Topic: bash script executed correctly, python script gets Operation not permitted

MarcoBazzani:
This is the situation. I have mod_exec with this conf:

Code:
   LoadModule mod_exec.c
   ExecEngine on
   ExecLog /var/log/proftpd/exec.log
   ExecOnCommand APPE,STOR /var/lib/proftpd/upload.py %u %f

And I got:
Code:
Oct 24 16:29:01 mod_exec/0.9.9[2230]: preparing to execute '/var/lib/proftpd/upload.py' with uid 700 (euid 700), gid 700 (egid 700)
Oct 24 16:29:01 mod_exec/0.9.9[2230]:  + '/var/lib/proftpd/upload.py': argv[1] = test
Oct 24 16:29:01 mod_exec/0.9.9[2230]:  + '/var/lib/proftpd/upload.py': argv[2] = /test.sh
Oct 24 16:29:01 mod_exec/0.9.9[2230]: STOR ExecOnCommand '/var/lib/proftpd/upload.py' failed: Operation not permitted
While if I put a bash script which wraps the python script like this:
Code:
#!/bin/bash

# Resolve the directory this wrapper lives in, then hand every argument on to the Python script
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
"$DIR/upload.py" "$@"

Everything works fine:
Code:
Oct 24 17:20:44 mod_exec/0.9.9[2751]: preparing to execute '/var/lib/proftpd/wrapper_upload.sh' with uid 700 (euid 700), gid 700 (egid 700)
Oct 24 17:20:44 mod_exec/0.9.9[2751]:  + '/var/lib/proftpd/wrapper_upload.sh': argv[1] = test
Oct 24 17:20:44 mod_exec/0.9.9[2751]:  + '/var/lib/proftpd/wrapper_upload.sh': argv[2] = /test.sh
Oct 24 17:20:44 mod_exec/0.9.9[2751]: STOR ExecOnCommand '/var/lib/proftpd/wrapper_upload.sh' succeeded

Permissions:

Code:
[root@dmz01 ~]# ls /var/lib/proftpd/*upload* -al
-rwxr-xr-x. 1 root root 506 Oct 24 17:20 /var/lib/proftpd/upload.py
-rwxr-xr-x. 1 root root  88 Oct 24 17:31 /var/lib/proftpd/wrapper_upload.sh

What am I doing wrong?

The same script executed by a user with uid/gid 700 works fine.


Full config file:

Code:
ServerName "ProFTPD server"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
DefaultServer on

VRootEngine on
DefaultRoot ~ !adm
VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf

AuthPAMConfig proftpd
AuthOrder mod_auth_file.c

UseReverseDNS off

User    nobody
Group nobody

MaxInstances 200

UseSendfile off

LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"

AuthUserFile  /var/lib/proftpd/ftpd.passwd

LoadModule mod_exec.c
ExecEngine on
ExecLog /var/log/proftpd/exec.log
ExecOnCommand APPE,STOR /var/lib/proftpd/wrapper_upload.sh %u %f

LoadModule mod_sftp.c
Port 2222
SFTPEngine On
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPClientMatch "WS_FTP" channelWindowSize 1GB

<IfDefine TLS>
  TLSEngine on
  TLSRequired on
  TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
  TLSCipherSuite ALL:!ADH:!DES
  TLSOptions NoCertRequest
  TLSVerifyClient off
  #TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
  TLSLog /var/log/proftpd/tls.log
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache shm:/file=/var/run/proftpd/sesscache
  </IfModule>
</IfDefine>

<IfDefine DYNAMIC_BAN_LISTS>
  LoadModule mod_ban.c
  BanEngine on
  BanLog /var/log/proftpd/ban.log
  BanTable /var/run/proftpd/ban.tab

  BanOnEvent MaxLoginAttempts 2/00:10:00 01:00:00

  BanControlsACLs all allow user ftpadm
</IfDefine>

<Global>

  Umask 002

  AllowOverwrite yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>

</Global>

<IfDefine ANONYMOUS_FTP>
  <Anonymous ~ftp>
    User ftp
    Group ftp
    AccessGrantMsg "Anonymous login ok, restrictions apply."

    UserAlias anonymous ftp

    MaxClients 10 "Sorry, max %m users -- try again later"

    DisplayLogin /welcome.msg
    DisplayChdir .message
    DisplayReadme README*

    DirFakeUser on ftp
    DirFakeGroup on ftp

    <Limit WRITE SITE_CHMOD>
      DenyAll
    </Limit>

    <Directory uploads/*>
      AllowOverwrite no
      <Limit READ>
        DenyAll
      </Limit>

      <Limit STOR>
        AllowAll
      </Limit>
    </Directory>

    WtmpLog off

    ExtendedLog /var/log/proftpd/access.log WRITE,READ default
    ExtendedLog /var/log/proftpd/auth.log AUTH auth

  </Anonymous>
</IfDefine>
castaglia (Administrator):
What does the first line of your Python script look like?  The mod_exec module executes scripts using the execve(2) system call.  This call expects that the executed file, if it is to be run by an interpreter, have as the first line something like:

  #!/path/to/python

This is quite similar to your bash script workaround.

MarcoBazzani:
This is my python script:

Code:
(reverse-i-search)`vim': ^Cm /etc/proftpd.conf
[root@dmz01 ~]# vim /var/lib/proftpd/upload.py

#!/usr/bin/python

from sys import argv
import time

ftp_root_dir = '/inbound/'
logbasepath = '/home/jboss/logs/uploaded_files_'

# mod_exec passes %u (the FTP user) as argv[1] and %f (the stored file) as argv[2]
user = argv[1]
error_code = '0'
date = time.strftime('%Y-%m-%d')
clock = time.strftime('%H:%M:%S')
filepath = ftp_root_dir + user + argv[2]
logdate = time.strftime('%y%m%d')
logfile = logbasepath + logdate + '.log'

logline = '%s|%s|%s|%s|%s\n' % (user, error_code, date, clock, filepath)

# append one pipe-delimited record per upload to the day's log file
log = open(logfile, 'a')
log.write(logline)
log.close()

MarcoBazzani:
This is the debug output of proftpd:

Code:
10.228.2.68 (::1[::1]) - dispatching POST_CMD command 'STOR /test.sh' to mod_exec
10.228.2.68 (::1[::1]) - REVOKE PRIVS at mod_exec.c:492
10.228.2.68 (::1[::1]) - REVOKE PRIVS: unable to seteuid(): Operation not permitted
10.228.2.68 (::1[::1]) - dispatching LOG_CMD command 'STOR /test.sh' to mod_log

MarcoBazzani:
The script starts with #!/usr/bin/python.

The first 2 lines in the previous post were a wrong cut&paste.

MarcoBazzani:
Any clue?

castaglia (Administrator):
Another possibility is that the Python script (when run directly) exits with a non-zero return value.  You might test this by adding an explicit return value, e.g.:
Code:
  import sys
  ...
  sys.exit(0)
I.e. make the sys.exit() call the very last line in the script.

If this works, it suggests that your log.close() function was not succeeding as you might expect...
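Both suggestions in this thread, the interpreter line and the exit status, can be checked outside ProFTPD with the following Python 3 harness. It is an added example, not code from this thread or from mod_exec: it forks and execve(2)s a constructed temporary handler the way mod_exec starts an ExecOnCommand handler, and reports the errno when execve itself fails (a script with no `#!` line gives ENOEXEC, "Exec format error", which is a different errno from the EPERM, "Operation not permitted", that seteuid() reports in the debug output) or the script's exit status when it does run. sys.executable stands in for /usr/bin/python, and the three sample handler scripts are constructed for the demo.

```python
import os
import sys
import tempfile

def run_handler(path, args):
    """fork + execve(path, [path]+args) like mod_exec; -> ('exec_failed', errno) or ('exited', status)."""
    r, w = os.pipe()                        # non-inheritable: a successful exec closes w
    pid = os.fork()
    if pid == 0:                            # child
        os.close(r)
        try:
            os.execv(path, [path] + list(args))
        except OSError as e:
            os.write(w, bytes([e.errno]))   # report why execve failed
        os._exit(127)
    os.close(w)                             # parent
    err = os.read(r, 1)                     # empty when the exec succeeded
    os.close(r)
    _, status = os.waitpid(pid, 0)
    return ("exec_failed", err[0]) if err else ("exited", os.WEXITSTATUS(status))

def make_script(body):
    """Write a constructed handler to a temp file and make it executable."""
    fd, path = tempfile.mkstemp(suffix=".py")
    with os.fdopen(fd, "w") as f:
        f.write(body)
    os.chmod(path, 0o755)
    return path

# Constructed handlers; sys.executable stands in for /usr/bin/python.
NO_SHEBANG = "import sys\nsys.exit(0)\n"                       # no interpreter line
WITH_SHEBANG = "#!%s\nimport sys\nsys.exit(0 if len(sys.argv) == 3 else 3)\n" % sys.executable

def demo():
    results = {}
    for name, body, args in [("no_shebang", NO_SHEBANG, ["test", "/test.sh"]),
                             ("ok", WITH_SHEBANG, ["test", "/test.sh"]),
                             ("missing_arg", WITH_SHEBANG, ["test"])]:
        path = make_script(body)
        results[name] = run_handler(path, args)
        os.unlink(path)
    return results

def describe(result):
    """Same errno text ProFTPD logs, e.g. EPERM -> 'Operation not permitted'."""
    kind, value = result
    return "%s: %s" % (kind, os.strerror(value) if kind == "exec_failed" else "exit status %d" % value)

if __name__ == "__main__":
    print("\n".join("%-12s %s" % (n, describe(r)) for n, r in demo().items()))
```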

MarcoBazzani:
Re: bash script executed correctly, python script gets Operation not permitted
« Reply #7 on: November 21, 2015, 03:34:38 pm »
It's not executed at all, otherwise I would get the line written to the file.