httpd-users mailing list archives

From Wolfgang Laun <wolfgang.l...@gmail.com>
Subject Re: [users@httpd] changing owner:group of uploaded data
Date Mon, 05 Mar 2012 16:36:21 GMT
On 5 March 2012 08:06, Steve Swift <Swifty@swiftys.org.uk> wrote:

> This certainly sounds like a situation for SUEXEC.
>
> However, if you need the apache server to assign files to arbitrary
> user:group then there are two ways that I know of:
>
>    1. You could create a SUDO entry which allows apache to use the
>    chown/chgrp command AS root
>
This did the trick.

>    2. You could create a program to issue the chown/chgrp commands and
>    use the SETUID bit so that it executes as root.
>

Somehow, this failed to work, no matter what I tried. Although the simple
shell script did work when invoked from the command line, it never worked
when invoked with (Perl) system( "/name/of/script $usr:$grp $path" )

Thank you!
Wolfgang

>
>
> In the first case, the SUDO entry should be restricted to your apache ID
> In the second case, the process is controlled by a program that you
> control, so you can add any security that you wish. I'd start by having the
> program verify that it is, indeed, running under the apache userid,
> whatever that is in your case.
>
> On 4 March 2012 21:57, Mark Montague <mark@catseye.org> wrote:
>
>> On March 4, 2012 12:33 , Wolfgang Laun <wolfgang.laun@gmail.com> wrote:
>>
>>> A CGI script creates a file; it should also change its "natural" owner
>>> and group (daemon.daemon) to the one of the (authenticated) requesting
>>> user. Several users should be able to do that. Having read the Apache 2.4
>>> documentation on Suexec I have the impression that this isn't possible at
>>> all. Is this correct or did I miss something?
>>>
>>
>> Only root can change the owner of a file.  So if a CGI needs to change
>> the owner of a file that it creates, the CGI would have to be run as root
>> (very dangerous, do not do this) or it would have to use a set-uid helper
>> script to change the owner.  Suexec cannot change the owner of a file
>> created by a CGI, because it will not know what files the CGI creates.
>>
>> I think what you want is to run the CGI as the user who is authenticated.
>>  Then any files created by the CGI will be owned by the user who is
>> authenticated.  Does this sound right?
>>
>> For more information, see https://wiki.apache.org/httpd/PrivilegeSeparation
>>
>> --
>>  Mark Montague
>>  mark@catseye.org
>>
>>
>>
>>
>
>
> --
> Steve Swift
> http://www.swiftys.org.uk
>
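
Added example (not from this thread or from the httpd project): a sketch of the set-uid helper described above, written as a compiled C program because Linux ignores the set-uid bit on interpreted scripts. The upload directory, the web server uid, the id range and the numeric return codes are all assumptions made for illustration, and the path check assumes only the web server can write inside the upload tree.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define UPLOAD_DIR "/srv/uploads/"   /* assumed upload directory */
#define WEB_UID    ((uid_t)1)        /* assumed uid of the httpd user ("daemon") */

/* Accept only paths strictly below UPLOAD_DIR that contain no ".." component. */
int path_allowed(const char *path) {
    size_t n = strlen(UPLOAD_DIR), len = strlen(path);
    if (len <= n || strncmp(path, UPLOAD_DIR, n) != 0) return 0;
    if (strstr(path, "/../") || strcmp(path + len - 3, "/..") == 0) return 0;
    return 1;
}

/* Parse a plain decimal id; refuse root (0), signs, and trailing text. */
int parse_id(const char *s, unsigned *out) {
    char *end;
    if (*s < '0' || *s > '9') return -1;
    unsigned long v = strtoul(s, &end, 10);
    if (*end != '\0' || v == 0 || v > 65535UL) return -1;  /* assumed id range */
    *out = (unsigned)v;
    return 0;
}

/* Check caller, ids and path, then chown through a descriptor (0 on success). */
int chown_upload(uid_t real_uid, const char *uid_s, const char *gid_s, const char *path) {
    unsigned uid, gid;
    struct stat st;
    int rc = -5;
    if (real_uid != WEB_UID) return -1;                /* only the web server may call */
    if (parse_id(uid_s, &uid) || parse_id(gid_s, &gid)) return -2;
    if (!path_allowed(path)) return -3;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);  /* never follow a symlink */
    if (fd < 0) return -4;
    /* Only regular, singly linked files that the web server itself created. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1 && st.st_uid == WEB_UID)
        rc = fchown(fd, (uid_t)uid, (gid_t)gid) == 0 ? 0 : -6;
    close(fd);
    return rc;
}
int main(int argc, char **argv) {
    int rc = argc == 4 ? chown_upload(getuid(), argv[1], argv[2], argv[3]) : -7;
    if (rc != 0) fprintf(stderr, "refused (%d)\n", rc);
    return rc != 0;
}
```

From Perl, calling the helper with the list form of system() (one argument per list element) keeps a shell from interpreting the user, group and path values.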
