xwmario / rutorrent

Automatically exported from code.google.com/p/rutorrent

Buggy invocation of id #751

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Add system.set.umask = 0775 to .rutorrent.rc (optional, but in my case 
adding this line did cause the error to occur; it stopped if I removed it)
2. Load any rutorrent page
3.

What is the expected output? What do you see instead?
Things work, mostly, but I get an error that the rtorrent user can't run 'id'

What environment are you using?
1. My ruTorrent version is... 3.4
2. My rTorrent version is... 0.9.2
3. I use web-server... it version is... on OS... Apache 2.4 on Slackware 
13.37-current
4. I use browser... it version is... on OS... NA

Are some errors present in the web-server log?
No.

Are some errors present in the browser error console?
No.

Please provide any additional information below.
This block of code (in settings.php) is incredibly ugly and stupid:
$randName = uniqid("/tmp/rutorrent-stats-".rand());
$id = getExternal('id');
$req = new rXMLRPCRequest(
    new rXMLRPCCommand("execute",array("sh","-c",$id." -u > ".$randName." ; ".$id." -G >> ".$randName." ; echo ~ >> ".$randName." ; chmod 0644 ".$randName)));
if($req->run() && !$req->fault && (($line=file($randName))!==false) && (count($line)>2)) {
    $this->uid = intval(trim($line[0]));
    $this->gid = explode(' ',trim($line[1]));
    $this->home = trim($line[2]);
    if(!empty($this->directory) &&
        ($this->directory[0]=='~'))
        $this->directory = $this->home.substr($this->directory,1);
    $req = new rXMLRPCRequest(new rXMLRPCCommand( "execute", array("rm",$randName) ));
    $req->run();
}

====================

We are running in local mode -- so why bother with RPC and all that nonsense? 
If we're accessing a local instance, it makes more sense to do something like 
this:
$this->uid = posix_getuid();
$tmp = posix_getpwuid(posix_getuid());
$this->home = $tmp['dir'];
$this->gid = exec('id -G');
if(!empty($this->directory) && ($this->directory[0]=='~'))
    $this->directory = $this->home.substr($this->directory,1);

Original issue reported on code.google.com by damntras...@gmail.com on 29 Jun 2012 at 2:26

GoogleCodeExporter commented 8 years ago
>posix_getuid();
>$tmp = posix_getpwuid

1) These functions are absent in most PHP configurations.
2) Your code is wrong. $this->uid must contain the uid of the *rtorrent* user. In your 
code it contains the uid of the web user. Same for $this->home and $this->gid.

>Add system.set.umask = 0775

The rtorrent and web users must have read/write access to files in /share. As 
a result, remove the umask or place the users in the same group.

Original comment by novik65 on 29 Jun 2012 at 3:22

GoogleCodeExporter commented 8 years ago
You're right about the respective users -- my mistake.

But you can replace posix_getuid() with an XML RPC call which *returns* the 
user ID or name, instead of doing that awful temp file mess -- if I understand 
the code correctly, rXMLRPCRequest->run will return the return value of the 
function called, so you could make a system call from rtorrent which determines 
the user ID, and then call posix_getpwuid($uid) from the result.

Original comment by damntras...@gmail.com on 1 Jul 2012 at 5:02

GoogleCodeExporter commented 8 years ago
1) Once again: POSIX-like functions are disabled on a lot of seedboxes.
2) Main question: for what reason? "If it is working, don't touch it".

Original comment by novik65 on 1 Jul 2012 at 6:06

GoogleCodeExporter commented 8 years ago
If those seedboxes are disabling POSIX functionality for security, why can we 
assume they allow command line access -- especially command line access which 
allows us to create files and gives us access to system utilities?

Furthermore, not all systems come with a compliant 'id' which supports the -G 
flag, so even if we can invoke 'id', there's no guarantee it will do what we 
need.

So to put this another way, it works assuming that you have shell access and a 
working 'id' program -- but if we want to turn those assumptions into 
'requirements', it makes much more sense to simply require that getuid() be 
callable by the rtorrent program.

Original comment by damntras...@gmail.com on 3 Jul 2012 at 12:05

GoogleCodeExporter commented 8 years ago
>If those seedboxes are disabling POSIX functionality for security, why can we 
>assume they allow command line access -- especially command line access which 
>allows us to create files and gives us access to system utilities?

This is simple. Because it is true.

>Furthermore, not all systems come with a compliant 'id' which supports the -G 
>flag

Not all. Simply most of them.

As a result: 1) I disagree with you; 2) if you want to continue, please use the right 
place for this, for example the forum.

Original comment by novik65 on 3 Jul 2012 at 6:04

GoogleCodeExporter commented 8 years ago
Just wanted to post a comment in case people here are encountering the same 
issue.

The real problem here is that umask is NOT the same as file permissions.  A 
umask value of 775 (like the bug creator made) basically gives you NO 
PERMISSIONS.  Try setting umask to something sensible like 002, and you will 
see this error go away.

For more information, read the man page for umask.

Original comment by lukew...@gmail.com on 26 Feb 2013 at 11:09
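
The umask arithmetic from the last comment, as an added example that is not part of the thread or of ruTorrent: a shell redirect creates files with mode 0666 minus the mask, so under 0775 the file is created as `-------w-` and the later `>>` appends in the quoted `sh -c` string are refused for a non-root owner, leaving fewer than the three lines settings.php expects. The function names and temp paths are made up for the demo, and it assumes the umask set in rtorrent is inherited by the shell it spawns.

```shell
#!/bin/sh
# Added demonstration (constructed; not ruTorrent code).

# Print the 9 permission characters of a file created by a shell redirect
# while umask $1 is in effect (redirects request mode 0666, minus the mask).
mode_under_umask() {
    dir=$(mktemp -d) || return 1
    ( umask "$1"; echo probe > "$dir/f" )
    perms=$(ls -l "$dir/f" | cut -c2-10)
    rm -rf "$dir"
    printf '%s\n' "$perms"
}

# Replay the command string from the quoted settings.php under umask $1 and
# print how many lines reached the file. settings.php requires count($line) > 2.
lines_under_umask() {
    dir=$(mktemp -d) || return 1
    (
        umask "$1"
        # "> f" creates the file; each ">> f" must re-open it, which the
        # owner may no longer be allowed to do (root bypasses this check).
        sh -c 'id -u > "$1" ; id -G >> "$1" ; echo ~ >> "$1" ; chmod 0644 "$1"' \
            sh "$dir/f"
    ) 2>/dev/null || true
    n=$(grep -c '' "$dir/f")
    rm -rf "$dir"
    printf '%s\n' "$n"
}

for mask in 0775 0002 0022; do
    printf 'umask %s -> mode %s, lines written %s\n' \
        "$mask" "$(mode_under_umask "$mask")" "$(lines_under_umask "$mask")"
done
```

Run as the rtorrent user rather than root, since root is exempt from the permission check that makes the appends fail.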