PHP coder needs Tor details
Seth David Schoen
schoen at eff.org
Tue Feb 13 01:36:45 UTC 2007
Mr. Blue writes:
> Now all this works well when I perform it like a root, but when I want nobody(apache) to parse file.php that is calling Tor will not work.
> I know why - nobody doesn't have a permission for that.
> I installed Tor like a ROOT using "portinstall -s security/tor" command.
> Now..., I would like to chmod tor to allow nobody to run it with certain PID but I simply can't find Tor even if I use. (Yes I know - this is very funny!)
> If I can't find Tor dir on my server how am I suppose to chmod it?
> To shorten... How do I allow nobody to utilize Tor (It can already do that but I must start it like a root and stop it like a root)
There is a Unix feature called setuid which allows a program to run with
the privileges of a user other than the user who started it. On a Unix
system where setuid is supported (and you are allowed to use it), a
program which is mode 4xxx (in octal notation) or u+s (in text notation)
will get the privileges of the _program file's owner_ when run, rather
than the privileges of the user who started the program. You might be
able to use this in a variety of ways in your application. Please keep
in mind that the improper use of the setuid facility is a major source
of security holes, so you should think through what you're doing (and
the consequences of allowing other users on the machine, if any, to
run programs with those privileges!).
Here is a simple example showing the difference between a regular
executable program and a program with the setuid bit set:
schoen at sescenties:~$ cp /usr/bin/id regular_id
schoen at sescenties:~$ cp /usr/bin/id setuid_id
schoen at sescenties:~$ sudo chown root:root setuid_id
schoen at sescenties:~$ sudo chmod u+s setuid_id
schoen at sescenties:~$ ./regular_id
uid=1000(schoen) gid=1000(schoen) grupos=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(lpadmin),105(scanner),106(admin),1000(schoen)
schoen at sescenties:~$ ./setuid_id
uid=1000(schoen) gid=1000(schoen) euid=0(root) grupos=4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),104(lpadmin),105(scanner),106(admin),1000(schoen)
(Here the word "grupos" means "groups"; I'm using pt_BR as my locale.)
euid is the "effective user ID" of the process.
One more note: some Unix versions forbid a script (such as a shell script)
to run setuid. Some scripting languages have workarounds for this where
the scripting language itself has a setuid root version (for example,
sperl for Perl) that will handle the privileges for the scripts. If you
try to make a script setuid, don't be surprised if this process doesn't
work on your system (for security reasons based on the concerns of the
kernel developer, the distributor, or the system administrator).
> PS: Why after I start Tor like a root by typing "tor" in command line it start and then I simply can't issue ANY command to my server, whatever I type in command line and press enter it is like I am typing some text in a word(or nano for a unix)?
The normal paradigm of the command line is that when you start a command,
that command will keep running in your terminal until it's done, and
only then will you get another shell prompt.
You should probably look at documentation for your shell (if you don't
have good documentation, I can recommend the use of the bash shell and
the O'Reilly and Associates book _Learning the bash Shell_), in particular
the features called "job control", which are aimed at helping you do
multitasking using the command line.
The first job control feature to learn about is the ampersand character.
If you put an ampersand at the end of a command line, the job will run
"in the background" and the shell won't wait for it to exit before giving
you another prompt.
Staff Technologist schoen at eff.org
Electronic Frontier Foundation http://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110 1 415 436 9333 x107
More information about the tor-talk