名字)

  2. 检查g++路径 which g++

输出:/usr/bin/g++

  1. 检查权限:ls -ld /usr/bin/g++

输出:-rwxr-xr-x 4 root root 772704 Sep 30 2020 /usr/bin/g++

  1. 为gcc_compile添加权限
    chown root:gcc_compile /usr/bin/g++

  2. 为路径添加权限 chown php:gcc_compile /var/www/site/builds/1

  3. 将PHP用户添加到gcc_compile组中。

希望这可以解决问题。

英文:

Here are my suggestions

1.Create a new group called gcc_compile (whatever name you want)

2.Check the g++ path which g++

Output: /usr/bin/g++

3.Check permission: ls -ld /usr/bin/g++

Output: -rwxr-xr-x 4 root root 772704 Sep 30 2020 /usr/bin/g++

  1. Add permission for gcc_compile
    chown root:gcc_compile /usr/bin/g++

  2. Add permission to path chown php:gcc_compile /var/www/site/builds/1

  3. Add PHP users into gcc_compile group.

I Hope this works.

huangapple
  • 本文由 发表于 2023年4月19日 16:42:42
  • 转载请务必保留本文链接:https://go.coder-hub.com/76052443.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定