[sf-perl] How to get cgi program to invoke another program as a specific non-privileged user

David Alban extasia at extasia.org
Sat May 19 20:38:26 PDT 2007


I'll try making the cgi program setuid and owned by build:build.  Thanks.

FYI, the sudo entry would only have allowed 'nobody' specifically to
run the build tool as user 'build'.  No other commands would have been
allowed.  No other privilege would have been granted.  (It's an
internal network, and anyone is allowed to kick off a build...)

On 5/19/07, Quinn Weaver <quinn at fairpath.com> wrote:
> I wouldn't allow sudo for user 'nobody'.  If you do that, you're
> defeating the intended security for the whole box.  nobody is supposed
> to be a user with no privileges; apache and some other packages rely on
> that.
>
> If I were you, I would make the CGI script setuid to the build user.
> Then you have just one place where you're granting extra privs,
> rather than altering the expected behavior of nobody system-wide,
> or altering the behavior of all code running under apache with
> suexec.
>
> Of course, that solution works for CGI only, not for mod_perl.  For
> mod_perl, the solution I've seen is to run a whole separate Apache
> instance under a different UID.  It's a bit of a pain to set up, but
> there's no good way around it... suexec, as you pointed out, affects
> all apache children, no matter what URL they're serving/code they're
> running.

-- 
Live in a world of your own, but always welcome visitors.
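As an added illustration of the setuid approach discussed above (this is not code from the thread or from either poster): on Linux and the BSDs the kernel ignores the setuid bit on an interpreted script, so making the Perl CGI itself setuid does nothing. The usual pattern is a tiny native wrapper, installed setuid/setgid to the build user, that the CGI script execs. The wrapper hardcodes the one program it may run, validates its single argument, discards the web server's environment, and switches every uid/gid to the build account so nothing can be regained. The paths /usr/local/bin/build and /var/lib/build, the account name build, and the project-name rules are assumptions; install with something like chown build:build buildwrap; chmod 6755 buildwrap.

```c
/* buildwrap.c: minimal setuid wrapper that lets the web server's user run one
 * fixed build tool as the unprivileged 'build' account. Added example, not
 * from the mailing-list thread. BUILD_TOOL, BUILD_USER, the HOME value and
 * the target-name rules are assumptions for illustration. */
#define _GNU_SOURCE
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define BUILD_TOOL "/usr/local/bin/build"   /* assumed path of the build tool */
#define BUILD_USER "build"                  /* account the build must run as */
#define MAX_TARGET 64

/* Accept only a plain project name: [A-Za-z0-9_.-], no leading '-' or '.',
 * bounded length. This rejects option injection ("-rf") and path traversal
 * ("../etc") before anything reaches the build tool. Returns 1 if valid. */
int valid_target(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '-' || *s == '.')
        return 0;
    size_t n = strlen(s);
    if (n > MAX_TARGET)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Switch real, effective and saved uid/gid to the build account. Because the
 * wrapper is setuid to 'build' (not root), setresuid/setresgid can only move
 * to ids already held (effective/saved), which is exactly what we want.
 * Supplementary groups of the caller cannot be cleared without root; the
 * build account should therefore not rely on them. Returns 0 on success. */
int drop_to_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0)
        return -1;
    if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0)
        return -1;
    /* Confirm the switch is complete: the caller's original uid is gone. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid || getegid() != pw->pw_gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* A fixed, minimal environment: nothing inherited from the web server
     * (no PERL5LIB, LD_PRELOAD, IFS or attacker-influenced CGI variables). */
    char *env[] = { "PATH=/usr/bin:/bin", "HOME=/var/lib/build", NULL };

    if (argc != 2 || !valid_target(argv[1])) {
        fprintf(stderr, "usage: buildwrap <project-name>\n");
        return 2;
    }
    if (drop_to_user(BUILD_USER) != 0) {
        perror("cannot switch to build user");
        return 1;
    }
    char *args[] = { BUILD_TOOL, argv[1], NULL };
    execve(BUILD_TOOL, args, env);   /* absolute path, no shell, fixed env */
    perror("execve");
    return 1;
}
```

The CGI script then does no privilege handling at all: it just runs `/usr/local/bin/buildwrap $project` (with the same name validation on the Perl side) and relays the output. Compared with a sudoers entry for nobody, the privilege grant lives in one file with one fixed command, which is the "just one place" argument made in the reply above.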
