
Mailing List Archive: Apache: Users

Question about suexec



yves at zioup

Sep 14, 2006, 12:49 PM

Post #1 of 6 (571 views)
Question about suexec

Anybody has any idea if it's possible to do something like:

SuexecUserGroup $REMOTE_USER agroup

What I'm trying to do, is have the CGIs executed with the uid of the
authenticating user, but everybody will be using the same script, and the
same URL.

I've googled for it, and there are hints that people are doing this out
there, but no example of configuration (the one above is of course
completely invalid). On one page one guy's saying that he re-wrote su-exec
to be able to do all sort of things... but I really want to stay as close to
vanilla as possible.

All suggestions welcome.


Thanks.


Yves.
----
Yves Dorfsman yves [at] zioup
http://www.SollerS.ca



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


joshua at slive

Sep 15, 2006, 11:31 AM

Post #2 of 6 (552 views)
Re: Question about suexec

On 9/14/06, Yves Dorfsman <yves [at] zioup> wrote:
>
>
> Anybody has any idea if it's possible to do something like:
>
> SuexecUserGroup $REMOTE_USER agroup
>
> What I'm trying to do, is have the CGIs executed with the uid of the
> authenticating user, but everybody will be using the same script, and the
> same URL.
>
> I've googled for it, and there are hints that people are doing this out
> there, but no example of configuration (the one above is of course
> completely invalid). On one page one guy's saying that he re-wrote su-exec
> to be able to do all sort of things... but I really want to stay as close to
> vanilla as possible.

No, this is not possible and not wise. You would need to strip away
the most important security protections of suexec to do this.

If you really need this, look into sudo, which could be used in
conjunction with suexec or in an ordinary cgi script. But watch out.
You could easily create massive security holes if you don't know what
you are doing.

Joshua.



yves at zioup

Sep 18, 2006, 6:46 AM

Post #3 of 6 (536 views)
Question about suexec

I've posted that question last week and got zero feedback, sorry to
resubmit, I'm just afraid it got drowned among all the posts. Thanks in
advance for any help on this.



Anybody has any idea if it's possible to do something like:

SuexecUserGroup $REMOTE_USER agroup

What I'm trying to do, is have the CGIs executed with the uid of the
authenticating user, but everybody will be using the same script, and the
same URL.

I've googled for it, and there are hints that people are doing this out
there, but no example of configuration (the one above is of course
completely invalid). On one page one guy's saying that he re-wrote su-exec
to be able to do all sort of things... but I really want to stay as close to
vanilla as possible.

All suggestions welcome.


Thanks.


Yves.
----
Yves Dorfsman yves [at] zioup
http://www.SollerS.ca



joshua at slive

Sep 18, 2006, 7:09 AM

Post #4 of 6 (538 views)
Re: Question about suexec

On 9/18/06, Yves Dorfsman <yves [at] zioup> wrote:
>
> I've posted that question last week and got zero feedback, sorry to
> resubmit, I'm just afraid it got drowned among all the posts. Thanks in
> advance for any help on this.

In fact, you did receive a response:
http://mail-archives.apache.org/mod_mbox/httpd-users/200609.mbox/%3ce498c1660609151131y66923ea9o2d7f3a766d42cc23 [at] mail%3e

Joshua.



yves at zioup

Sep 18, 2006, 8:04 AM

Post #5 of 6 (538 views)
Re: Question about suexec

> In fact, you did receive a response:
> http://mail-archives.apache.org/mod_mbox/httpd-users/200609.mbox/%3ce498c1660609151131y66923ea9o2d7f3a766d42cc23 [at] mail%3e

Oops missed it - sorry, and thanks for pointing to this. Darn, this means
I've got to re-compile with BIG_SECURITY_HOLE...

Thanks.

Yves.
----
Yves Dorfsman yves [at] zioup
http://www.SollerS.ca





joshua at slive

Sep 18, 2006, 8:47 AM

Post #6 of 6 (537 views)
Re: Question about suexec

On 9/18/06, Yves Dorfsman <yves [at] zioup> wrote:
>
> >
> > In fact, you did receive a response:
> >
>
> http://mail-archives.apache.org/mod_mbox/httpd-users/200609.mbox/%3ce498c1660609151131y66923ea9o2d7f3a766d42cc23 [at] mail%3e
>
> Oops missed it - sorry, and thanks for pointing to this. Darn, this means
> I've got to re-compile with BIG_SECURITY_HOLE...

Ugh, no. As I said, it means you need to learn how to use sudo. This
is, in itself, a dangerous thing to expose to the web. But the danger
pales in comparison to what you can get into by running apache as
root.

Joshua.
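
The sudo route suggested in the replies above, sketched as an added example (not code from the thread or from the Apache project): a CGI wrapper that validates REMOTE_USER before handing it to sudo. The sudoers rule, the www-data account, the target path and the UID floor are assumptions; agroup is the group name from the question.

```shell
#!/bin/sh
# CGI wrapper: run one fixed program as the authenticated user via sudo.
# Assumed sudoers rule, edited with visudo (www-data and the path are
# placeholders; "agroup" is the group from the question):
#   www-data ALL=(%agroup) NOPASSWD: /usr/local/libexec/report.cgi ""
# (%agroup) limits the target accounts to members of agroup and the trailing
# "" forbids arguments. sudo resets the environment by default, so any CGI
# variable the target needs must be listed in env_keep.

LC_ALL=C; export LC_ALL                # byte-wise ranges in the pattern below
TARGET=/usr/local/libexec/report.cgi   # hypothetical target, not web-writable
MIN_UID=1000                           # assumed floor for ordinary accounts

# Syntax check only: lowercase letters, digits, "_" and "-", 1-32 chars,
# no leading "-" (which sudo would read as an option).
safe_name() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Account check: the name must resolve locally and must not be root or a
# system account.
valid_user() {
    safe_name "$1" || return 1
    uid=$(id -u "$1" 2>/dev/null) || return 1
    [ "$uid" -ge "$MIN_UID" ]
}

run_as_remote_user() {
    if ! valid_user "${REMOTE_USER:-}"; then
        printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
        printf 'request refused\n'
        return 1
    fi
    # -n: never prompt; --: end of sudo options. The target path is fixed
    # here and in sudoers, so nothing from the request chooses what runs.
    exec sudo -n -u "$REMOTE_USER" -- "$TARGET"
}

# Only act when Apache invokes this as a CGI (it sets GATEWAY_INTERFACE).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    run_as_remote_user
fi
```

Apache itself stays unprivileged in this arrangement; the only privilege granted is the single sudoers rule, which is the place to audit.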

