
Re: Can't do setuid

>> Yes. Use "sudo" and actually *be* root when you run them.

> Yes, but therein lies my problem. I'm using Passwd::Linux in two cgi
> scripts to allow intranet users to manage their passwords. Doesn't seem
> like sudo is going to work for me in this occasion since the script will
> be called via the webserver.

Perl also has a special setuid ability. But you said you were using
regular shell scripts, not Perl. And you can compile Apache to honor
setuid (default is *not*), and you can allow mod_perl to honor them
as well for Perl "cgi"s (default is not, also).

> Any idea how to circumvent that type of situation?

See above. You could also allow the "nobody" or "webserver" user
(whoever the CGI runs as) to use sudo to run your changepwd
scripts. A better solution would be to have Apache run all
CGIs as the user that owns the "changepwd" CGI. Each user then
has their very own CGI, owned by them. Then, when they change
passwords, they can't inadvertently change someone else's password,
because their CGI can only run as *them*. And you can always change
your *own* password.

Then there is the harder method of writing a C program to wrap
your script, check parameters, lock it down, etc. Compile that,
make it setuid root and you're done. As I said, it's harder,
and very error-prone unless you know lots about CGI security and 
web-based application security in general.



To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.