
Re: Http server with authenticated user suexec cgi's



It's risky, but you could run apache as root (or suexec the cgi to root) and then within the script itself do a setuid and seteuid. Since apache is forking and execing the cgi itself, you should be able to use setuid (the same way login and ssh do when a user logs into the system). Within perl you just change the $< var iirc. I'd open up the login source and see how it uses setuid to change uids when the user logs in, and maybe implement a C wrapper that is exec'd as the cgi that setuid's and in turn execs the actual script. In summary, sure, it's possible.

Evan Webb

--On Thursday, April 03, 2003 10:54 AM +0200 "I. Forbes" <iforbes@zsd.co.za> wrote:

Hello Dustin

On 2 Apr 2003 at 8:07, Dustin Douglas wrote:

I don't know of anything that does everything that you want, but a
good starting point might be the apache suexec docs. For apache 1.3.x
they can be found at http://httpd.apache.org/docs/suexec.html

Implementing the desired functionality is left as an exercise to the
reader.

Apache suexec will not do this. This runs the cgi scripts with the
uid of the "owner" of the website, where there are many websites with
many "owners" on the same server.

I am looking for a system to run the cgi scripts with the uid of the
authenticated user. Ie, one server, one web site, many system users
each running the cgi's with their own uid.

This is the same security situation as a user logging in via a telnet
prompt and running system utilities like "ls" or "vi". Except I want
the user to login via a web page and run cgi's to make things more
user friendly.


Regards

Ian

---------------------------------------------------------------------
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388  Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
---------------------------------------------------------------------







Evan Webb // evanw@cortland.com
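
The C wrapper suggested in the reply above, sketched as an added example (not code from the thread or from Apache): it takes the authenticated name from the CGI `REMOTE_USER` variable, refuses root and system accounts, drops privileges in the order supplementary groups, gid, uid, verifies that root cannot be regained, and only then execs the script. `MIN_UID`, the `TARGET` path and the username character policy are assumptions, and the wrapper is assumed to be started as root.

```c
#define _DEFAULT_SOURCE                 /* for initgroups() and setenv() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MIN_UID 1000                              /* assumption: ordinary accounts start here */
#define TARGET  "/usr/local/lib/webapp/real.cgi"  /* hypothetical path of the real script */

/* Accept only conservative login names: [a-z0-9_-], 1..32 chars, no leading '-'. */
int valid_username(const char *s) {
    size_t n = s ? strlen(s) : 0;
    if (n == 0 || n > 32 || s[0] == '-') return 0;
    return strspn(s, "abcdefghijklmnopqrstuvwxyz0123456789_-") == n;
}

/* Map the authenticated name to an account; refuse root and system uids. */
struct passwd *resolve_user(const char *name, uid_t min_uid) {
    struct passwd *pw;
    if (!valid_username(name)) return NULL;
    pw = getpwnam(name);
    if (pw == NULL || pw->pw_uid < min_uid || pw->pw_gid == 0) return NULL;
    return pw;
}

/* Become pw for good: groups, then gid, then uid; fail if root can be regained. */
int drop_privileges(const struct passwd *pw) {
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (setuid(0) == 0 || getuid() != pw->pw_uid || geteuid() != pw->pw_uid) return -1;
    return 0;
}

int main(void) {
    static char *const argv[] = { TARGET, NULL };
    const char *user = getenv("REMOTE_USER");     /* set by the server after HTTP auth */
    struct passwd *pw = resolve_user(user, MIN_UID);
    if (pw == NULL || drop_privileges(pw) != 0) {
        puts("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nrefused");
        return 1;
    }
    setenv("HOME", pw->pw_dir, 1);                /* CGI variables are kept as they are */
    setenv("PATH", "/usr/bin:/bin", 1);
    execv(TARGET, argv);
    return 1;                                     /* reached only if exec failed */
}
```

Every return value is checked because a `setuid` call that fails silently leaves the script running as root.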


