Discussion:
[BackupPC-devel] BackupPC_Admin C wrapper and apache hell
Richard Shaw
2017-03-19 22:41:06 UTC
Permalink
From a Fedora packaging perspective we can't do the standard setup because
we don't allow perl scripts to run as suid and can't use mod_perl because
it requires a separate apache instance so instead we use a simple C wrapper
that can run suid.

The problem is that a compiled binary doesn't belong in /usr/share/...
(although that's where the current package put it) so I have migrated it to
/usr/sbin/BackupPC_Admin.

The problem is that I can't seem to find the magic incantation to make
apache happy with it. I can duplicate the contents of the Directory
directive for /usr/sbin but I don't want to expose that access to
everything in /usr/sbin, just BackupPC_Admin, but when I try any version of
the Files directive it refuses to work saying something to the effect of:

authz_core:error] [pid 32390] [client ::1:37302] AH01630: client denied by
server configuration: /usr/sbin/BackupPC_Admin

Any ideas?

Thanks,
Richard
Kenneth Porter
2017-03-21 02:36:10 UTC
Permalink
--On Sunday, March 19, 2017 6:41 PM -0500 Richard Shaw
Post by Richard Shaw
The problem is that a compiled binary doesn't belong in /usr/share/...
(although that's where the current package put it) so I have migrated it
to /usr/sbin/BackupPC_Admin.
Would it make more sense to put it in /usr/libexec?

<https://docs.fedoraproject.org/en-US/Fedora/14/html/Storage_Administration_Guide/s1-filesystem-fhs.html>


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
BackupPC-devel mailing list
BackupPC-***@lists.sourceforge.net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-devel
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
Richard Shaw
2017-03-21 12:50:01 UTC
Permalink
Post by Kenneth Porter
--On Sunday, March 19, 2017 6:41 PM -0500 Richard Shaw
Post by Richard Shaw
The problem is that a compiled binary doesn't belong in /usr/share/...
(although that's where the current package put it) so I have migrated it
to /usr/sbin/BackupPC_Admin.
Would it make more sense to put it in /usr/libexec?
I thought about that as well but in either case it doesn't solve the apache
directive issue...

Thanks,
Richard
Juergen Harms
2017-03-21 16:13:38 UTC
Permalink
The Mageia BackupPC 3 package puts BackupPC_Admin (the suid executable)
into /var/www/backuppc/, next to BackupPC_Admin.cgi - and Apache does
not complain. Normally Mageia is configured along the same lines as
Fedora. Could this be a viable alternative for BackupPC 4?

Juergen

Les Mikesell
2017-03-21 16:19:02 UTC
Permalink
Post by Richard Shaw
Post by Kenneth Porter
Post by Richard Shaw
The problem is that a compiled binary doesn't belong in /usr/share/...
(although that's where the current package put it) so I have migrated it
to /usr/sbin/BackupPC_Admin.
Would it make more sense to put it in /usr/libexec?
I thought about that as well but in either case it doesn't solve the apache
directive issue...
Is it possible to use Apache's own suEXEC mechanism?
--
Les Mikesell
***@gmail.com

Fritz Elfert
2017-03-21 16:24:01 UTC
Permalink
Is your selinux by any chance enabled? Try setenforce=0 temporarily. If
it works after that, enable it again and after it fails, use audit2allow
to figure out the necessary rulesets.

CU
-Fritz
Post by Kenneth Porter
--On Sunday, March 19, 2017 6:41 PM -0500 Richard Shaw
Post by Richard Shaw
The problem is that a compiled binary doesn't belong in /usr/share/...
(although that's where the current package put it) so I have migrated it
to /usr/sbin/BackupPC_Admin.
Would it make more sense to put it in /usr/libexec?
I thought about that as well but in either case it doesn't solve the
apache directive issue...
Thanks,
Richard
Richard Shaw
2017-03-22 12:37:26 UTC
Permalink
Post by Fritz Elfert
Is your selinux by any chance enabled? Try setenforce=0 temporarily. If
it works after that, enable it again and after it fails, use audit2allow
to figure out the necessary rulesets.
No, pretty sure that's not the case. There is a straightforward error in
apache's error_log saying it's not allowing access due to the configuration
and when I use a Directory directive to allow access to /usr/sbin it works,
but I don't want to allow apache access to everything in /usr/sbin (or
/usr/libexec)

Thanks,
Richard
Kenneth Porter
2017-03-22 21:56:13 UTC
Permalink
Post by Richard Shaw
No, pretty sure that's not the case. There is a straightforward error
in apache's error_log saying it's not allowing access due to the
configuration and when I use a Directory directive to allow access to
/usr/sbin it works, but I don't want to allow apache access to
everything in /usr/sbin (or /usr/libexec)
I thought you could put the binary in /usr/libexec/BackupPC and then use
a Directory directive on that.


Richard Shaw
2017-03-22 21:59:33 UTC
Permalink
Post by Kenneth Porter
Post by Richard Shaw
No, pretty sure that's not the case. There is a straightforward error
in apache's error_log saying it's not allowing access due to the
configuration and when I use a Directory directive to allow access to
/usr/sbin it works, but I don't want to allow apache access to
everything in /usr/sbin (or /usr/libexec)
I thought you could put the binary in /usr/libexec/BackupPC and then use
a Directory directive on that.
Hadn't thought of that... Thanks!

Richard
Richard Shaw
2017-03-25 16:53:24 UTC
Permalink
Ok, good news...

I updated my package to 4.1.0 and put BackupPC_Admin in
/usr/libexec/BackupPC and changed the apache directive from:

<Directory /usr/share/BackupPC/>

to

<DirectoryMatch /usr/(share|libexec)/BackupPC/>

And I could log in!

I had a new SELinux error that access to /etc/BackupPC/LOCK was denied but
I added a httpd_lock_t context to the LOCK file and that seems to have gone
away. I was able to do a backup of my local home directory.

Thanks,
Richard
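
The scoping this thread arrives at, written out as an added Apache 2.4 example (not the Fedora package's shipped configuration and not posted by anyone in the thread). The `/BackupPC` URL path and the `ScriptAlias` line are assumptions; the directory and file names are the ones mentioned above.

```apache
# Added example; /BackupPC URL path and ScriptAlias are assumptions.

# The broad grant the thread wanted to avoid. It opens every binary in
# /usr/sbin to any URL mapping that ever points into that directory.
#<Directory "/usr/sbin">
#    Require all granted
#</Directory>

# Map one URL to the suid wrapper only (assumed mapping).
ScriptAlias /BackupPC /usr/libexec/BackupPC/BackupPC_Admin

# A dedicated directory that holds nothing but the wrapper, so the
# grant cannot reach unrelated system binaries.
<Directory "/usr/libexec/BackupPC">
    AllowOverride None
    Options None
    # Default for anything that later lands in this directory.
    Require all denied

    # <Files> matches on the file name, not the full path; nested
    # inside <Directory> it applies only within this directory.
    <Files "BackupPC_Admin">
        Require all granted
    </Files>
</Directory>

# Static assets from the original location stay readable.
<Directory "/usr/share/BackupPC">
    AllowOverride None
    Require all granted
</Directory>

# If a single regex section is preferred, as in the final post, anchor
# it. An unanchored pattern matches the string anywhere in a path, for
# example /srv/upload/usr/share/BackupPC/.
#<DirectoryMatch "^/usr/(share|libexec)/BackupPC/">
#    Require all granted
#</DirectoryMatch>
```

In a real deployment `Require all granted` would normally be replaced by the site's authentication requirement, for example `Require valid-user` together with the matching `AuthType` settings.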
