httpd-users mailing list archives

From "Dan Mahoney, System Admin" <d...@prime.gushi.org>
Subject Re: [users@httpd] CGI via suexec
Date Fri, 29 Jul 2005 03:55:00 GMT
On Thu, 28 Jul 2005, Joshua Slive wrote:

Well, that's not quite true.

If you're talking about a *single* script (like a password change script 
or something)...

First, realize that there are a number of reasons doing auth against 
/etc/passwd is BAD.

http://httpd.apache.org/docs/1.3/misc/FAQ.html#passwdauth

That said, you could do it without needing to give apache root, by using 
mod_auth_radius or something like that.

Following that, if you have a SetUID root CGI script that you run as 
root, and which then drops its privileges accordingly...

For example, this is how usermin can be run under Apache:

http://webmin.com/uapache.html

WARNING: Unless you REALLY know what you are doing (and by this I mean 
your script should be running most of the same checks suexec itself 
runs...and then some), I don't advise this.

But it *is* an option.

If you're talking about ANY script on a system...uh, no.  Please don't go 
there.

-Dan


> On 7/27/05, Atte Peltomaki <atte.peltomaki@f-secure.com> wrote:
>>>> I'm trying to implement such a scenario where a cgi script would be run as
>>>> the user that just authed against the local passwd. This way the cgi
>>>> script would have the same rights as the local user does.
>>>>
>>>> Anyone have any ideas how to pass the login information to suexec?
>>>
>>> If you mean HTTP authentication login, then it can't be done.  This
>>> would violate suexec's security model.  It only runs scripts based on
>>> their owner.
>>>
>>> You can look at cgiwrap, which is a little more flexible.  But I doubt
>>> it will do this either.
>>
>> It didn't seem like cgiwrap would be able to either. Any other ideas,
>> anyone? Last resort is to sourcedive for the http auth login bit, and
>> hook it to a homebrewed cgiwrapper, or a modified version of
>> suexec/cgiwrap. But this is a lot of work, perhaps too much for what it
>> would achieve.
>
> look into sudo.
>
> (The reason there is no easy way to do this is because it can easily
> create a massive security hole if it is not done extremely carefully.)
>
> Joshua.
>

--

"Be happy.  Try not to hurt each other.  Hope you fall in love."

--Mallory, Family Ties Finale (on the meaning of life)

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
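As an added example (this is not code from Dan's post, from usermin, or from suexec itself), here is the skeleton of the kind of setuid-root wrapper discussed above. It refuses to run unless invoked by the web server's own uid, takes the target account from REMOTE_USER (which Apache sets for CGI after a successful HTTP authentication), applies suexec-style ownership and mode checks on the script, and drops root in the correct order before exec'ing. HTTPD_UID, MIN_UID, MIN_GID and CGI_ROOT are assumed values for the example; a real deployment would set them to match the local httpd configuration.

```c
/* Added example, not from the thread: skeleton of a setuid-root CGI wrapper
 * that runs a script as the HTTP-authenticated user, with suexec-style
 * checks before dropping privileges.  HTTPD_UID, MIN_UID, MIN_GID and
 * CGI_ROOT are assumptions for this example. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define HTTPD_UID ((uid_t)48)          /* assumed uid of the httpd workers   */
#define MIN_UID   1000                 /* assumed lowest uid we switch to    */
#define MIN_GID   1000                 /* assumed lowest gid we switch to    */
#define CGI_ROOT  "/var/www/cgi-bin/"  /* assumed; scripts must live here    */

/* Target identity must be a real, unprivileged account: never root, never a
 * system account below the configured minimum. */
int target_ids_ok(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return 0;
    if (uid < MIN_UID || gid < MIN_GID) return 0;
    return 1;
}

/* Script must sit under CGI_ROOT, be a regular file (symlinks fail S_ISREG
 * because the caller uses lstat), be owned by the target user and group,
 * and be neither setuid/setgid nor writable by group or others. */
int script_attrs_ok(const char *path, mode_t mode, uid_t owner, gid_t group,
                    uid_t want_uid, gid_t want_gid)
{
    if (strncmp(path, CGI_ROOT, strlen(CGI_ROOT)) != 0) return 0;
    if (strstr(path, "/../") != NULL) return 0;   /* crude; prefer realpath() */
    if (!S_ISREG(mode)) return 0;
    if (owner != want_uid || group != want_gid) return 0;
    if (mode & (S_ISUID | S_ISGID)) return 0;
    if (mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Drop root permanently.  Order matters: supplementary groups and gid first
 * (they need root), uid last, then prove root cannot be regained.
 * Returns 0 on success, -1 (with errno set) on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (!target_ids_ok(uid, gid)) { errno = EINVAL; return -1; }
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) { errno = EPERM; return -1; }
    if (setuid(0) == 0) { errno = EPERM; return -1; }   /* must fail now */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s " CGI_ROOT "script\n", argv[0]);
        return 1;
    }
    const char *script = argv[1];

    /* Only the web server may invoke us; the real uid is the caller's. */
    if (getuid() != HTTPD_UID) { fprintf(stderr, "caller is not httpd\n"); return 1; }
    const char *user = getenv("REMOTE_USER");
    if (user == NULL || *user == '\0') { fprintf(stderr, "no REMOTE_USER\n"); return 1; }

    struct passwd *pw = getpwnam(user);
    if (pw == NULL || !target_ids_ok(pw->pw_uid, pw->pw_gid)) {
        fprintf(stderr, "refusing to run as %s\n", user);
        return 1;
    }
    struct stat st;
    if (lstat(script, &st) != 0 ||
        !script_attrs_ok(script, st.st_mode, st.st_uid, st.st_gid,
                         pw->pw_uid, pw->pw_gid)) {
        fprintf(stderr, "%s failed ownership/mode checks\n", script);
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) { perror("drop_privileges"); return 1; }

    /* Never pass the inherited environment through; whitelist like suexec. */
    char remote_user[256];
    snprintf(remote_user, sizeof remote_user, "REMOTE_USER=%s", user);
    char *const envp[] = { "PATH=/usr/bin:/bin", remote_user, NULL };
    execve(script, argv + 1, envp);   /* only returns if exec fails */
    perror("execve");
    return 1;
}
```

Installed the way suexec is (owned by root, mode 4750, group set to the httpd group so only the server can even execute it), the wrapper is reachable solely through Apache, which is the only reason trusting REMOTE_USER is defensible here. Two caveats a real wrapper still has to deal with: there is a window between lstat() and execve() in which the file can be swapped (suexec has the same exposure), and suexec additionally checks the owning directory's ownership and mode and whitelists the CGI environment variable by variable rather than passing just PATH and REMOTE_USER.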

