Received: by taz.hyperreal.com (8.6.12/8.6.5) id NAA17285; Mon, 1 Jul 1996 13:48:08 -0700
Received: from irene.pcug.co.uk by taz.hyperreal.com (8.6.12/8.6.5) with SMTP id NAA17280; Mon, 1 Jul 1996 13:48:03 -0700
Message-Id: <199607012048.NAA17280@taz.hyperreal.com>
Received: from us1.imdb.com by irene.pcug.co.uk id aa21785; 1 Jul 96 21:47 BST
Subject: Apache Suggestion (fwd)
To: apache
Date: Mon, 1 Jul 1996 15:47:48 -0500 (CDT)
From: Rob Hartill
Organization: Internet Movie Database http://us.imdb.com/
X-Mailer: ELM [version 2.4 PL24 ME8a]
Content-Type: text
Content-Length: 8255
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

One of the setuid fans out there might want to ack this one..

-=-=-=

Date: Mon, 1 Jul 1996 11:29:35 -0700 ()
From: Jim Fox
To: apache-bugs@mail.apache.org
Cc: fox@u.washington.edu
Subject: Apache Suggestion
Message-Id:
X-Sender: fox@franklin01.u.washington.edu
Mime-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="266996290-20949-836245775=:-891233"
Content-Id:

This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.

--266996290-20949-836245775=:-891233
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID:

Apache folks,

This is a suggestion for improvement rather than a bug report,
but the bug report address is the only one I could find.

We have about 60,000 uncontrollable users at the University of
Washington; about 6,000 of them have web pages. It isn't feasible
for us to police their cgi scripts, so we find it very convenient
to run cgi scripts setuid and setgid to the script owner.

The two attachments to this message show how it's done.

I've gotten several requests for this modification from other
universities so I thought I'd see if you would consider incorporating
it into the general release.

Thanks,

Jim Fox
University of Washington

-------------------------

Following are the instructions I give out to other people
wanting to install the mod.

Attached to this message are two files:

1) the mods to 'mod_cgi.c', only a couple, and
2) the source to 'asuser'

Steps to install this are roughly as follows.
(This is for the 1.0.5 version of apache)

1) Create a "www" group, but leave it empty.

2) Build the asuser program and install it in /usr/local/etc

   Set permissions like this:

      chown root.www asuser
      chmod 4750 asuser

   This prevents anyone except 'www' from accessing the program.

3) Set your httpd.conf group setting to:

      Group www

4) Make the changes to 'mod_cgi.c' and install and run the new server.

Whenever cgi scripts are encountered the server will run
asuser instead. Asuser checks for the propriety of the request,
switches gid and uid, and runs the script.

Jim Fox

--266996290-20949-836245775=:-891233
Content-Type: APPLICATION/OCTET-STREAM; NAME="mod_cgi.uwdiff"
Content-Transfer-Encoding: BASE64
Content-ID:
Content-Description: Mods to mod_cgi for asuser

--266996290-20949-836245775=:-891233
Content-Type: APPLICATION/OCTET-STREAM; NAME="asuser.c"
Content-Transfer-Encoding: BASE64
Content-ID:
Content-Description: asuser.c

--266996290-20949-836245775=:-891233--

----- End of forwarded message from Jim Fox -----

--
Rob Hartill (robh@imdb.com)
The Internet Movie Database (IMDb) http://www.imdb.com/
...more movie info than you can poke a stick at.