httpd-dev mailing list archives

From James Sutherland <ja...@cam.ac.uk>
Subject Re: better suexec control proposal
Date Wed, 16 Feb 2000 17:29:10 GMT

On Wed, 16 Feb 2000, Fabien COELHO wrote:

> 
> Hello,
> 
> > > I looked at the patch. The ability to decide on per-directory or
> > > per-server basis the user and group under which a cgi is executed looks
> > > very interesting to me, even if it does not solve my problem at hand.
> > > Indeed, I want user cgi to run under their own account, and I don't want to
> > > configure the CGIuser for every account. Also, how to disable suexec but
> > > still enabling standard cgi execution with this extension looks unclear to
> > > me. 
> > 
> > Have you considered using CGIwrap for user CGIs, and suexec for "site"
> > ones?
> 
> Sorry, I don't know what CGIwrap is.

Basically, it's an alternative to suexec. It runs as a CGI wrapper.
Essentially, users can put their own CGIs in ~/public_html/cgi-bin/ and use
them via URLs like /cgi-bin/cgiwrap/username/cginame, and the CGI runs as
that user.

Obviously (provided Apache is set accordingly) users can only run their
CGIs via CGIwrap. Anything which Apache is allowed to run directly will
run via suexec or whatever you have configured for it.

> > I'm not entirely sure quite what your aims are, but that should be a
> > fairly close approximation AFAICS?
> 
> AFAICS=="As Far As I Can See", I got it this time;-) 
> 
> My problem is that I want to enable or disable suexec of cgi on a per-site
> or per-directory, or even make them mandatory. In particular I don't want
> the suexec stuff at all for sites that I control (it costs 1 fork-exec and
> it is useless), but I want it mandatory for user accounts and some other
> place. If during an apache update the suexec is lost, I don't want the
> script to run suddenly under the server account as it is the case for
> others, I want them all to fail.

You could do this by putting YOUR (trusted) scripts in /cgi-bin/ (or
wherever) and using them directly, and keeping all the other (untrusted)
ones in user directories or using suexec.

> The Meta-problem then is how to provide this control from apache
> configuration. The current configuration of suexec is "all or none", so
> it's definitely too basic. 

Agreed!

> I've looked at the apache source code and it looks pretty simple to add
> the functionality, so I or even someone else (better) can do it. As I
> think it can be useful to the community, I try to suggest a debate on the
> subject to check whether "apache group leaders" think it is of interest or
> they will refuse the patch anyway because of some principle.

Well, I'm hardly a group leader, but it sounds sensible to me :)

> So the subject is "does it make sense to add control over suexec with
> some directive to enable, disable or make it mandatory on a per directory
> or per server basis". 

Yes. :-)


James.
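
The three-state control discussed in this thread (off, on, mandatory, set per server and overridden per directory), sketched as an added example; it is not code from the thread, the patch, or Apache. The type names, the sample directories and the wrapper_present flag are hypothetical, and script paths are assumed to be already canonical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical three-state policy from the thread; not Apache directives. */
typedef enum { SUEXEC_OFF, SUEXEC_ON, SUEXEC_MANDATORY } suexec_mode;
typedef enum { RUN_AS_SERVER, RUN_VIA_SUEXEC, REFUSE } cgi_action;

typedef struct { const char *dir; suexec_mode mode; } dir_policy;

/* Constructed sample configuration: per-directory overrides. */
static const dir_policy POLICIES[] = {
    { "/var/www/cgi-bin", SUEXEC_OFF },        /* admin-controlled scripts */
    { "/home",            SUEXEC_MANDATORY },  /* user accounts */
};

/* True if path is dir itself or lies below it (whole path components only). */
static int under(const char *path, const char *dir) {
    size_t n = strlen(dir);
    return strncmp(path, dir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Longest matching directory wins; otherwise the server-wide default applies. */
suexec_mode effective_mode(const char *script, suexec_mode server_default) {
    suexec_mode mode = server_default;
    size_t best = 0;
    for (size_t i = 0; i < sizeof POLICIES / sizeof POLICIES[0]; i++) {
        size_t n = strlen(POLICIES[i].dir);
        if (under(script, POLICIES[i].dir) && n >= best) {
            best = n;
            mode = POLICIES[i].mode;
        }
    }
    return mode;
}

/* wrapper_present: whether the suexec binary was found at startup. */
cgi_action decide(const char *script, suexec_mode server_default, int wrapper_present) {
    switch (effective_mode(script, server_default)) {
    case SUEXEC_OFF:       return RUN_AS_SERVER;   /* skip the extra fork-exec */
    case SUEXEC_MANDATORY: return wrapper_present ? RUN_VIA_SUEXEC : REFUSE;
    default:               /* "on": the fallback the thread wants to avoid */
        return wrapper_present ? RUN_VIA_SUEXEC : RUN_AS_SERVER;
    }
}

int main(void) {
    /* Wrapper lost during an upgrade: the user script is refused, not run as the server. */
    printf("%d\n", decide("/home/alice/public_html/cgi-bin/form.cgi", SUEXEC_ON, 0));
    return 0;
}
```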

