英文:
Linux make a new user and allow to access specific process and specific working directory
问题
我正在尝试制作一个Web C++编译器。现在我陷入了网站安全问题。我可以运行system("whoami");和其他恶意命令在服务器上运行。我正在寻找一种避免这种情况的方法。
- 网站将用户编写的代码发送到PHP后端服务器
- PHP服务器创建main.cpp文件并将代码写入其中。
- PHP运行shell_exec来将main.cpp编译为.exe:
sudo g++ main.cpp -o compiled.exe
通过修改sudoers文件实现了这一点,添加了:www-data ALL=(ALL) NOPASSWD: ALL
是的,它只能与sudo命令一起使用,因为PHP用户无法访问g++?
如果我不使用sudo运行命令,我会得到这个错误:
> g++: fatal error: cannot execute 'cc1plus': execvp: No such file or directory
compilation terminated.
我尝试使用shell_exec("whoami");
检查它,它返回给我www-data。如何允许www-data访问g++进程而无需sudo?
最好在不使用sudo命令的情况下解决这个问题。接下来的问题,我可以用C++编写代码,打印出服务器的所有目录/文件。我想我需要创建一个新用户,只允许该用户访问特定的主目录,并允许仅运行g++?我读到可以使用chroot来实现,但我对服务器和配置一窍不通。
我在网上找到了关于允许特定用户仅访问X文件夹的信息,但没有找到如何允许使用g++的方法。提前感谢您的任何帮助,对我的糟糕英语感到抱歉
想法:
- 用户在网站上注册
- PHP在系统(Linux)中创建coder-1(coder-id)用户
- PHP创建/var/www/site/builds/1目录。
- 需要允许coder-1用户只能访问/builds/1目录和**g++**进程,以编译将保存到此目录中的代码。
英文:
I am trying to make a web C++ compiler. Now I am stuck into a security issue of my website. I can run system("whoami"); and other malicious commands from my website to be runned on server. I am looking for a way to avoid that.
- Website sends user written code to PHP back end server
- PHP Server creates main.cpp file and writes code into.
- PHP runs shell_exec to compile main.cpp into .exe:
sudo g++ main.cpp -o compiled.exe
It was achieved by modifying sudoers file by adding: www-data ALL=(ALL) NOPASSWD: ALL
Yeah, it works only with sudo command, because PHP-user don't have access to g++?
If I run command without sudo, I got this error:
> g++: fatal error: cannot execute 'cc1plus': execvp: No such file or directory
compilation terminated.
I tried to check it with shell_exec("whoami");
, and ir returns me www-data. How can I allow www-data to access g++ process without a sudo?
Would be nice to solve that without using sudo command. And next problem, I can write code in C++ which prints all directories/files of my server. I think I need to make a new user and allow to access only specific home directory for that user and allow to run only g++? I readed it can be done with chroot, but I am green with servers and configurations.
I found info on the net how to allow specific user to access only X folder, but not found how to allow to use g++ also. Thanks in advance for any help and sorry for my bad English
Idea:
- User registers on website
- PHP creates coder-1 (coder-id) user in system (linux)
- PHP creates /var/www/site/builds/1 directory.
- Need to allow coder-1 user to access only /builds/1 directory and g++ process to compile code which will be saved into this directory.
答案1
得分: 1
-
创建一个名为gcc_compile的新组(任何你想要的名字)
-
检查g++路径
which g++
输出:/usr/bin/g++
- 检查权限:
ls -ld /usr/bin/g++
输出:-rwxr-xr-x 4 root root 772704 Sep 30 2020 /usr/bin/g++
-
为gcc_compile添加权限
chown root:gcc_compile /usr/bin/g++
-
为路径添加权限
chown php:gcc_compile /var/www/site/builds/1
-
将PHP用户添加到gcc_compile组中。
希望这可以解决问题。
英文:
Here are my suggestions
1.Create a new group called gcc_compile (whatever name you want)
2.Check the g++ path which g++
Output: /usr/bin/g++
3.Check permission: ls -ld /usr/bin/g++
Output: -rwxr-xr-x 4 root root 772704 Sep 30 2020 /usr/bin/g++
-
Add permission for gcc_compile
chown root:gcc_compile /usr/bin/g++
-
Add permission to path
chown php:gcc_compile /var/www/site/builds/1
-
Add PHP users into gcc_compile group.
I Hope this works.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论