Generating a .run file from a www-data script, please say I can...

Discussion in 'Developers' Forum' started by danf.1979, Jan 4, 2006.

  1. danf.1979

    danf.1979 ISPConfig Developer

    How can I get a www-data:www-data script to create a .run file? I need this badly....
    Maybe it can be validated somehow (the www-data user script)
     
  2. falko

    falko Super Moderator

    Do you mean /home/admispconfig/ispconfig/.run?
    You could make /home/admispconfig/ispconfig world-writable, e.g.
    Code:
    chmod 777 /home/admispconfig/ispconfig
     
  3. danf.1979

    danf.1979 ISPConfig Developer

    Would that be secure?
    I did a new daemon to check for my new .run (wiki.data) file... but I don't know if this is OK. I mean, it works, but I don't like to have a daemon only to run the *final* step for the wiki installation.
    Also I tried to make the ispconfig_wconf daemon check for that new .run (wiki.data) file but I guess my syntax is not OK (I don't know bash).
    How could I modify this to get the daemon ispconfig_wconf to check also for another file? For example /var/www/installers/wiki_temp/wiki.data
    Code:
    while (true) do
      if [ -f /home/admispconfig/ispconfig/.run ]; then
        rm -f /home/admispconfig/ispconfig/.run
        /root/ispconfig/php/php -q /root/ispconfig/scripts/writeconf.php &> /dev/null
      fi
      sleep 10
    done
    
     
    Last edited: Jan 4, 2006
  4. falko

    falko Super Moderator

    It's ok as long as you don't chown the other directories in /home/admispconfig/ispconfig!
    You can try something like this:
    Code:
    while (true) do
      if [ -f /home/admispconfig/ispconfig/.run ] || [ -f /var/www/installers/wiki_temp/wiki.data ]; then
        rm -f /home/admispconfig/ispconfig/.run  &> /dev/null
        rm -f /var/www/installers/wiki_temp/wiki.data  &> /dev/null
        /root/ispconfig/php/php -q /root/ispconfig/scripts/writeconf.php &> /dev/null
      fi
      sleep 10
    done
    
     
  5. till

    till Super Moderator

    Why do you need that? The problem with letting www-data create a .run file is that then every user that is hosted on the server can run a DOS attack against ISPConfig by setting a new .run file every few seconds.
     
  6. danf.1979

    danf.1979 ISPConfig Developer

    I downloaded MediaWiki and found out it has its own installer. The installer is very good, and I don't want to rewrite it.
    Of course, the user begins the installation in ispconfig. He provides:

    1) Database name
    2) Password
    3) Install path

    Then I write those data plus some extra ones to a mysql table so writeconf.php can read them and copy all wiki files to the user directory, but at this moment I can't chown the install path to the real username, I must leave it as www-data, because after the ispconfig installer copies all necessary files to the directory the user has chosen, I request him to follow a link and *finish* the installation with the real wiki install script. This script runs as www-data and attempts to generate a config file when the user has completed the install process. That's why I must leave the directory as www-data owner, until the final step of the wiki installation.

    And that's why I wanted to integrate the wiki install script to the .run system, because I wanted to make:
    1) a final chown -R $username:web$web_id for the wiki path
    2) delete the config/ directory
    3) chmod go-w the generated config file.

    So the user has to do very, very little to install wiki.
     
  7. danf.1979

    danf.1979 ISPConfig Developer

    Maybe there is a way to validate the installation script like with md5?
     
  8. till

    till Super Moderator

    That's generally a good idea, but I think that opening the admin part to the www-admin user is not a good idea.

    What do you think about this solution:

    In the first part of the installation, where you create the database, you put a randomly created md5 hash in the ispconfig database and write this hash to a file, e.g. .install_secret that is stored in the directory where you install mediawiki. This file might also include the complete URL of the file called below.

    After the mediawiki script has finished, it reads this md5 hash, and calls a script that runs as admispconfig user. For example:

    https://www.yourserver.com:81/tools/tools/installer/finish.php?secret=34f632s274322

    The finish.php script compares if the secret is identical with the one we stored in the database; if it's identical, it will set the .run file.

    It's a bit complicated, but I think it's more secure.
     
  9. danf.1979

    danf.1979 ISPConfig Developer

    I like that, but I've never done something similar before... so I'm a little lost on how to execute the final.php from the wiki install script and pass the md5 hash hidden to the user.
    Would I have to put a function like this in the wiki script?
    Code:
    function finish($hash) {
        exec("/home/admispconfig/.../final.php?var=$hash");
    }
    
    Sorry, my experience is limited... :)
     
  10. till

    till Super Moderator

    The solution is even simpler. You must call the script with http! Otherwise it is executed as wwwrun and not admispconfig user!

    Code:
    $returnvalues = file("https://www.yourserver.com:81/tools/tools/installer/final.php?var=$hash");
    As you don't know the correct value for https://www.yourserver.com:81 in the mediawiki script, it is a good idea to store this in the secret file too.

    One comment to your code above. If you put a variable in an exec statement, make sure that it cannot contain any executable commands. Example:

    Code:
    $hash = escapeshellcmd($hash);
    exec("/home/admispconfig/.../final.php?var=$hash");


    Every one of us started with programming some time ago. We have the development forums to help each other in ispconfig programming and to find the best solution for a given dev problem :)
     
    Last edited: Jan 4, 2006
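
The secret-check flow till describes in this thread, as an added example that is not part of the original posts or of ISPConfig: a random single-use token is issued when the install starts, and the finish script sets the .run file only on a match, so a hosted user cannot set the flag repeatedly. The `install_tokens` table, the function names, the demo URL and the paths are assumptions, and `random_bytes` stands in for the md5 hash mentioned in the thread.

```php
<?php
// Added example, not ISPConfig code. The install_tokens table, the function
// names and the paths are hypothetical.

// Step 1, when the panel starts the install: create the secret.
function issue_install_token(PDO $db, string $installPath, string $finishUrl): string
{
    $token = bin2hex(random_bytes(32)); // 64 hex characters from the CSPRNG
    // Store only a hash, so reading the table does not yield a usable secret.
    $db->prepare('INSERT INTO install_tokens (token_hash, expires_at) VALUES (?, ?)')
       ->execute([hash('sha256', $token), time() + 3600]);
    // URL and secret go into the file the installer reads. It should be
    // readable only by the account the installer runs as.
    file_put_contents("$installPath/.install_secret", "$finishUrl\n$token\n", LOCK_EX);
    return $token;
}

// Step 2, in the finish script running as the panel user: check and consume.
function finish_install(PDO $db, string $presented, string $runFile): bool
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $presented)) {
        return false; // not token-shaped, never reaches the database
    }
    // DELETE makes the check and the single use one atomic step.
    $stmt = $db->prepare('DELETE FROM install_tokens WHERE token_hash = ? AND expires_at >= ?');
    $stmt->execute([hash('sha256', $presented), time()]);
    if ($stmt->rowCount() !== 1) {
        return false; // unknown, expired or already used: no .run file
    }
    return touch($runFile);
}

// Constructed demo against an in-memory SQLite database and a temp directory.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE install_tokens (token_hash TEXT PRIMARY KEY, expires_at INTEGER)');
$dir = sys_get_temp_dir() . '/wiki_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$token = issue_install_token($db, $dir, 'https://panel.example:81/finish.php');
var_dump(finish_install($db, 'guess', "$dir/.run")); // a value that was never issued
var_dump(finish_install($db, $token, "$dir/.run"));  // the issued token, first use
var_dump(finish_install($db, $token, "$dir/.run"));  // the same token replayed
```

Because the token is consumed on first use, a copy that ends up in an access log through the query string cannot trigger another run.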
