John Summerfield wrote:
I take it the script begins
#!/usr/bin/sperl
Change it to
#!/usr/bin/perl
and see what you see.
No, it begins #!/usr/bin/perl
but it needs to run suid to access the backups.
[~] 11) l -lZ /var/www/cgi-bin/BackupPC/
-rwsr-x--- backuppc apache system_u:object_r:httpd_sys_script_exec_t:s0
BackupPC_Admin*
I think your phrase "fix properly" meas you need to learn how to write a
local policy to allow it.
This same script worked in FC6.
There's been some tension (to my mind at least) between Linux[1] (setuid
is ignored with scripts)
It is ignored in shell scripts because Linux does not provide the
capability of running them securely (i.e. noticing the setuid status is
not atomic with the file open so you have a race condition where you can
replace the file).
and perl (stuff Linux, we're going to do setuid
scripts).
Perl provides its own mechanism for executing setuid perl scripts, but
it is packaged separately in fedora. You have to install the
perl-suidperl package if you want the feature.
[1] I don't think Linux is alone here.
What I have done, in Debian and without selinux, where I want CGI to do
root stuff is to authorise it without passwords via sudo,
Is there some reason to think this is better than the methods provided
by apache or perl?
--
Les Mikesell
lesmikesell@xxxxxxxxx
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list