Apache and suexec issue that won't let me run my python script

  • Thread starter Νικόλαος Κούρας

Mark Lawrence

**** you too and sod off.

You've got a bloody nerve. You're charging people when you haven't the
faintest idea what you're doing, won't pay for technical support, and
then have the audacity to complain when people do try to help. As I've
said before, it's hardly surprising that the Greek economy is in such a
mess if you're an example of what the workforce has to offer. I was
going to say professionally, except that word is clearly not applicable
here.

--
"Steve is going for the pink ball - and for those of you who are
watching in black and white, the pink is next to the green." Snooker
commentator 'Whispering' Ted Lowe.

Mark Lawrence
 

Mark Lawrence

On Wednesday, 5 June 2013 12:49:13 PM UTC+3, user alex23 wrote:

You spare it from the list because you wanted to bitch in private.
Now sod off.

Never in the field of the internet has so much been owed to so many by
so few.

--
"Steve is going for the pink ball - and for those of you who are
watching in black and white, the pink is next to the green." Snooker
commentator 'Whispering' Ted Lowe.

Mark Lawrence
 

Mark Lawrence

You most definitely *are* a fool.

ChrisA

I believe the above is just plain wrong. A fool and his money are
easily parted, but this guy won't part with his cash.

--
"Steve is going for the pink ball - and for those of you who are
watching in black and white, the pink is next to the green." Snooker
commentator 'Whispering' Ted Lowe.

Mark Lawrence
 
Νικόλαος Κούρας

On Wednesday, 5 June 2013 4:16:46 PM UTC+3, user Mark Lawrence wrote:
You've got a bloody nerve. You're charging people when you haven't the
faintest idea what you're doing, won't pay for technical support, and
then have the audacity to complain when people do try to help. As I've
said before, it's hardly surprising that the Greek economy is in such a
mess if you're an example of what the workforce has to offer. I was
going to say professionally, except that word is clearly not applicable
here.

When you invented meat, Greeks were already suffering from cholesterol.
 

Serhiy Storchaka

05.06.13 11:09, Chris Angelico wrote:
Oh, and I changed the root password, since the current one was sent in
clear text across the internet. Nikos, the new password has been
stored in /home/nikos/new_password - you should be able to access that
using your non-root login. I recommend you change it immediately.

What are permission modes of /home/nikos and /home/nikos/new_password?
 
Νικόλαος Κούρας

On Wednesday, 5 June 2013 5:46:57 PM UTC+3, user Serhiy Storchaka wrote:
05.06.13 11:09, Chris Angelico wrote:

What are permission modes of /home/nikos and /home/nikos/new_password?

(e-mail address removed) [~/www]# pwd
/home/nikos/www
(e-mail address removed) [~/www]# ls -ld ../
drwx--x--x 24 nikos nikos 4096 Jun 5 11:28 ..//
(e-mail address removed) [~/www]#
 

Chris Angelico

I will understand by his attitude in general if he is likely to help me or not.

How much of my attitude did you read before you decided I would trust
you? Posts like this:

http://mail.python.org/pipermail/python-list/2013-June/648428.html
http://mail.python.org/pipermail/python-list/2013-June/648496.html

and especially this:

http://mail.python.org/pipermail/python-list/2013-June/648459.html

state fairly clearly what I'm intending. I was NOT planning to solve
your problem. I was planning all along to do exactly what I did:
search for some proof that I had full access, email it to the persons
concerned, then leave without doing any actual damage.

So if you were *that wrong* about me, what makes you think you can
judge someone else safely?

ChrisA
 

Chris Angelico

On Wednesday, 5 June 2013 2:14:34 PM UTC+3, user Heiko Wundram wrote:

In fact, I didn't even bother fiddling with syslog. All I did was
.bash_history. Of course, I wasn't worried about you getting my IP
addresses (one of them is public anyway, and the other isn't mine any
longer than I'm using it), and nothing I did there was sufficiently
serious to be worth hiding, but I just did the history so I could
point out how easy this is.
I see. Thanks.
Is there some logging utility I can use next time I am offering root access to someone (if I do it), or perhaps logging a normal account's activity?

You could log a normal user fairly easily, because root trumps normal
users. To log root access, there are a few options:

1) Don't actually give unrestricted roots, but require the use of
sudo, which logs. Not 100% perfect unless you actually restrict the
commands that can be executed, but it'd at least let you have some
idea that things were tampered with.

2) Provide a special bouncer. This is a little complex to describe, so
bear with me. Imagine you have *two* computers, WebHost and Bouncer.
You want to give root access to WebHost, so you invite someone to ssh
to webroot@bouncer - the shell of that user establishes a secondary
connection to root@webhost and passes everything on, but also logs it.
Since *no* access to Bouncer has been granted, the logs can't be
tampered with. This can be complicated to set up and secure, but it's
certainly possible. However, I think it is beyond your ability, at
least at the moment.

3) Provide a hacked-up root shell that logs to a network location, and
disable all other shell usage. Imperfect but would probably work.

4) Require that all root shell access be done through screen/tmux, and
monitor it.

You can probably think of a few others, too.

ChrisA
 

Joel Goldstick

or not.

How much of my attitude did you read before you decided I would trust
you? Posts like this:

http://mail.python.org/pipermail/python-list/2013-June/648428.html
http://mail.python.org/pipermail/python-list/2013-June/648496.html

and especially this:

http://mail.python.org/pipermail/python-list/2013-June/648459.html

state fairly clearly what I'm intending. I was NOT planning to solve
your problem. I was planning all along to do exactly what I did:
search for some proof that I had full access, email it to the persons
concerned, then leave without doing any actual damage.

So if you were *that wrong* about me, what makes you think you can
judge someone else safely?

ChrisA

To solve the OP's problems once and for all, I believe we need to know his
social security number and his mother's maiden name. (Yes, I know SSN is
for US but... )
 

Chris Angelico

05.06.13 11:09, Chris Angelico wrote:

What are permission modes of /home/nikos and /home/nikos/new_password?

I didn't actually fiddle with that, but you're right, I ought to have
ensured that the password file was mode 600. However, I don't think it
would have made a lot of difference; mainly I was wanting to guard
against randoms on the internet, not actual legit users of his system
(and even they may well not have shell access).

ChrisA
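
Added example, not part of the thread: a Python check of the question above about the modes of /home/nikos and the password file. It rebuilds the layout in a temporary directory (paths and contents are constructed; the `exposure` helper and its `top` argument are hypothetical) and shows that a `drwx--x--x` home hides the directory listing but not a file whose name is known, until the file itself is mode 600.

```python
import os
import stat
import tempfile


def mode_of(path):
    """Permission bits of path, without following a final symlink."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def exposure(secret, top="/"):
    """Judge from mode bits alone whether an unrelated local user ("other")
    can read `secret`. Directories strictly below `top` are checked.
    ACLs, group membership and root are deliberately ignored."""
    secret, top = os.path.abspath(secret), os.path.abspath(top)
    rel = os.path.relpath(os.path.dirname(secret), top)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("secret is not below top")
    dirs, cur = [], top
    for part in (p for p in rel.split(os.sep) if p != os.curdir):
        cur = os.path.join(cur, part)
        dirs.append(cur)
    # "other" needs search (x) permission on every directory in the chain.
    blocked = [d for d in dirs if not mode_of(d) & stat.S_IXOTH]
    # Read (r) on the parent is only needed to discover the file name.
    listable = bool(dirs) and bool(mode_of(dirs[-1]) & stat.S_IROTH)
    fmode = mode_of(secret)
    return {
        "file_mode": format(fmode, "04o"),
        "blocked_by": blocked,
        "name_listable": listable,
        "other_can_read": not blocked and bool(fmode & stat.S_IROTH),
    }


def demo():
    """Constructed stand-in for /home/nikos (drwx--x--x, as in the ls output
    earlier in the thread) holding a file created under a typical 022 umask."""
    with tempfile.TemporaryDirectory() as top:
        home = os.path.join(top, "home", "nikos")
        os.makedirs(home)
        os.chmod(os.path.join(top, "home"), 0o755)
        os.chmod(home, 0o711)
        secret = os.path.join(home, "new_password")
        with open(secret, "w") as fh:
            fh.write("constructed-placeholder\n")
        os.chmod(secret, 0o644)
        before = exposure(secret, top)
        os.chmod(secret, 0o600)  # the mode named in the reply above
        after = exposure(secret, top)
        return before, after


if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```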
 
Νικόλαος Κούρας

On Wednesday, 5 June 2013 7:33:50 PM UTC+3, user Chris Angelico wrote:
In fact, I didn't even bother fiddling with syslog. All I did was
.bash_history. Of course, I wasn't worried about you getting my IP
addresses (one of them is public anyway, and the other isn't mine any
longer than I'm using it), and nothing I did there was sufficiently
serious to be worth hiding, but I just did the history so I could
point out how easy this is.

So, by executing .bash_history commands issued are cleared. Okay.
What about 'syslog' that Heiko mentioned? Since you didn't fiddle with syslog, can the latter show me what commands have been executed, files opened, commands given, services started-stopped etc?
and nothing I did there was sufficiently serious to be worth hiding.

Actually I believe you, because if you had malice in mind you could 'rm -rf /' or deface frontpages, which you didn't do.

But is there a way for me to see what commands have been issued? syslog perhaps, as I ask above?
Since you didn't harm the system, why the need to wipe clean bash's history?
 
Νικόλαος Κούρας

On Wednesday, 5 June 2013 7:37:47 PM UTC+3, user Chris Angelico wrote:
I didn't actually fiddle with that, but you're right, I ought to have
ensured that the password file was mode 600. However, I don't think it
would have made a lot of difference; mainly I was wanting to guard
against randoms on the internet, not actual legit users of his system
(and even they may well not have shell access).

I grant shell access to every new account I create, but some of my customers don't even know the existence of Linux, and the others that do have no idea of what a shell access is. But I grant them the ability just in case for future usage.

Most of them are doing the work via cPanel tools.
 
Νικόλαος Κούρας

On Wednesday, 5 June 2013 7:35:48 PM UTC+3, user Joel Goldstick wrote:
To solve the OP's problems once and for all, I believe we need to know his social security number and his mother's maiden name. (Yes, I know SSN is for US but... )

Even if I give you that info, what can you possibly expect to happen?
Gain access to my Gmail account because you stuck in its security question?
 

Chris Angelico

On Wednesday, 5 June 2013 7:33:50 PM UTC+3, user Chris Angelico wrote:

So, by executing .bash_history commands issued are cleared. Okay.
What about 'syslog' that Heiko mentioned? Since you didn't fiddle with syslog, can the latter show me what commands have been executed, files opened, commands given, services started-stopped etc?

Poke around in /var/log - I didn't tamper with anything there, so you
may well find log entries. But I don't know for sure what I did and
what I didn't do.

Actually I believe you, because if you had malice in mind you could 'rm -rf /' or deface frontpages, which you didn't do.

But is there a way for me to see what commands have been issued? syslog perhaps, as I ask above?
Since you didn't harm the system, why the need to wipe clean bash's history?

There won't be a full list of all commands, but you may find some
hints. And why wipe it? Just to show how easily it could be done.
Imagine if I'd:

1) Created a new user, with a home directory of /etc
2) Made a setuid root binary that gives me a shell
3) Removed all logfile traces of having done so

I could then *retain full access* even after you change the root
password. And you would not know what I'd done, if I do the logfile
wipes correctly. You might see some hint (eg that logs were rotated
prematurely), but it'd be extremely hard to figure out what I did.

ChrisA
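
Added example, not part of the thread: a defender-side Python audit for two of the changes listed above, a login account whose home is a system directory (or that shares UID 0) and a setuid file that was not present in a known-good baseline. The passwd lines, file names, shell list and baseline are constructed or assumed, and the check cannot detect log tampering.

```python
import os
import stat
import tempfile

# Assumption: shells that give an interactive login on this host.
LOGIN_SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
SYSTEM_DIRS = ("/etc", "/bin", "/sbin", "/usr", "/var", "/dev", "/proc")

# Constructed sample passwd content, not taken from the host in the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nikos:x:500:500::/home/nikos:/bin/bash
support:x:501:501::/etc:/bin/bash
toor:x:0:0::/home/toor:/bin/sh
"""


def suspicious_accounts(passwd_text):
    """Flag accounts that can log in and either share UID 0 with root or
    have their home inside a system directory."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        if os.path.basename(shell) not in LOGIN_SHELLS:
            continue  # nologin/false accounts cannot get a shell
        if uid == "0" and name != "root":
            findings.append((name, "second UID 0 account"))
        home = os.path.normpath(home)
        if any(home == d or home.startswith(d + "/") for d in SYSTEM_DIRS):
            findings.append((name, "login shell with home " + home))
    return findings


def setuid_files(top, owner_uid=0, baseline=frozenset()):
    """Regular files under `top` that are setuid, owned by `owner_uid`, and
    absent from `baseline` (paths recorded while the host was known good)."""
    hits = []
    for dirpath, _dirs, files in os.walk(top):
        for fname in files:
            path = os.path.join(dirpath, fname)
            st = os.lstat(path)
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid and path not in baseline):
                hits.append(path)
    return sorted(hits)


def demo():
    """Constructed tree with one baseline and one new setuid file. The files
    belong to the current user so no root is needed to run this; on a real
    host keep the default owner_uid=0."""
    with tempfile.TemporaryDirectory() as top:
        known = os.path.join(top, "passwd-helper")
        new = os.path.join(top, "cache", ".tool")
        os.mkdir(os.path.join(top, "cache"))
        for path in (known, new):
            with open(path, "w") as fh:
                fh.write("constructed\n")
            os.chmod(path, 0o4755)  # set the bit after writing
        hits = setuid_files(top, os.getuid(), baseline={known})
        return [os.path.relpath(h, top) for h in hits]


if __name__ == "__main__":
    print(suspicious_accounts(SAMPLE_PASSWD))
    print(demo())
```

A baseline is only trustworthy if it was recorded before untrusted root access was granted and is stored off the host.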
 

Chris Angelico

I grant shell access to every new account I create, but some of my customers don't even know the existence of Linux, and the others that do have no idea of what a shell access is. But I grant them the ability just in case for future usage.

Most of them are doing the work via cPanel tools.

I would strongly recommend NOT giving shell access, then. The chances
are low that they'll ever need it, and you improve your security
significantly by closing it off.

On Wednesday, 5 June 2013 7:35:48 PM UTC+3, user Joel Goldstick wrote:

Even if I give you that info, what can you possibly expect to happen?
Gain access to my Gmail account because you stuck in its security question?

What about: gain access to your bank account the same way? How would
you feel about random people on the internet having the ability to
transfer money on your behalf?

ChrisA
 
Νικόλαος Κούρας

On Wednesday, 5 June 2013 8:16:46 PM UTC+3, user Chris Angelico wrote:
Poke around in /var/log - I didn't tamper with anything there, so you
may well find log entries. But I don't know for sure what I did and
what I didn't do.

There won't be a full list of all commands, but you may find some
hints. And why wipe it? Just to show how easily it could be done.
Imagine if I'd:

1) Created a new user, with a home directory of /etc
2) Made a setuid root binary that gives me a shell
3) Removed all logfile traces of having done so

I could then *retain full access* even after you change the root
password. And you would not know what I'd done, if I do the logfile
wipes correctly. You might see some hint (eg that logs were rotated
prematurely), but it'd be extremely hard to figure out what I did.

Forensics is not my strong point, currently I'm learning Linux hence I only have basic knowledge just to get some basic stuff up and running.

Now about what you did to me. I wanted to tell you that I (and I am sure there are other people too) don't agree with what you did. I think it was pretty rotten -- you told me it was a bad idea to give out the root password and that was as far as you should have gone, you had no right to "prove" it by screwing with my system.

In the US there is a law called the DMCA which I think would make what
you did illegal, even though I gave you a password, because I
clearly gave you access to help me fix a problem, not to do what you
did. Of course US law doesn't help in this case since I live in Greece and you live in Australia...

I decided a long time ago that certain people on the Python list were
assholes, you leading the list followed by alex23, Mark Lawrence
and several more. Your post about how you are a good Christian just
confirms to me that you aren't -- people who brag about how moral they
are are usually immoral. And besides the major assholes, there are
lots of people there that will just agree with prevailing opinion
without thinking for themselves.

I still maintain my belief that most people are good and want to help
rather than be destructive (which to your defense you weren't entirely. The mails you sent to my few customers though really pissed me off).

And of course, I have no idea if you have installed some kind of a backdoor utility that will grant you shell access via ssh to my system.
I want to convince myself that you haven't done so.
 

Chris Angelico

Now about what you did to me. I wanted to tell you that I (and I am sure there are other people too) don't agree with what you did. I think it was pretty rotten -- you told me it was a bad idea to give out the root password and that was as far as you should have gone, you had no right to "prove" it by screwing with my system.

In the US there is a law called the DMCA which I think would make what
you did illegal, even though I gave you a password, because I
clearly gave you access to help me fix a problem, not to do what you
did. Of course US law doesn't help in this case since I live in Greece and you live in Australia...

IANAL, but I don't think the DMCA has anything to do with this. (That
is to say, I don't think it would even if everything were under US
jurisdiction, which as you say isn't the case anyway.) What I did is
no more illegal than you lending your car keys to a stranger with the
request that he lock your door for you, and him then leafing through
the contents of your car and telling your spouse what he found. If
that causes your marriage to break up, the fault was with you for
having something in your car that would break up your marriage, and
for letting a stranger poke around in there.

I still maintain my belief that most people are good and want to help
rather than be destructive (which to your defense you weren't entirely. The mails you sent to my few customers though really pissed me off).

The mails to your customers stop you from pretending to them that you
know what you're doing. That's all. Now, you may be able to come back
from this by making a public change of policy (you so far have a
declared stance that you would give out the root password to someone
else in future) and apologizing profusely to your customers, but if
you can't, that is your problem and not mine.

I was programming computers for eighteen years before I got a job
doing it. Getting money for hosting people's web sites is something
that you should see as a privilege for people who can demonstrably
provide this service safely, and should not be something you strive
for while you're learning the basics of Linux.

And of course, I have no idea if you have installed some kind of a backdoor utility that will grant you shell access via ssh to my system.
I want to convince myself that you haven't done so.

I can help with that convincing. No, I did not install any sort of
backdoor. There is no way you can prove that statement, but you have
my promise and pledge that your system is safe from me. All I did was:

1) Change the root password, storing the new one in a way that you could find it
2) Create the cookie file as proof of what I could do
3) Collect email addresses from /home/*/.contactemail
4) Inspect the index.html files in a few directories as a means of
locating the web sites concerned
5) 'mv .bash_history .bash_history_old', and later mv it back

There is no ongoing access, and now that you've changed the root
password (btw, I hope you weren't silly enough to change it to the
same password you emailed me), the system is under your control again.
But you cannot be sure that the *other* people you've given root
access to didn't do the same.

ChrisA
 
Νικόλαος Κούρας

On Wednesday, 5 June 2013 8:47:38 PM UTC+3, user Chris Angelico wrote:
IANAL, but I don't think the DMCA has anything to do with this. (That
is to say, I don't think it would even if everything were under US
jurisdiction, which as you say isn't the case anyway.) What I did is
no more illegal than you lending your car keys to a stranger with the
request that he lock your door for you, and him then leafing through
the contents of your car and telling your spouse what he found. If
that causes your marriage to break up, the fault was with you for
having something in your car that would break up your marriage, and
for letting a stranger poke around in there.

The mails to your customers stop you from pretending to them that you
know what you're doing. That's all. Now, you may be able to come back
from this by making a public change of policy (you so far have a
declared stance that you would give out the root password to someone
else in future) and apologizing profusely to your customers, but if
you can't, that is your problem and not mine.

I was programming computers for eighteen years before I got a job
doing it. Getting money for hosting people's web sites is something
that you should see as a privilege for people who can demonstrably
provide this service safely, and should not be something you strive
for while you're learning the basics of Linux.

I can help with that convincing. No, I did not install any sort of
backdoor. There is no way you can prove that statement, but you have
my promise and pledge that your system is safe from me. All I did was:

1) Change the root password, storing the new one in a way that you could find it
2) Create the cookie file as proof of what I could do
3) Collect email addresses from /home/*/.contactemail
4) Inspect the index.html files in a few directories as a means of
locating the web sites concerned
5) 'mv .bash_history .bash_history_old', and later mv it back

There is no ongoing access, and now that you've changed the root
password (btw, I hope you weren't silly enough to change it to the
same password you emailed me), the system is under your control again.
But you cannot be sure that the *other* people you've given root
access to didn't do the same.

Every time I granted access to other folks, when jobs done I always 'passwd' as root to avoid unwanted access.

All customers are also my friends and they like me and trust me. I also fix their computers too and use "TeamViewer" many times to help them from home.

Still, all of your doing could be avoided if instead of fiddling with my clients, you would actually try to provide a helping hand.

Anyway, I shouldn't have given root access to you, I was a bit worried doing so, but I was also under stress of also correcting this damn encoding issue and I wanted to think you would be the one that finally help solving it.

I was wrong. But no matter what you say I won't lose my belief that if for example I have given access to Steven, things could have turned into a positive solution.

You shouldn't have gone "that far", just to prove a point.
It's not that malicious activity didn't occur to me that might happen, I just like to think that it won't.

Anyway, enough said.
 

Chris Angelico

Anyway, I shouldn't have given root access to you, I was a bit worried doing so, but I was also under stress of also correcting this damn encoding issue and I wanted to think you would be the one that finally help solving it.

You shouldn't have gone "that far", just to prove a point.
It's not that malicious activity didn't occur to me that might happen, I just like to think that it won't.

Sure, you'd like to think that nothing will ever go wrong. Trouble is,
you can't depend on that. Maybe Steven D'Aprano would have solved your
problem for you... maybe not. Maybe you would have picked someone who
totally smashed your system, reputation, bank balance, and family pet.
How would you know?

The point of security is not to trust that most people will be fine.
The point of security is to be secure. You may not be able to guard
against everything, but you can certainly put some effort into not
making it easy for an attacker.

Treat the root password as a keyring with all of your keys on it, and
assume that you're going on holidays overseas. Do you contact
strangers to ask them to feed your cat? Or do you talk to a trusted
friend?

ChrisA
 
Νικόλαος Κούρας

On Wednesday, 5 June 2013 9:16:56 PM UTC+3, user Chris Angelico wrote:
Do you contact strangers to ask them to feed your cat? Or do you talk to a trusted friend?

Well, I don't consider you a perfect stranger, because we kind of know each other since we speak here sometime.

You know how much I was striving for help resolving this, and I was happy this morning thinking that Chris will finally put me out of this encoding misery....
 
