On Tue, Jul 22, 2014 at 12:59:04PM -0500, wireless wrote:
> If have to audit the code(s) and find the opportunities to use popen.
> You have to understand that popen in php, and other scripting languages,
> is not the same as popen as it is in a "C" program.

I've actually now got some example code including a poller that uses
popen() to fping instead of a temporary directory. It actually works for me.

The trick is that fping on my system is not setuid, but uses capabilities.
I'm a little worried that not everyone has fping set up this way (but they
should).

So, I'm basically looking for someone that has a setuid root fping.
You can tell with

  ls -l /usr/bin/fping
  -rwxr-xr-x 1 root root 31464 May 6 21:42 /usr/bin/fping

See the permissions? No 's' so it's not setuid. If yours looks like mine,
don't set it setuid!

Attached is some example code that pings localhost twice. If you have a
setuid fping can you run it and send back the output?

If it works it will look like this:

NOMATCH 127.0.0.1 : [0], 84 bytes, 0.10 ms (0.10 avg, 0% loss)
MATCH
Array
(
    [0] => 127.0.0.1 : xmt/rcv/%loss = 2/2/0%, min/avg/max = 0.07/0.08/0.10
    [1] => 2
    [2] => 2
    [3] => , min/avg/max = 0.07/0.08/0.10
    [4] => 0.08
)
NOMATCH done

SF list won't let me attach, so here it is, copy the bits between the ---
lines into a file, say test_fping.php and then run it as
php -q test_fping.php
as a normal user.

---------------------------------------
<?php
// Matches fping's per-host summary line, e.g.
// "127.0.0.1 : xmt/rcv/%loss = 2/2/0%, min/avg/max = 0.07/0.08/0.10"
// Captures: sent, received, optional min/avg/max block, average RTT.
$fping_pattern = "/\S+ : xmt\/rcv\/%loss = (\S+)\/(\S+)\/\S+%(, min\/avg\/max = \S+\/(\S+)\/\S+|)/";

// fping writes the summary line to stderr, so merge it into stdout.
$handle = popen("fping -c 2 127.0.0.1 2>&1", "r");
if ($handle === false) {
  // popen() could not start the command at all.
  print "popen failed\n";
  exit(1);
}
while(!feof($handle)) {
  // fread() returns whatever is available (up to 1000 bytes), which is
  // not necessarily exactly one line of output.
  $line = fread($handle, 1000);
  if (preg_match($fping_pattern, $line, $parts)) {
    print "MATCH\n";
    print_r($parts);
  } else {
    print "NOMATCH $line";
  }
}
// Close the pipe and reap the fping child process.
pclose($handle);
echo "done";
?>
------------------------------------------------

-- 
Craig Small (@smallsees)   http://enc.com.au/       csmall at : enc.com.au
Debian GNU/Linux           http://www.debian.org/   csmall at : debian.org
GPG fingerprint:        5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5
_______________________________________________
jffnms-users mailing list
jffnms-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jffnms-users
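The message above tells setuid from capabilities by reading `ls -l`, which shows the setuid bit but not file capabilities. The following is an added example, not part of the original message or of JFFNMS, that classifies a binary either way; the function names `priv_mode` and `report_fping` are hypothetical, and it assumes `getcap` from libcap is used when available.

```shell
#!/bin/sh
# Added example: report how a ping helper such as fping gets its privilege.

# priv_mode PATH
# Prints one of: missing, setuid-root, setuid, capabilities, plain,
# caps-unchecked (not setuid, but getcap is not available to look further).
priv_mode() {
    bin=$1
    [ -e "$bin" ] || { echo missing; return 1; }

    # -u is true when the setuid bit (the 's' shown by ls -l) is set.
    if [ -u "$bin" ]; then
        # With numeric ids (-n), field 3 is the owner uid; 0 means the
        # program runs with full root privileges for any caller.
        owner=$(ls -ln "$bin" | awk '{print $3}')
        if [ "$owner" = "0" ]; then echo setuid-root; else echo setuid; fi
        return 0
    fi

    # File capabilities are stored in an extended attribute and never
    # appear in the ls -l mode string, so ask getcap.
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$bin" 2>/dev/null)
        if [ -n "$caps" ]; then echo capabilities; else echo plain; fi
        return 0
    fi
    echo caps-unchecked
}

# report_fping: classify the fping found in PATH, if there is one.
report_fping() {
    path=$(command -v fping 2>/dev/null) || { echo "fping: not installed"; return 0; }
    echo "$path: $(priv_mode "$path")"
}

report_fping
```

A result of `plain` for fping means an unprivileged user will normally not be able to ping with it at all, which is a different situation from the `capabilities` setup described in the message.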