Apache and suexec issue that wont let me run my python script

Chris Angelico rosuav at gmail.com
Wed Jun 5 12:33:50 EDT 2013


On Wed, Jun 5, 2013 at 9:19 PM, Νικόλαος Κούρας <nikos.gr33k at gmail.com> wrote:
> On Wednesday, 5 June 2013 2:14:34 PM UTC+3, the user Heiko Wundram wrote:
>> On 05.06.2013 13:07, Νικόλαος Κούρας wrote:
>>
>> >Btw, since history doesn't show me his history commands when he logged in
>> >from .au (why not really?), how can I tell what exactly did he do when he
>> >logged on to the server?
>
>> As root has full access to your system (i.e., can change file contents
>> and system state at will), and you gave him root access: you can't. And
>> he made sure to remove things such as .bash_history and the syslog
>> contents, I guess. At least that's what I'd have done to prove a point.

In fact, I didn't even bother fiddling with syslog. All I did was
.bash_history. Of course, I wasn't worried about you getting my IP
addresses (one of them is public anyway, and the other isn't mine any
longer than I'm using it), and nothing I did there was sufficiently
serious to be worth hiding, but I just did the history so I could
point out how easy this is.

> I see. Thanks.
> Is there some logging utility I can use next time I am offering root access to someone (if I do it), or perhaps logging a normal account's activity?

You could log a normal user fairly easily, because root trumps normal
users. To log root access, there are a few options:

1) Don't actually give unrestricted root, but require the use of
sudo, which logs. Not 100% perfect unless you actually restrict the
commands that can be executed, but it'd at least let you have some
idea that things were tampered with.

2) Provide a special bouncer. This is a little complex to describe, so
bear with me. Imagine you have *two* computers, WebHost and Bouncer.
You want to give root access to WebHost, so you invite someone to ssh
to webroot at bouncer - the shell of that user establishes a secondary
connection to root at webhost and passes everything on, but also logs it.
Since *no* access to Bouncer has been granted, the logs can't be
tampered with. This can be complicated to set up and secure, but it's
certainly possible. However, I think it is beyond your ability, at
least at the moment.

3) Provide a hacked-up root shell that logs to a network location, and
disable all other shell usage. Imperfect but would probably work.

4) Require that all root shell access be done through screen/tmux, and
monitor it.

You can probably think of a few others, too.

ChrisA
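Option 1 above relies on reading sudo's own log lines afterwards, and its weak spot is exactly the one Chris names: once someone is allowed to run `sudo bash` or `sudo su`, sudo records that one command and nothing that follows. The script below is an added illustration, not code from the thread or from any of its participants: it parses sudo's syslog-format lines (constructed sample lines, invented users and host), reconstructs who ran what as root, and flags the invocations after which sudo's logging goes blind, plus any denied attempts.

```python
"""Reconstruct root activity from sudo's syslog lines and flag the points
where an unrestricted shell was started (example code added to this page,
not from the mailing-list thread; the log lines are constructed)."""

import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log (Debian) or /var/log/secure
# (Red Hat) content; host, users and commands are invented.
SAMPLE_AUTH_LOG = """\
Jun  5 12:01:03 webhost sudo:   nikos : TTY=pts/0 ; PWD=/home/nikos ; USER=root ; COMMAND=/usr/bin/apt-get update
Jun  5 12:02:17 webhost sudo:   chrisa : TTY=pts/1 ; PWD=/home/chrisa ; USER=root ; COMMAND=/bin/cat /var/log/httpd/error_log
Jun  5 12:03:40 webhost sudo:   chrisa : TTY=pts/1 ; PWD=/home/chrisa ; USER=root ; COMMAND=/bin/bash
Jun  5 12:05:02 webhost sudo:   guest : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/ls /root
Jun  5 12:06:15 webhost sudo: pam_unix(sudo:session): session opened for user root by chrisa(uid=0)
"""

# "<timestamp> <host> sudo: <invoking user> : <field> ; <field> ; ..."
SUDO_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?P<rest>.*)$"
)

# sudo's field names mapped to our record keys (USER is the target user,
# so it is stored as "runas" to avoid clashing with the invoking user).
FIELD_NAMES = {"TTY": "tty", "PWD": "pwd", "USER": "runas", "COMMAND": "command"}

# Commands that hand out an interactive shell: after one of these sudo
# records nothing further, so the rest of the session is unlogged.
SHELL_BINARIES = {"bash", "sh", "dash", "zsh", "ksh", "su"}


def parse_sudo_log(text):
    """Return one dict per sudo command line; pam_unix session lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue
        rec = {"ts": m["ts"], "host": m["host"], "user": m["user"], "denied": False}
        for field in m["rest"].split(" ; "):
            key, sep, value = field.partition("=")
            if sep and key in FIELD_NAMES:
                rec[FIELD_NAMES[key]] = value
            elif not sep:
                # A free-text field such as "user NOT in sudoers" means the
                # request was refused; the COMMAND that follows never ran.
                rec["denied"] = True
                rec["reason"] = field.strip()
        records.append(rec)
    return records


def shell_escapes(records):
    """Accepted invocations whose command is itself a shell (logging blind spot)."""
    hits = []
    for rec in records:
        if rec["denied"] or "command" not in rec:
            continue
        binary = rec["command"].split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_BINARIES:
            hits.append(rec)
    return hits


def commands_by_user(records):
    """Commands actually executed as the target user, grouped by invoking user."""
    out = defaultdict(list)
    for rec in records:
        if not rec["denied"] and "command" in rec:
            out[rec["user"]].append(rec["command"])
    return dict(out)


def report(text):
    """Summary lines: per-user counts, shell escapes, denied attempts."""
    records = parse_sudo_log(text)
    lines = []
    for user, cmds in sorted(commands_by_user(records).items()):
        lines.append(f"{user}: {len(cmds)} command(s) run as root via sudo")
    for rec in shell_escapes(records):
        lines.append(f"WARNING {rec['ts']} {rec['user']} started {rec['command']} "
                     f"on {rec['tty']}: sudo logs nothing after this point")
    for rec in records:
        if rec["denied"]:
            lines.append(f"DENIED {rec['ts']} {rec['user']} ({rec['reason']}): "
                         f"{rec.get('command', '?')}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUTH_LOG)))
```

Two things the script makes visible that the thread only states: the `chrisa` warning line is the moment option 1 stops giving you anything, which is why the sudoers rule has to restrict which commands are allowed rather than just require sudo; and the log file itself lives on the box the root user controls, so it is only trustworthy if syslog also forwards to another host, which is the same idea as the "logs to a network location" in option 3. (sudo can additionally record full terminal input and output with its `log_input`/`log_output` options for replay with `sudoreplay`, which covers much of what option 4 tries to get from screen/tmux, with the same remote-storage caveat.)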