A process owned/executed by root, "whoami's" to user? Can anyone explain the mechanics?

Users on the machine:

  • I am (logged in as) User1
  • there is a User2 on this machine
  • and also a root-user of course

say I

  • “netstat -tulpne” - so it gives user information about the running server processes
  • I see a (php)webserver owned/executed by User 0 (root)
  • I can alter/write the php files this webserver executes

What I am wondering:

  • say I write a php file containing "shell_exec('whoami');"
  • I (User1) own both the directory and the webpages the webserver runs (the php files)
  • I (User1) run this file
  • I execute this code (using curl ) through the webserver, executed by root
  • but if I run this code, it outputs “User2”

So basically: how is it possible that if something is executed by root, initiated by User1, the above code then returns “User2”? I’m very much interested and eager to understand the mechanics of this and how it is set up. All hints are appreciated.

Is this Windows or Linux? I don’t know much about Linux, but on Windows none of these things you listed will have any effect on what user the website is running as (and therefore what you get from whoami):

I (User1) own both the directory and the webpages the webserver runs (the php files)
I (User1) run this file
I execute this code (using curl) through the webserver, executed by root

The only things that will affect it are:

  1. What user account the web server is set to run as. So either what account the service itself is set to log on as, or, if it's something like IIS that supports different accounts running different websites, then it's just the account that was configured to run that site.

  2. If the site is configured to support Windows authentication and is allowed to impersonate the user viewing the site, that might affect what user you get from whoami, as it might say whatever user you’re using to view the site.

In your case it sounds much more like number 1. I’d imagine on Linux things still work pretty similarly, but I might be wrong.

I am not a Linux guru in any way, but I think VbScrub is right; I think it is very similar in Linux.

The term you are looking for is “dropping privileges”.
In order to listen on any port <1024 under Linux, you need root privileges. Since, for security reasons, you don’t want your web server to run as root, the server will bind to e.g. port 80 as root, then fork a child process in which the program performs a setuid() to switch to another user. Only after that switch does it actually start listening for and accepting connections on that port, so that only the unprivileged child process/thread serves the requests (and thus executes commands).
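Here is the sequence HomeSen describes written out as a small C server. This is an added example for this page, not code posted in the thread and not taken from any particular web server: it binds the privileged port while still root, forks, drops to an unprivileged account in the child (supplementary groups, then gid, then uid, and a check that root cannot be regained), and only then accepts connections. Every response reports the uid the handler runs as, which is the same identity the PHP shell_exec('whoami') in the question reported. The port 80 and the account names "www-data"/"nobody" are assumptions.

```c
/* drop_privs_demo.c: added example, not code posted in this thread.
 * Bind a privileged port as root, fork, drop to an unprivileged user in the
 * child, and only then accept connections. Each response reports the uid the
 * handler runs as, which is what shell_exec('whoami') in the question showed.
 * Build: cc -Wall -o drop_privs_demo drop_privs_demo.c
 * Run:   sudo ./drop_privs_demo 80 www-data    (port and user are assumptions)
 * Check: curl http://127.0.0.1/                 (prints e.g. "uid=33 euid=33") */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Ports 1..1023 need CAP_NET_BIND_SERVICE, which root has by default. */
int needs_root_to_bind(int port) { return port > 0 && port < 1024; }

/* TCP socket bound to 0.0.0.0:port, listening. Returns fd or -1 (errno set). */
int bind_listen(int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons((uint16_t)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 16) != 0) {
        int saved = errno; close(fd); errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently switch to uid/gid. Order matters: supplementary groups, then gid,
 * then uid, because an unprivileged uid can no longer change groups. setuid()
 * called as root sets real, effective and saved uid together, so the switch is
 * irrevocable; the final check confirms root cannot be regained.
 * Returns 0 on success, -1 on failure (errno set). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) { errno = EACCES; return -1; } /* must fail */
    return 0;
}

/* Serve forever: every handler call runs with whatever identity we have now. */
static void serve(int fd)
{
    for (;;) {
        int c = accept(fd, NULL, NULL);
        if (c < 0) continue;
        char buf[64];
        int n = snprintf(buf, sizeof buf, "uid=%u euid=%u\n",
                         (unsigned)getuid(), (unsigned)geteuid());
        if (write(c, buf, (size_t)n) < 0) perror("write");
        close(c);
    }
}

int main(int argc, char **argv)
{
    int port = argc > 1 ? atoi(argv[1]) : 80;
    const char *user = argc > 2 ? argv[2] : "nobody";  /* assumed account name */
    if (needs_root_to_bind(port) && geteuid() != 0) {
        fprintf(stderr, "port %d needs root to bind\n", port);
        return 1;
    }
    int fd = bind_listen(port);                        /* done while still root */
    if (fd < 0) { perror("bind_listen"); return 1; }

    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {                                    /* child: drop, then serve */
        if (geteuid() == 0) {
            struct passwd *pw = getpwnam(user);
            if (!pw) { fprintf(stderr, "no such user: %s\n", user); _exit(1); }
            if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
                perror("drop_privileges"); _exit(1);
            }
        }
        fprintf(stderr, "serving :%d as uid=%u\n", port, (unsigned)getuid());
        serve(fd);
    }
    close(fd);                 /* parent keeps no listening socket, just waits */
    int status;
    return (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : 1;
}
```

Running it as root and then hitting it with curl shows the point of the thread: the process that owns the socket was started by root, but the code that answers the request has already switched to the configured account, so anything it executes (here, just reporting its uid) runs as that account. The same ordering (groups, gid, uid, then verify) is what you want in any service you write that starts privileged; doing setuid() before setgid() silently leaves the process in its original groups.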

@VbScrub said:
Is this Windows or Linux? I don’t know much about Linux, but on Windows none of these things you listed will have any effect on what user the website is running as (and therefore what you get from whoami):

  1. What user account the web server is set to run as. So either what account the service itself is set to log on as, or, if it's something like IIS that supports different accounts running different websites, then it's just the account that was configured to run that site.

Big thanks VbScrub! It was actually Linux, but it seems to be the same mechanism. Thanks for the patient and informative reply!

@Radiance said:
I am not a Linux guru in any way, but I think VbScrub is right; I think it is very similar in Linux.

You guys were both right. Thanks man for the reply and best of luck on your journey here!

@HomeSen said:
The term you are looking for is “dropping privileges”.
In order to listen on any port <1024 under Linux, you need root privileges. Since, for security reasons, you don’t want your web server to run as root, the server will bind to e.g. port 80 as root, then fork a child process in which the program performs a setuid() to switch to another user. Only after that switch does it actually start listening for and accepting connections on that port, so that only the unprivileged child process/thread serves the requests (and thus executes commands).

This led me to some awesome reads and makes it totally clear. Enormous thanks HomeSen!