
client-server forwarding trickery

  • Brutsch, Michael
    Message 1 of 9 , Apr 4, 2001
      I'm trying to solve a security issue with running CGIs as root. I'm
      writing an app to remotely manage a linux box, and I'd like to use SOAP.
      Problem is, the server needs to run as root (or suid scripts, or in
      *some* way have access to root privs) to perform sysadmin functions:

      Remote SOAP client <-soap-> Local SOAP server

      What I'd like to do is place another process in between, which has NO
      privileges, and acts as a 'forwarder' between the remote client and the
      privileged server:

      Remote SOAP client <-soap-> Local 'forwarder' <----> Local SOAP server

      This way, the only connection to the outside world is the local
      forwarder, and since it has no privs, compromising it would not
      compromise the box (i.e., buffer overflow drops you into a 'nobody'
      shell, instead of a 'root' shell).

      I have the first example working beautifully, with several transports.

      My question: Is there an easy way to code a SOAP::Lite 'client/server'
      that can sit between a client and a server, and just forward requests
      (and results) back and forth?
    • Paul Kulchenko
      Message 2 of 9 , Apr 4, 2001
        Hi, Michael!

        Interesting question, but it seems like you don't need a SOAP server
        that will forward requests; you just need a simple proxy that will
        forward the request to a SOAP server that is unavailable from the
        internet. It would probably be better to do it without involving two
        servers, otherwise you'll need to parse your request twice without
        any visible benefit. Accept the HTTP request, check SOAPAction if
        required (for better security), forward the HTTP message to the SOAP
        server, execute the message (matching SOAPAction against the content
        of the message), send the response back and finally forward this
        response to the destination. You may also provide several transports
        and ticket-based authentication: if HTTP is unavailable for you for
        any reason, you may send your request by SMTP or even FTP as soon as
        you have a valid ticket. Am I missing something?

        Best wishes, Paul.

        --- "Brutsch, Michael" <mbrutsch@...> wrote:
        > I'm trying to solve a security issue with running CGIs as root. I'm
        >
        > writing an app to remotely manage a linux box, and I'd like to use
        > SOAP.
        > Problem is, the server needs to run as root (or suid scripts, or
        > in
        > *some* way have access to root privs) to perform sysadmin
        > functions:
        >
        > Remote SOAP client <-soap-> Local SOAP server
        >
        > What I'd like to do, is place another process in-between, which has
        > NO
        > privileges, and acts as a 'forwarder' between the remote client and
        > the
        > privileged server:
        >
        > Remote SOAP client <-soap-> Local 'forwarder' <----> Local SOAP
        > server
        >
        > This way, the only connection to the outside world is the local
        > forwarder, and since it has no privs, compromising it would not
        > compromise the box (i.e., buffer overflow drops you into a 'nobody'
        >
        > shell, instead of a 'root' shell).
        >
        > I have the first example working beautifully, with several
        > transports.
        >
        > My question: Is there an easy way to code a SOAP::Lite
        > 'client/server'
        > that can sit between a client and a server, and just forward
        > requests
        > (and results) back and forth?
        >
        > ------------------------ Yahoo! Groups Sponsor
        >
        > To unsubscribe from this group, send an email to:
        > soaplite-unsubscribe@yahoogroups.com
        >
        >
        >
        > Your use of Yahoo! Groups is subject to
        > http://docs.yahoo.com/info/terms/
        >
        >


        __________________________________________________
        Do You Yahoo!?
        Get email at your own domain with Yahoo! Mail.
        http://personal.mail.yahoo.com/
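The design Paul sketches above (an unprivileged process that accepts the HTTP request, checks SOAPAction, and relays the message to a SOAP server that is not reachable from outside) written out as an added Perl example; this is editor-supplied code, not code from the thread or from SOAP::Lite itself. The listening port, the backend URL and the SOAPAction allowlist entries are placeholders, and HTTP::Daemon and LWP::UserAgent are assumed to be installed.

```perl
#!/usr/bin/perl
# Added example: an unprivileged HTTP forwarder for SOAP requests.
# It admits only requests whose SOAPAction is on an allowlist and relays
# them to a SOAP server bound to localhost, so the only process facing the
# network holds no privileges. Not from the thread or from SOAP::Lite.
use strict;
use warnings;
use HTTP::Daemon;
use HTTP::Request;
use HTTP::Response;
use LWP::UserAgent;

my $LISTEN_PORT = 8000;                        # placeholder: public port
my $BACKEND     = 'http://127.0.0.1:12000/';   # placeholder: privileged server
my %ALLOWED_ACTION = map { $_ => 1 } (         # placeholder SOAPAction values
    'urn:Admin#status',
    'urn:Admin#restart_service',
);

my $ua = LWP::UserAgent->new(timeout => 30);

# Decide whether to relay one request; returns an HTTP::Response either way.
sub forward {
    my ($req) = @_;

    return HTTP::Response->new(405, 'POST only')
        unless $req->method eq 'POST';

    # SOAPAction is normally sent in double quotes; strip them before matching.
    my $action = $req->header('SOAPAction') // '';
    $action =~ s/^"(.*)"$/$1/;
    return HTTP::Response->new(403, 'SOAPAction not permitted')
        unless $ALLOWED_ACTION{$action};

    # Rough consistency check between the action and the body: the method
    # named after '#' must be the element the client actually sent.
    # The privileged server still does the authoritative dispatch check.
    my ($method) = $action =~ /#(\w+)\z/;
    return HTTP::Response->new(400, 'SOAPAction does not match body')
        unless defined $method
            && $req->content =~ m{<(?:\w+:)?\Q$method\E[\s/>]};

    # Build a fresh request rather than relaying the client's headers
    # verbatim; only the body, its content type and the action cross over.
    my $out = HTTP::Request->new(
        POST => $BACKEND,
        [
            'Content-Type' => $req->header('Content-Type') // 'text/xml',
            'SOAPAction'   => qq{"$action"},
        ],
        $req->content,
    );
    my $res  = $ua->request($out);
    my $body = $res->content;

    # A SOAP fault arrives as HTTP 500 with a Fault element in the body;
    # the code and body are passed back unchanged so the client sees it.
    return HTTP::Response->new(
        $res->code, $res->message,
        [
            'Content-Type'   => $res->header('Content-Type') // 'text/xml',
            'Content-Length' => length $body,
        ],
        $body,
    );
}

my $d = HTTP::Daemon->new(LocalPort => $LISTEN_PORT, ReuseAddr => 1)
    or die "cannot listen on port $LISTEN_PORT: $!";

while (my $c = $d->accept) {
    while (my $req = $c->get_request) {
        $c->send_response(forward($req));
    }
    $c->close;
}
```

Start the forwarder as an unprivileged user and bind the privileged SOAP server to 127.0.0.1 only, so the allowlist above is the only path to it from the network. The client's own path and headers are never relayed; every admitted request is re-issued to the fixed backend URL. The loop above handles one connection at a time, which is enough to show the idea but not for production use.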
      • mbrutsch@intrusion.com
        Message 3 of 9 , Apr 4, 2001
          --- In soaplite@y..., Paul Kulchenko <paulclinger@y...> wrote:
          > Hi, Michael!
          >
          > Interesting question, but it seems like you don't need SOAP server
          > that will forward requests, you just need to have simple proxy that
          > will forward request to SOAP server unavailable from internet.
          > Probably it would be better to do without involving two servers,
          > otherwise you'll need to parse your request twice without visible
          > benefits. Accept HTTP request, check SOAPAction if required (for
          > better security), forward HTTP message to SOAP server, execute
          > message (match SOAPAction with content of the message), send response
          > back and finally forward this response to the destination. You may
          > also provide several transports and ticket-based authentication, if
          > http is unavailable for you for any reason, you may send your request
          > by smtp or even ftp as soon as you have valid ticket. Am I missing
          > something?

          No, you have the essence of the problem. I just don't know how to go
          about writing the 'simple proxy that will forward request to SOAP
          server' (and forward results back to the Internet), so I wanted to
          exhaust existing methods before venturing off into unknown
          territory...next stop, Perl Monks.

          Thanks for your help!

          Michael

          >
          > Best wishes, Paul.
          >
          > --- "Brutsch, Michael" <mbrutsch@i...> wrote:
          > > I'm trying to solve a security issue with running CGIs as root. I'm
          > >
          > > writing an app to remotely manage a linux box, and I'd like to use
          > > SOAP.
          > > Problem is, the server needs to run as root (or suid scripts, or
          > > in
          > > *some* way have access to root privs) to perform sysadmin
          > > functions:
          > >
          > > Remote SOAP client <-soap-> Local SOAP server
          > >
          > > What I'd like to do, is place another process in-between, which has
          > > NO
          > > privileges, and acts as a 'forwarder' between the remote client and
          > > the
          > > privileged server:
          > >
          > > Remote SOAP client <-soap-> Local 'forwarder' <----> Local SOAP
          > > server
          > >
          > > This way, the only connection to the outside world is the local
          > > forwarder, and since it has no privs, compromising it would not
          > > compromise the box (i.e., buffer overflow drops you into a 'nobody'
          > >
          > > shell, instead of a 'root' shell).
          > >
          > > I have the first example working beautifully, with several
          > > transports.
          > >
          > > My question: Is there an easy way to code a SOAP::Lite
          > > 'client/server'
          > > that can sit between a client and a server, and just forward
          > > requests
          > > (and results) back and forth?
          > >
        • mbrutsch@intrusion.com
          Message 4 of 9 , Apr 5, 2001
            I found a port forwarder in the Perl Cookbook(tm), and it seems to
            work well. (I run webmin on localhost:10000; if I forward 8000 to
            10000, then I can access webmin on localhost:8000). I can also make
            the SOAP c/s work perfectly, using TCP transport and port 12000. But
            if I change the client to 12001, and forward 12001 to 12000, the
            method executes on the server, but the client dies with 'Can't call
            method "result" on an undefined value'. Any thoughts?

            Thanks,
            Michael

            > > Interesting question, but it seems like you don't need SOAP server
            > > that will forward requests, you just need to have simple proxy
            > > that will forward request to SOAP server unavailable from
            > > internet.
          • Paul Kulchenko
            Message 5 of 9 , Apr 5, 2001
              Hi, Michael!

              Usually that means that the server returned a fault message. You
              may check for the fault first:

              my $soap = SOAP::Lite
              ->uri/proxy/etc()
              ->method(@parameters);

              print $soap->fault ? $soap->faultstring : $soap->result;

              You may also switch on debug on client side with

              SOAP::Lite
              ->uri(...)
              ->proxy(...)
              ->on_debug(sub{print@_})
              ....

              and you'll see both request and response with headers. If that
              doesn't give you any ideas about the reason, send me the output
              and I'll take a look.

              Best wishes, Paul.

              --- mbrutsch@... wrote:
              > I found a port forwarder in the Perl Cookbook(tm), and it seems to
              > work well. (I run webmin on localhost:10000; if I forward 8000 to
              > 10000, then I can access webmin on localhost:8000). I can also
              > make
              > the SOAP c/s work perfectly, using TCP transport and port 12000.
              > But
              > if I change the client to 12001, and forward 12001 to 12000, the
              > method executes on the server, but the client dies with 'Can't call
              > method "result" on an undefined value'. Any thoughts?
              >
              > Thanks,
              > Michael
              >
              > > > Interesting question, but it seems like you don't need SOAP
              > server
              > > > that will forward requests, you just need to have simple proxy
              > > > that will forward request to SOAP server unavailable from
              > > > internet.
              >
              >
            • Brutsch, Michael
              Message 6 of 9 , Apr 5, 2001
                Paul Kulchenko wrote:

                > Hi, Michael!
                >
                > Usually that means that server returned fault message. You may check
                > fault first:
                >
                > my $soap = SOAP::Lite
                > ->uri/proxy/etc()
                > ->method(@parameters);
                >
                > print $soap->fault ? $soap->faultstring : $soap->result;

                Now I just get 'Can't call method "fault" on an undefined value' instead.

                >
                > You may also switch on debug on client side with
                >
                > SOAP::Lite
                > ->uri(...)
                > ->proxy(...)
                > ->on_debug(sub{print@_})

                Tried this, no discernible change in output.

                > ....
                >
                > and you'll see both request and response with headers. If it won't
                > give you any ideas about the reason, send me output, I'll take a
                > look.

                At present, I have no output other than the error message. I could send
                you the client and server (they're just hibye.pl/cgi converted to
                Transport::TCP), but you'd need the port forwarder to break'em. :)

                Thanks,
                Michael

                >
                > Best wishes, Paul.
                >
                > --- mbrutsch@... wrote:
                >
                >> I found a port forwarder in the Perl Cookbook(tm), and it seems to
                >> work well. (I run webmin on localhost:10000; if I forward 8000 to
                >> 10000, then I can access webmin on localhost:8000). I can also
                >> make
                >> the SOAP c/s work perfectly, using TCP transport and port 12000.
                >> But
                >> if I change the client to 12001, and forward 12001 to 12000, the
                >> method executes on the server, but the client dies with 'Can't call
                >> method "result" on an undefined value'. Any thoughts?
                >>
                >> Thanks,
                >> Michael
                >>
                >>
                >>>> Interesting question, but it seems like you don't need SOAP
                >>>> server
                >>>> that will forward requests, you just need to have simple proxy
                >>>> that will forward request to SOAP server unavailable from
                >>>> internet.
              • mbrutsch@intrusion.com
                Message 7 of 9 , Apr 12, 2001
                  Paul,

                  I am setting up an object, like so:

                  my $soap = SOAP::Lite
                  ->uri/proxy/etc();

                  my $object = $soap
                  -> call(new => parm1,
                  => parm2)
                  -> result;

                  Then I call a method on that object:

                  my $result = $soap
                  -> method($object)
                  -> result;

                  $result contains the result. However, if I split the $soap->result
                  off, like so:

                  $soap
                  -> method($object);

                  my $result = $soap
                  -> result;

                  I always get '1' as a result. I'm trying to use the following line
                  you sent me last week:

                  > print $soap->fault ? $soap->faultstring : $soap->result;

                  What am I doing wrong?

                  Thanks,
                  Michael
                • Paul Kulchenko
                  Message 8 of 9 , Apr 12, 2001
                    Hi, Michael!

                    While you may stack the other methods of the $soap object
                    with arrow syntax (->) because they return the $soap object
                    itself (when assigned a value), a method call always returns
                    a SOAP::SOM object which gives you access to the results of
                    the call:

                    my $soap = SOAP::Lite->....;
                    my $som = $soap->method(@parameters);
                    print $som->result;

                    which is the same as:

                    print $soap->method(@parameters)->result;

                    You skipped the assignment of the result of the method call,
                    and got the wrong results. Hope it helps.

                    Best wishes, Paul.

                    --- mbrutsch@... wrote:
                    > Paul,
                    >
                    > I am setting up an object, like so:
                    >
                    > my $soap = SOAP::Lite
                    > ->uri/proxy/etc();
                    >
                    > my $object = $soap
                    > -> call(new => parm1,
                    > => parm2)
                    > -> result;
                    >
                    > Then I call a method on that object:
                    >
                    > my $result = $soap
                    > -> method($object)
                    > -> result;
                    >
                    > $result contains the result. However, if I split the $soap->result
                    > off, like so:
                    >
                    > $soap
                    > -> method($object);
                    >
                    > my $result = $soap
                    > -> result;
                    >
                    > I always get '1' as a result. I'm trying to use the following line
                    > you sent me last week:
                    >
                    > > print $soap->fault ? $soap->faultstring : $soap->result;
                    >
                    > What am I doing wrong?
                    >
                    > Thanks,
                    > Michael
                    >
                    >
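To make Paul's point concrete without a live server, the following added example (editor-supplied, not from the thread or from SOAP::Lite's own documentation) feeds two constructed envelopes, one normal response and one fault, through SOAP::Deserializer, which hands back the same kind of SOAP::SOM object that `->method(...)` or `->call(...)` returns. The fault and result checks are then made on that SOM, never on the `$soap` object. The namespace urn:Demo, the element names and the fault text are made up for the example.

```perl
#!/usr/bin/perl
# Added example: what a SOAP::SOM object gives you. Two constructed
# envelopes stand in for what a SOAP::Lite method call would return.
use strict;
use warnings;
use SOAP::Lite;

# Constructed success response: one method result.
my $ok_xml = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <m:hiResponse xmlns:m="urn:Demo">
      <result>hello, world</result>
    </m:hiResponse>
  </soap:Body>
</soap:Envelope>
XML

# Constructed fault response, the shape a server sends when a call is refused.
my $fault_xml = <<'XML';
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Client</faultcode>
      <faultstring>Method not permitted</faultstring>
      <detail>restart_service is not on the allowlist</detail>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>
XML

# Takes a SOAP::SOM (what $soap->method(...) or $soap->call(...) returns)
# and reports either the fault or the result. This is the check Paul
# describes, applied to the SOM rather than to the $soap object.
sub describe {
    my ($som) = @_;
    if ($som->fault) {
        return 'fault: ' . $som->faultcode . ': ' . $som->faultstring;
    }
    return 'result: ' . $som->result;
}

for my $xml ($ok_xml, $fault_xml) {
    # SOAP::Deserializer->deserialize returns a SOAP::SOM for any envelope.
    my $som = SOAP::Deserializer->deserialize($xml);
    print describe($som), "\n";
}
```

The same `describe` function works unchanged on the object returned by a real call (`describe($soap->call($method => @args))`); the deserializer is only there so the example runs offline.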
                  • Michael Percy
                    Message 9 of 9 , Apr 12, 2001
                      Michael,
                      As I understand it, you need to create a response object to access the
                      result. For example:

                      ---
                      use strict;
                      use warnings;
                      use SOAP::Lite;

                      # $proxy, $uri, $method and @args come from the caller;
                      # the values here are placeholders so the script runs.
                      my $proxy  = 'http://localhost:8000/';
                      my $uri    = 'urn:YourService';
                      my $method = 'hi';
                      my @args   = ();

                      my $soap = SOAP::Lite
                          -> proxy($proxy)
                          -> uri($uri);

                      # call() returns a SOAP::SOM on success, or a non-reference
                      # when the request never reached the server.
                      my $response = $soap->call($method => (@args));

                      # Exit error if there is a transport problem
                      if (!ref $response) {
                          print STDERR "Error: Transport: ", $soap->transport->status, "\n";
                          exit(1);
                      }

                      # Exit error if there is an application problem
                      if ($response->fault) {
                          print STDERR "Error: ", $response->faultcode, ": ",
                              $response->faultstring, "\n";
                          print STDERR "  ", ($response->faultdetail // ''), "\n";
                          exit(1);
                      }

                      # Exit success if everything goes ok
                      print $response->result;
                      exit(0);
                      ---

                      Hope that helps,
                      Mike

                      > -----Original Message-----
                      > From: mbrutsch@... [mailto:mbrutsch@...]
                      > Sent: Thursday, April 12, 2001 11:07 AM
                      > To: soaplite@yahoogroups.com
                      > Subject: [soaplite] Re: client-server forwarding trickery
                      >
                      >
                      > Paul,
                      >
                      > I am setting up an object, like so:
                      >
                      > my $soap = SOAP::Lite
                      > ->uri/proxy/etc();
                      >
                      > my $object = $soap
                      > -> call(new => parm1,
                      > => parm2)
                      > -> result;
                      >
                      > Then I call a method on that object:
                      >
                      > my $result = $soap
                      > -> method($object)
                      > -> result;
                      >
                      > $result contains the result. However, if I split the $soap->result
                      > off, like so:
                      >
                      > $soap
                      > -> method($object);
                      >
                      > my $result = $soap
                      > -> result;
                      >
                      > I always get '1' as a result. I'm trying to use the following line
                      > you sent me last week:
                      >
                      > > print $soap->fault ? $soap->faultstring : $soap->result;
                      >
                      > What am I doing wrong?
                      >
                      > Thanks,
                      > Michael
                      >
                      >