[sf-perl] How to get cgi program to invoke another program as a specific non-privileged user
Quinn Weaver
quinn at fairpath.com
Sat May 19 14:59:34 PDT 2007
On Sat, May 19, 2007 at 11:04:13AM -0700, David Alban wrote:
> On 5/19/07, David Fetter <david at fetter.org> wrote:
> > I think you might want to look into the fine-grained control that sudo
> > provides. You can, for example, allow the "nobody" user to execute
> > exactly one command without password authentication as the "build"
> > user.
>
> Oh yeah, I forgot to say that sudo is the *first* thing I tried. :-)
>
> I added a line in /etc/sudoers that allowed apache (who owns our
> httpd processes) to run the build too. Didn't work. I figured there
> was a problem when from root I tried to su to apache to run the sudo
> manually and su said something like user apache (who owns our httpd
> processes) was unavailable. Probably doesn't have a shell. I didn't
> look.
>
> Or perhaps my lack of apache knowledge is at work here. Even though
> user apache shows up in the process table as owning the httpd
> processes, should I still try sudo for user 'nobody'? I can try that
> on Monday.
I wouldn't allow sudo for user 'nobody'. If you do that, you're
defeating the intended security for the whole box. nobody is supposed
to be a user with no privileges; apache and some other packages rely on
that.
If I were you, I would make the CGI script setuid to the build user.
Then you have just one place where you're granting extra privs,
rather than altering the expected behavior of nobody system-wide,
or altering the behavior of all code running under apache with
suexec.
Of course, that solution works for CGI only, not for mod_perl. For
mod_perl, the solution I've seen is to run a whole separate Apache
instance under a different UID. It's a bit of a pain to set up, but
there's no good way around it... suexec, as you pointed out, affects
all apache children, no matter what URL they're serving/code they're
running.
--
Quinn Weaver, independent contractor | President, San Francisco Perl Mongers
http://fairpath.com/quinn/resume/ | http://sf.pm.org/
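The "one place where you're granting extra privs" design from the reply above is, in practice, a small setuid wrapper binary rather than a setuid script, because Linux ignores the setuid bit on interpreted (#!) scripts. The C program below is an added example, not code from this thread or from any of its posters: it is installed owned by the build user with mode 6750 and group "build", the web-server user is made a member of that group, and the wrapper drops to the build user and executes exactly one fixed command with a scrubbed environment. The command path /usr/local/bin/run-build, the account name build and the argument rule are assumptions for the example.

```c
/* Added example (not from the thread): a minimal setuid wrapper that lets the
 * web server's unprivileged user run exactly one fixed command as "build".
 * Assumed install:  chown build:build wrapper && chmod 6750 wrapper
 * and add the httpd user to group "build" so only it can execute the wrapper.
 * BUILD_CMD, BUILD_USER and the argument whitelist are assumptions. */
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUILD_CMD  "/usr/local/bin/run-build"   /* assumed absolute path */
#define BUILD_USER "build"                      /* assumed target account */
#define MAX_ARG    64

/* Accept only a short token of [A-Za-z0-9._-] that does not start with '-'
 * or '.', so a request parameter can neither become an option to the build
 * command nor a path component. Returns 1 if acceptable, 0 otherwise. */
int arg_is_safe(const char *s)
{
    if (s == NULL) return 0;
    size_t n = strlen(s);
    if (n == 0 || n > MAX_ARG) return 0;
    if (s[0] == '-' || s[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Fixed environment for the child: nothing inherited from the CGI request
 * (no HTTP_*, no LD_*, no caller-chosen PATH or IFS). */
static char *clean_env[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    "HOME=/nonexistent",
    NULL
};

char **build_clean_env(void) { return clean_env; }

/* Permanently switch real, effective and saved ids to BUILD_USER.
 * setregid before setreuid (gid changes need the setuid privilege), then
 * verify the result instead of trusting the return codes alone.
 * Supplementary groups cannot be cleared by a non-root setuid wrapper, so the
 * build command should not depend on them. Returns 0 on success, -1 on error. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return -1;
    if (setregid(pw->pw_gid, pw->pw_gid) != 0) return -1;
    if (setreuid(pw->pw_uid, pw->pw_uid) != 0) return -1;
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) return -1;
    if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Exactly one argument (e.g. a release tag), validated before any use. */
    if (argc != 2 || !arg_is_safe(argv[1])) {
        fprintf(stderr, "usage: wrapper <build-tag>\n");
        return 2;
    }
    if (drop_to_user(BUILD_USER) != 0) {
        fprintf(stderr, "wrapper: cannot become %s\n", BUILD_USER);
        return 1;
    }
    char *child_argv[] = { BUILD_CMD, argv[1], NULL };
    execve(BUILD_CMD, child_argv, build_clean_env());
    perror("execve");   /* only reached if the exec itself failed */
    return 1;
}
```

From the CGI script the wrapper is invoked with the one validated argument and nothing else, so the build command, its environment and the identity it runs under are all decided by the wrapper, not by the web server or by request data. If sudo is preferred instead (the other suggestion quoted in the thread), the equivalent least-privilege rule is a single sudoers entry of the form `apache ALL=(build) NOPASSWD: /usr/local/bin/run-build`, which grants the httpd user that one command as build and nothing more.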