From: Chris Angelico
Subject: Re: Apache and suexec issue that wont let me run my python script
Date: Thu, 6 Jun 2013 02:33:50 +1000
Newsgroups: comp.lang.python
To: python-list@python.org

On Wed, Jun 5, 2013 at 9:19 PM, Νικόλαος Κούρας wrote:
> On Wednesday, 5 June 2013 2:14:34 PM UTC+3, user Heiko Wundram wrote:
>> On 05.06.2013 13:07, [name garbled in the original] wrote:
>>
>> > Btw, since history doesn't show me his history commands when he logged in
>> > from .au (why not really?), how can I tell what exactly he did when he
>> > logged on to the server?
>
>> As root has full access to your system (i.e., can change file contents
>> and system state at will), and you gave him root access: you can't. And
>> he made sure to remove things such as .bash_history and the syslog
>> contents, I guess. At least that's what I'd have done to prove a point.

In fact, I didn't even bother fiddling with syslog. All I did was
.bash_history. Of course, I wasn't worried about you getting my IP
addresses (one of them is public anyway, and the other isn't mine any
longer than I'm using it), and nothing I did there was sufficiently
serious to be worth hiding, but I just did the history so I could point
out how easy this is.

> I see. Thanks.
> Is there some logging utility I can use next time I am offering root access
> to someone (if I do it), or perhaps for logging a normal account's activity?
You could log a normal user fairly easily, because root trumps normal
users. To log root access, there are a few options:

1) Don't actually give unrestricted root, but require the use of sudo,
which logs. Not 100% perfect unless you actually restrict the commands
that can be executed, but it'd at least let you have some idea that
things were tampered with.

2) Provide a special bouncer. This is a little complex to describe, so
bear with me. Imagine you have *two* computers, WebHost and Bouncer. You
want to give root access to WebHost, so you invite someone to ssh to
webroot@bouncer - the shell of that user establishes a secondary
connection to root@webhost and passes everything on, but also logs it.
Since *no* access to Bouncer has been granted, the logs can't be
tampered with. This can be complicated to set up and secure, but it's
certainly possible. However, I think it is beyond your ability, at least
at the moment.

3) Provide a hacked-up root shell that logs to a network location, and
disable all other shell usage. Imperfect but would probably work.

4) Require that all root shell access be done through screen/tmux, and
monitor it.

You can probably think of a few others, too.

ChrisA
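A minimal session recorder in the spirit of options 2 and 3 above, added here as an example and not code from the thread: it runs a shell under a pty, passes every byte through unchanged, and appends each output chunk to a log whose records are chained with an HMAC, so that an edit to any earlier record is detected when the log is checked with a key that is held only by the verifier (a key readable by root on the monitored host would let root rebuild the chain). The log path, the SESSION_LOG_KEY variable name and the all-zero genesis value are assumptions.

```python
import hashlib, hmac, json, os, pty, sys, time

GENESIS = b"\0" * 32  # assumed starting value for the chain


class ChainedLog:
    """Append-only session log; each record's MAC covers the previous MAC."""

    def __init__(self, path, key):
        self.path, self.key, self.prev = path, key, GENESIS

    def append(self, data):
        rec = {"ts": time.time(), "data": data.hex()}
        body = json.dumps(rec, sort_keys=True).encode()
        mac = hmac.new(self.key, self.prev + body, hashlib.sha256).digest()
        self.prev = mac
        with open(self.path, "ab") as f:  # append only; never rewritten
            f.write(body + b" " + mac.hex().encode() + b"\n")


def verify(path, key):
    """Recompute the chain off-box. Returns (intact, output seen so far)."""
    prev, out = GENESIS, bytearray()
    with open(path, "rb") as f:
        for line in f:
            body, _, mac_hex = line.rstrip(b"\n").rpartition(b" ")
            expect = hmac.new(key, prev + body, hashlib.sha256).digest()
            if not hmac.compare_digest(expect, bytes.fromhex(mac_hex.decode())):
                return False, bytes(out)  # this or an earlier record changed
            prev = expect
            out += bytes.fromhex(json.loads(body)["data"])
    return True, bytes(out)


def record_session(argv, log):
    """Run argv under a pty; every byte it writes is logged and passed on."""
    def tap(fd):
        data = os.read(fd, 1024)
        if data:
            log.append(data)
        return data  # pty.spawn forwards it to the real terminal
    return pty.spawn(argv, master_read=tap)


if __name__ == "__main__":
    # SESSION_LOG_KEY is a hypothetical name; in practice the key lives only
    # with the verifier and the log is shipped to a host root cannot reach.
    key = os.environ.get("SESSION_LOG_KEY", "example-key").encode()
    record_session(sys.argv[1:] or ["/bin/sh"], ChainedLog("session.log", key))
```

The chain detects edits and deletions in the middle of the log but not removal of the trailing records, which is why the records still have to leave the box as they are written (the bouncer or network location in options 2 and 3).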