httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bennett Haselton <benn...@peacefire.org>
Subject [users@httpd] how to enable CGI scripts to read /var/log/httpd/access_log ?
Date Mon, 11 Feb 2008 18:38:00 GMT
I am trying to run a CGI script that can open /var/log/httpd/access_log for 
reading and parse some data from it.  (This is on a dedicated machine.)

The file /var/log/httpd/access_log is owned by root, but that's not the 
problem.  I have other files owned by root that are in the /var/www/html 
directory and CGI scripts can read those with no problem (because they are 
world-*readable*, just like /var/log/httpd/access_log is).  The problem is 
that apparently CGI scripts cannot open any files for reading that are 
located outside of /var/www .  How can I change this setting so that the 
CGI scripts can also access files in /var/log/httpd ?

The other option would be to set the CGI script to run as setuid.  This is 
how I've gotten this to work on some other dedicated machines.  But on this 
machine, the setuid bit is not honored and setuid scripts still run as 
nobody.  If anybody can tell me how to change this setting so that the 
setuid bit is honored, that will work too.

(Every time I ask about that, a bunch of people tell me that "running 
setuid scripts is a security hole".  But nobody can ever say exactly why -- 
if a CGI script doesn't accept any input and only does what I've programmed 
it to do, then what difference does it make if a stranger invokes it as 
root?  It just does the same thing as when I run it as root.  So if you 
know how to change the system-wide setting to make setuid scripts run as 
root, that would be ideal.)

	-Bennett

bennett@peacefire.org     http://www.peacefire.org
(425) 497 9002


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message