Apache and suexec issue that won't let me run my python script

Chris Angelico rosuav at gmail.com
Wed Jun 5 13:47:38 EDT 2013


On Thu, Jun 6, 2013 at 3:29 AM, Νικόλαος Κούρας <nikos.gr33k at gmail.com> wrote:
> Now about what you did to me. I wanted to tell you that I (and I am sure there are other people too) don't agree with what you did. I think it was pretty rotten -- you told me it was a bad idea to give out the root password and that was as far as you should have gone, you had no right to "prove" it by screwing with my system.
>
> In the US there is a law called the DMCA which I think would make what
> you did illegal, even though I gave you a password, because I
> clearly gave you access to help me fix a problem, not to do what you
> did. Of course US law doesn't help in this case since I live in Greece and you live in Australia...

IANAL, but I don't think the DMCA has anything to do with this. (That
is to say, I don't think it would even if everything were under US
jurisdiction, which as you say isn't the case anyway.) What I did is
no more illegal than you lending your car keys to a stranger with the
request that he lock your door for you, and him then leafing through
the contents of your car and telling your spouse what he found. If
that causes your marriage to break up, the fault was with you for
having something in your car that would break up your marriage, and
for letting a stranger poke around in there.

> I still maintain my belief that most people are good and want to help
> rather than be destructive (which to your defense you weren't entirely. The mails you sent to my few customers though really pissed me off).

The mails to your customers stop you from pretending to them that you
know what you're doing. That's all. Now, you may be able to come back
from this by making a public change of policy (you so far have a
declared stance that you would give out the root password to someone
else in future) and apologizing profusely to your customers, but if
you can't, that is your problem and not mine.

I was programming computers for eighteen years before I got a job
doing it. Getting money for hosting people's web sites is something
that you should see as a privilege for people who can demonstrably
provide this service safely, and should not be something you strive
for while you're learning the basics of Linux.

> And of course, I have no idea if you have installed some kind of a backdoor utility that will grant you shell access via ssh to my system.
> I want to convince myself that you haven't done so.

I can help with that convincing. No, I did not install any sort of
backdoor. There is no way you can prove that statement, but you have
my promise and pledge that your system is safe from me. All I did was:

1) Change the root password, storing the new one in a way that you could find it
2) Create the cookie file as proof of what I could do
3) Collect email addresses from /home/*/.contactemail
4) Inspect the index.html files in a few directories as a means of
locating the web sites concerned
5) 'mv .bash_history .bash_history_old', and later mv it back

There is no ongoing access, and now that you've changed the root
password (btw, I hope you weren't silly enough to change it to the
same password you emailed me), the system is under your control again.
But you cannot be sure that the *other* people you've given root
access to didn't do the same.

ChrisA


