How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

19 messages

How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

Okupandolared
I would like to receive POST variables and send them to a KSH script.

But it seems that in OpenBSD 5.6 with php-fpm,

exec() and shell_exec() are not working.

Could anyone help me?

This link explains in detail what I've tried.

http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec

thanks


Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

Zé Loff-2
On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote:

If the server is chrooted at "/var/www" then "/usr/bin/whoami" (from the
server's point of view) actually means "/var/www/usr/bin/whoami" (from
your point of view). Does that file exist?

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

kanzer
It does not exist,

so can I copy /usr/bin/whoami to /var/www/usr/bin/whoami?

I tried "ls", "/bin/ls" and "/var/www/bin/ls"

and it does not work,
"/bin/ls" exists
"/var/www/bin/ls" exists

thanks

On 05/31/15 19:43, Zé Loff wrote:

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

dan mclaughlin
On Sun, 31 May 2015 22:20:17 -0500 Okupandolared <[hidden email]> wrote:

have you tried to copy /bin/sh to /var/www/bin/sh?

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

Josh Grosse
On Mon, Jun 01, 2015 at 04:45:01AM -0400, dan mclaughlin wrote:

Also, in a chrooted filesystem, every dynamically linked executable needs access
to ld.so and its shared libraries.  Which means /var/www/usr/lib and
/var/www/usr/libexec will need files populated -- every binary file should be
checked with ldd(1) to ensure required libraries are made available.

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

Josh Grosse
Corrected for typos.  What I'd just Emailed was without any coffee...

On Mon, Jun 01, 2015 at 06:05:28AM -0400, Josh Grosse wrote:

> Also, in a chrooted filesystem, every dynamically linked executable needs access
>  to ld.so and its shared libraries.  Which means /var/www/usr/lib and
> /var/www/usr/libexec will need files populated -- every binary file should be
> checked with ldd(1) to ensure required libraries are made available.

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

dan mclaughlin
On Mon, 1 Jun 2015 06:05:28 -0400 Josh Grosse <[hidden email]> wrote:

That reminds me, I did a write-up on chrooting programs here:
https://marc.info/?l=openbsd-misc&m=142676615612510&w=2

Although it got into more, the basics of setting up a chroot jail are there.

I also have a script that adds a binary and its dependencies automatically.
I'll have to post it later, since I've actually been meaning to recently.
Just have to make a few adjustments for portability.
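
Putting the chroot advice from this thread together, here is an added example (my own, not dan's script and not code from the thread): a small POSIX sh tool that copies a binary into a chroot such as /var/www along with every object OpenBSD's ldd(1) reports for it. Two points from the replies are worth making explicit: PHP's exec() and shell_exec() run the command through /bin/sh -c, so the chroot needs /bin/sh before any other binary matters; and OpenBSD's /bin and /sbin programs are statically linked, so ldd reports nothing for them, while /usr/bin programs such as whoami pull in libc and /usr/libexec/ld.so. The parser assumes OpenBSD's ldd column layout (object type in the third column, path in the last); the embedded sample output is constructed, and its library version numbers are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread: populate a chroot (e.g. /var/www)
# with a binary plus everything OpenBSD's ldd(1) reports for it.
# Assumes OpenBSD ldd output: a header line, then one line per object with
# the type in column 3 and the path in the last column.
set -e

# Constructed sample of what `ldd /usr/bin/whoami` prints on OpenBSD
# (addresses zeroed, library version numbers illustrative).
SAMPLE_LDD='/usr/bin/whoami:
        Start            End              Type  Open Ref GrpRef Name
        0000000000000000 0000000000000000 exe   1    0   0      /usr/bin/whoami
        0000000000000000 0000000000000000 rlib  0    1   0      /usr/lib/libc.so.77.0
        0000000000000000 0000000000000000 ld.so 0    1   0      /usr/libexec/ld.so'

# ldd_deps: read ldd output on stdin, print one path per line for every
# shared object and the dynamic loader. The "exe" line is the binary itself
# and is skipped; a statically linked program (OpenBSD's /bin and /sbin)
# yields no lines at all.
ldd_deps() {
    awk '$3 == "rlib" || $3 == "dlib" || $3 == "ld.so" { print $NF }'
}

# copy_into ROOT FILE...: copy each absolute FILE to ROOT/FILE, creating the
# directory and preserving mode and times. Relative paths are refused so a
# stray "../" can never place a file outside ROOT.
copy_into() {
    root=$1; shift
    for f in "$@"; do
        case $f in
            /*) ;;
            *) echo "copy_into: refusing non-absolute path '$f'" >&2; return 1 ;;
        esac
        mkdir -p "$root$(dirname "$f")"
        cp -p "$f" "$root$f"
    done
}

# chroot_add_binary ROOT BIN...: copy each binary and its dependencies.
chroot_add_binary() {
    root=$1; shift
    for bin in "$@"; do
        copy_into "$root" "$bin"
        # ldd complains (on stderr) about a static binary; that just means
        # there is nothing else to copy.
        deps=$(ldd "$bin" 2>/dev/null | ldd_deps)
        if [ -n "$deps" ]; then
            copy_into "$root" $deps   # unquoted on purpose: one path per word
        fi
    done
}

# Run as root. PHP's exec()/shell_exec() go through /bin/sh -c, so /bin/sh
# is the first thing the chroot needs, before whoami or the user's own script:
#   chroot_add_binary /var/www /bin/sh /usr/bin/whoami
if [ $# -ge 2 ]; then
    chroot_add_binary "$@"
fi
```

After populating the jail, re-run ldd on each copied binary from inside the chroot (chroot /var/www /usr/bin/ldd /usr/bin/whoami) to confirm nothing is still missing; a library that ldd lists but that was not copied is exactly the silent failure shell_exec() reports as empty output.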

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

Gareth Nelson
Everyone is missing the bigger picture here:

Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea
and things should be redesigned so that it's not needed.

---
“Lanie, I’m going to print more printers. Lots more printers. One for
everyone. That’s worth going to jail for. That’s worth anything.” -
Printcrime by Cory Doctorow

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

On Mon, Jun 1, 2015 at 1:47 PM, dan mclaughlin <[hidden email]>
wrote:

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

kanzer
Hi,

I have a web form.

I need to send the web form to a bash script.

webform.html --> PHP process --> create.sh

create.sh
#!/bin/ksh
# Create user

echo "hi!! your pass $1"
crypted="$(echo -n "$1" | smtpctl encrypt )"
maildir="$3/$2/"
echo -e "$2@$3" >> recipients
echo -e "$2@$3\t$crypted" >> credentials
echo "ejabberdctl register $2 $3 $1"
echo "INSERT INTO mails (userid, domain, password, maildir) VALUES
('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -pmypass mail;

example php
<?php
function antiyec($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}
$user = antiyec($_POST['user']);
$frase1 = antiyec($_POST['pass']);
$domain = antiyec($_POST['dom']);

$out = shell_exec("ksh create.sh $frase1 $user $domain");
echo "<pre>$out</pre>";
?>


On 06/01/15 08:50, Gareth Nelson wrote:

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

Jiri B-2
On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:

Hoho, it won't run in the chroot, smtpd doesn't have its socket
in the chroot, same for ejabberdctl.

You need to have some lightweight communication
"protocol" between chroot and an app outside which would
sanitize input and do the work.

j.

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

Florian Obser
On 01/06/15 18:49, Okupandolared wrote:

> Hi,
>
> I have an web form.
>
> I need send of webform to script bash
>
> webform.html --> PHP proces --> create.sh
>
> create.sh
> #!/bin/ksh
> # Create user
>
> echo "hi!! your pass $1"
> crypted="$(echo -n "$1" | smtpctl encrypt )"
> maildir="$3/$2/"
> echo -e "$2@$3" >> recipients
> echo -e "$2@$3\t$crypted" >> credentials
> echo "ejabberdctl register $2 $3 $1"
> echo "INSERT INTO mails (userid, domain, password, maildir) VALUES
> ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail;
>
> example php
> <?php
> function antiyec($data) {
>   $data = trim($data);
>   $data = stripslashes($data);
>   $data = htmlspecialchars($data);
>   return $data;
> }
> $user = antiyec($_POST['user']);
> $frase1 = antiyec($_POST['pass']);
> $domain = antiyec($_POST['dom']);
>
> $out = shell_exec('ksh create.sh $frase1 $user $domain');
> echo "<pre>$out</pre>";
> ?>
>

Can't tell if trolling or just stupid.

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

Gareth Nelson
Why on earth are you using the shell to insert into MySQL?

I would redesign this whole setup under the guidance of someone more
experienced, to be honest; there are MANY mistakes you're making here, and
thus likely other mistakes.

On Mon, Jun 1, 2015 at 4:05 PM, Jiri B <[hidden email]> wrote:

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

kanzer
Really, I could use PHP to insert into MySQL,

but I need to run ejabberdctl and smtpctl,

so I thought I would do everything from bash.

I have no idea how I could call smtpctl from PHP; maybe I'll go and look at
Python.

On 06/01/15 10:09, Gareth Nelson wrote:

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

Gareth Nelson
my domain is:
',); DROP mails;--

Sanitise your inputs

On Mon, Jun 1, 2015 at 6:16 PM, Okupandolared <[hidden email]> wrote:

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

kanzer
This was an example I wrote for this email; it really is not implemented anywhere.

But thanks for the observation.

If I decide to put it online, what do you think of this security issue?

On 06/01/15 10:20, Gareth Nelson wrote:

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

Sebastien Marie
Hi,

Just to report how bad an idea it is... at least two SQL injections and
one shell injection in your files.

On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:

> Hi,
>
> I have an web form.
>
> I need send of webform to script bash
>
> webform.html --> PHP proces --> create.sh
>
> create.sh
> #!/bin/ksh
> # Create user
>
> echo "hi!! your pass $1"
> crypted="$(echo -n "$1" | smtpctl encrypt )"
> maildir="$3/$2/"
> echo -e "$2@$3" >> recipients
> echo -e "$2@$3\t$crypted" >> credentials
> echo "ejabberdctl register $2 $3 $1"
> echo "INSERT INTO mails (userid, domain, password, maildir) VALUES
> ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -pmypass mail;

SQL injection on $2 and $3, as "'" isn't escaped by the antiyec function

> example php
> <?php
> function antiyec($data) {
>   $data = trim($data);
>   $data = stripslashes($data);
>   $data = htmlspecialchars($data);
>   return $data;
> }
> $user = antiyec($_POST['user']);
> $frase1 = antiyec($_POST['pass']);
> $domain = antiyec($_POST['dom']);
>
> $out = shell_exec("ksh create.sh $frase1 $user $domain");

Shell injection on the user, pass and dom variables, as ";" isn't escaped by
the antiyec function

> echo "<pre>$out</pre>";
> ?>
>
>
> On 06/01/15 08:50, Gareth Nelson wrote:
> > Everyone is missing the bigger picture here:
> >
> > Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea
> > and things should be redesigned so that it's not needed.
> >

Yes, it is a bad idea.
--
Sébastien Marie
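
The two injections Sébastien and Gareth point out have one cause: a command line and an SQL statement are assembled from raw form fields, and antiyec() only HTML-escapes, which neither a shell nor MySQL cares about. As an added example that is not the thread's create.sh, this is the same user-creation script rewritten so that the user and domain arguments must match a whitelist before anything is built from them (the actual fix for the shell injection; escapeshellarg() would be the PHP-side counterpart, and proc_open() with a stdin pipe is how PHP would feed the password without putting it in argv), the password is read from stdin rather than the command line, the INSERT is built only from validated and quoted values, and the MySQL password comes from an option file instead of -p on the command line. The option-file path /etc/mail-db.cnf is a hypothetical assumption, as is the availability of smtpctl, ejabberdctl and mysql from wherever this runs; create_user only executes when the script is invoked with two arguments.

```shell
#!/bin/sh
# Added example, not the thread's create.sh: the same steps with both
# arguments validated before use, the password on stdin instead of argv,
# and the MySQL password taken from an option file.
# Assumptions: /etc/mail-db.cnf (hypothetical path) holds a [client] section
# with user/password; smtpctl, ejabberdctl and mysql are reachable here.
set -e
export LC_ALL=C   # make the [a-z] ranges below mean ASCII only

# valid_user LOCALPART: lower-case letters, digits, . _ and -; must start with
# a letter or digit; at most 32 characters. A whitelist is the real fix for
# both injections: nothing a shell or MySQL treats specially can get through.
valid_user() {
    case $1 in
        ""|*[!a-z0-9._-]*|[._-]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# valid_domain NAME: labels of letters, digits and '-', joined by single dots,
# no leading/trailing dot or dash, at least one dot, at most 253 characters.
valid_domain() {
    case $1 in
        ""|*[!a-z0-9.-]*|[.-]*|*[.-]|*..*|*.-*|*-.*) return 1 ;;
        *.*) ;;
        *) return 1 ;;
    esac
    [ ${#1} -le 253 ]
}

# sql_quote VALUE: defence in depth for the statement built below. Doubles
# any embedded single quote (standard SQL, accepted by MySQL) and wraps the
# value in quotes. The whitelist already rejects quotes in user and domain.
sql_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# build_insert USER DOMAIN CRYPTED: print the INSERT statement, or print
# nothing and return 1 when USER or DOMAIN fails validation.
build_insert() {
    user=$1 domain=$2 crypted=$3
    valid_user "$user" && valid_domain "$domain" || return 1
    printf 'INSERT INTO mails (userid, domain, password, maildir) VALUES (%s, %s, %s, %s);\n' \
        "$(sql_quote "$user")" "$(sql_quote "$domain")" \
        "$(sql_quote "$crypted")" "$(sql_quote "$domain/$user/")"
}

# create_user USER DOMAIN: the password is read from stdin. argv is visible
# to every local user via ps(1), so the original's "your pass $1" echo and
# "-pmypass" both leaked secrets. ejabberdctl only accepts the password as
# an argument, so that one call still exposes it briefly; it is quoted so
# the shell can never split it.
create_user() {
    user=$1 domain=$2
    if ! valid_user "$user" || ! valid_domain "$domain"; then
        echo "create_user: rejected user or domain" >&2
        return 1
    fi
    IFS= read -r pass
    crypted=$(printf '%s' "$pass" | smtpctl encrypt)
    printf '%s@%s\n' "$user" "$domain" >> recipients
    printf '%s@%s\t%s\n' "$user" "$domain" "$crypted" >> credentials
    ejabberdctl register "$user" "$domain" "$pass"
    build_insert "$user" "$domain" "$crypted" |
        mysql --defaults-extra-file=/etc/mail-db.cnf mail
}

# Usage: printf '%s\n' "$password" | ./create.sh alice example.org
if [ $# -eq 2 ]; then
    create_user "$@"
fi
```

With this in place Gareth's domain of `',); DROP mails;--` and a user of `alice; id` are rejected before any command or query exists, which is the property to test for rather than trying to enumerate every character the shell or MySQL might interpret. None of this changes Jiri's point: smtpctl and ejabberdctl are still unreachable from inside the /var/www chroot, so the script itself has to run outside it.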

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

kanzer
Thank you all for the support,

I'll think about another way, as well as sanitizing my form.

Maybe Python, outside the chroot.

Thanks again

On 06/01/15 10:21, Sebastien Marie wrote:

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

Gareth Nelson
If you made these mistakes you'll have made others - get guidance from
someone who knows what they're doing and have them audit your whole system.

On Mon, Jun 1, 2015 at 6:31 PM, Okupandolared <[hidden email]> wrote:

> thank you all for the support,
>
> I think in another way, as well sanitize my form.
>
> maybe python goes outside the chroot.
>
> Thanks again
>
> On 06/01/15 10:21, Sebastien Marie wrote:
> > Hi,
> >
> > Just to report how it is a bad idea... at least two sql injection and
> > one shell injection in your files.
> >
> > On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:
> >> Hi,
> >>
> >> I have an web form.
> >>
> >> I need send of webform to script bash
> >>
> >> webform.html --> PHP proces --> create.sh
> >>
> >> create.sh
> >> #!/bin/ksh
> >> # Create user
> >>
> >> echo "hi!! your pass $1"
> >> crypted="$(echo -n "$1" | smtpctl encrypt )"
> >> maildir="$3/$2/"
> >> echo -e "$2@$3" >> recipients
> >> echo -e "$2@$3\t$crypted" >> credentials
> >> echo "ejabberdctl register $2 $3 $1"
> >> echo "INSERT INTO mails (userid, domain, password, maildir) VALUES
> >> ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail;
> >
> > sql injection on $2 and $3 as "'" isn't escaped by antiyec function
> >
> >> example php
> >> <?php
> >> function antiyec($data) {
> >>   $data = trim($data);
> >>   $data = stripslashes($data);
> >>   $data = htmlspecialchars($data);
> >>   return $data;
> >> }
> >> $user = antiyec($_POST['user']);
> >> $frase1 = antiyec($_POST['pass']);
> >> $domain = antiyec($_POST['dom']);
> >>
> >> $out = shell_exec('ksh create.sh $frase1 $user $domain');
> >
> > shell injection on user, pass and dom variables, as ";" isn't escaped by
> > the antiyec function
> >
> >> echo "<pre>$out</pre>";
> >> ?>
> >>
> >>
> >> On 06/01/15 08:50, Gareth Nelson wrote:
> >>> Everyone is missing the bigger picture here:
> >>>
> >>> Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea
> >>> and things should be redesigned so that it's not needed.
> >>>
> >
> > yes it is a bad idea.

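The form handler with both injections Sebastien Marie points out closed, as an added example that is not code from the thread: the password is fed to smtpctl on stdin so no user data reaches a command line, and the INSERT becomes a prepared statement. It assumes PHP 7.1+ with PDO, the "mails" table from create.sh, that smtpctl is reachable from php-fpm's chroot, and uses placeholder database credentials.

```php
<?php
// Added example, not code from the thread: the same form handler with the
// shell and SQL injections removed. Assumes PHP >= 7.1 with PDO, the "mails"
// table from create.sh, and that smtpctl is reachable from php-fpm's chroot.

function require_match(string $value, string $pattern): string {
    // Allowlist validation: reject anything outside the expected alphabet.
    if (!preg_match($pattern, $value)) {
        http_response_code(400);
        exit('invalid input');
    }
    return $value;
}

$user   = require_match($_POST['user'] ?? '', '/^[a-z0-9][a-z0-9._-]{0,63}$/');
$domain = require_match($_POST['dom']  ?? '', '/^[a-z0-9][a-z0-9.-]{0,252}$/');
$pass   = $_POST['pass'] ?? '';
if (strlen($pass) < 8) {
    http_response_code(400);
    exit('password too short');
}

// Hash the password with the same tool create.sh used, but feed it on stdin:
// the command line contains no user data, so there is nothing to escape, and
// the password never appears in ps(1) output.
$proc = proc_open('smtpctl encrypt', [0 => ['pipe', 'r'], 1 => ['pipe', 'w']], $pipes);
if (!is_resource($proc)) {
    exit('cannot run smtpctl');
}
fwrite($pipes[0], $pass);
fclose($pipes[0]);
$crypted = trim(stream_get_contents($pipes[1]));
fclose($pipes[1]);
if (proc_close($proc) !== 0 || $crypted === '') {
    exit('encrypt failed');
}

// Prepared statement instead of interpolating into the INSERT: a "'" in
// $user or $domain can no longer change the query's structure.
// DB_PASSWORD_PLACEHOLDER is a placeholder, not a value from the thread.
$pdo = new PDO('mysql:host=localhost;dbname=mail', 'myuser', 'DB_PASSWORD_PLACEHOLDER',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare(
    'INSERT INTO mails (userid, domain, password, maildir) VALUES (?, ?, ?, ?)'
);
$stmt->execute([$user, $domain, $crypted, "$domain/$user/"]);

// If create.sh still has to be called, wrap every argument in escapeshellarg(),
// e.g. shell_exec('ksh create.sh ' . escapeshellarg($user) . ...).
echo '<pre>' . htmlspecialchars("created $user@$domain") . '</pre>';
```
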

Re: How does it work, shell_exec and exec of php-fpm in OpenBSD 5.6?

Zé Loff-2
In reply to this post by kanzer
On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote:

> Hi,
>
> I have a web form.
>
> I need to send the webform to a bash script
>
> webform.html --> PHP process --> create.sh
>
> create.sh
> #!/bin/ksh
> # Create user
>
> echo "hi!! your pass $1"
> crypted="$(echo -n "$1" | smtpctl encrypt )"
> maildir="$3/$2/"
> echo -e "$2@$3" >> recipients
> echo -e "$2@$3\t$crypted" >> credentials
> echo "ejabberdctl register $2 $3 $1"
> echo "INSERT INTO mails (userid, domain, password, maildir) VALUES
> ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -pmypass mail;
>
> example php
> <?php
> function antiyec($data) {
>   $data = trim($data);
>   $data = stripslashes($data);
>   $data = htmlspecialchars($data);
>   return $data;
> }
> $user = antiyec($_POST['user']);
> $frase1 = antiyec($_POST['pass']);
> $domain = antiyec($_POST['dom']);
>
> $out = shell_exec("ksh create.sh $frase1 $user $domain");
> echo "<pre>$out</pre>";
> ?>

If you have MySQL as a backend for your email accounts, you can just do
the same with ejabberd. And after that, there is no reason why you can't
do the whole thing in PHP alone.

But as everyone pointed out, you need to do some serious reading and/or
get someone who knows how to set this up properly.


> On 06/01/15 08:50, Gareth Nelson wrote:
> > Everyone is missing the bigger picture here:
> >
> > Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea
> > and things should be redesigned so that it's not needed.
> >
> > ---
> > “Lanie, I’m going to print more printers. Lots more printers. One for
> > everyone. That’s worth going to jail for. That’s worth anything.” -
> > Printcrime by Cory Doctrow
> >
> > Please avoid sending me Word or PowerPoint attachments.
> > See http://www.gnu.org/philosophy/no-word-attachments.html
> >
> > On Mon, Jun 1, 2015 at 1:47 PM, dan mclaughlin <[hidden email]>
> > wrote:
> >
> >> On Mon, 1 Jun 2015 06:05:28 -0400 Josh Grosse <[hidden email]>
> >> wrote:
> >>> On Mon, Jun 01, 2015 at 04:45:01AM -0400, dan mclaughlin wrote:
> >>>> On Sun, 31 May 2015 22:20:17 -0500 Okupandolared <[hidden email]>
> >> wrote:
> >>>>> does not exist,
> >>>>>
> >>>>> so I can copy /usr/bin/whoami to /var/www/usr/bin/whoami?
> >>>>>
> >>>>> I tried "ls" and "/bin/ls" and "/var/www/bin/ls"
> >>>>>
> >>>>> and it does not work,
> >>>>> "/bin/ls" exists
> >>>>> "/var/www/bin/ls" exists
> >>>>>
> >>>>> thanks
> >>>>>
> >>>>> On 05/31/15 19:43, Zi Loff wrote:
> >>>>>> On Sun, May 31, 2015 at 09:35:36PM -0500, Okupandolared wrote:
> >>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
> >>>>>>> Hash: SHA256
> >>>>>>>
> >>>>>>> I'd like to receive POST variables and send them to a KSH script.
> >>>>>>>
> >>>>>>> But it seems that in OpenBSD 5.6 with php-fpm,
> >>>>>>>
> >>>>>>> exec() and shell_exec() are not working.
> >>>>>>>
> >>>>>>> Could anyone help me?
> >>>>>>>
> >>>>>>> This link explains in detail what I've tried.
> >>>>>>>
> >>>>>>>
> >>
> > http://serverfault.com/questions/695703/php-fpm-does-not-work-me-exec-or-shell-exec
> >>>>>>>
> >>>>>>> thanks
> >>>>>>
> >>>>>> If the server is chrooted at "/var/www" then "/usr/bin/whoami" (from the
> >>>>>> server's point of view) actually means "/var/www/usr/bin/whoami" (from
> >>>>>> your point of view). Does that file exist?
> >>>>>
> >>>>
> >>>> have you tried to copy /bin/sh to /var/www/bin/sh?
> >>>
> >>> Also, in a chrooted filesystem, every dynamically linked executable needs access
> >>> to ld.so and its shared libraries.  Which means /var/www/usr/lib and
> >>> /var/www/usr/libexec will need files populated -- every binary file should be
> >>> checked with ldd(1) to ensure required libraries are made available.
> >>> shared libraries.  Each program should
> >>
> >> that reminds me, i did a write up on chrooting programs here:
> >> https://marc.info/?l=openbsd-misc&m=142676615612510&w=2
> >>
> >> although it got into more, the basics of setting up a chroot jail are
> >> there.
> >>
> >> i also have a script that adds a binary and its dependencies automatically.
> >> i'll have to post it later, since i've actually been meaning to recently.
> >> just have to make a few adjustments for portability.
>

--