Re: changing owner:group of uploaded data

On 5 March 2012 08:06, Steve Swift <Swifty@xxxxxxxxxxxxxx> wrote:
This certainly sounds like a situation for SUEXEC.

However, if you need the apache server to assign files to arbitrary user:group then there are two ways that I know of:
  1. You could create a SUDO entry which allows apache to use the chown/chgrp command AS root
This did the trick

 
  2. You could create a program to issue the chown/chgrp commands and use the SETUID bit so that it executes as root.
Somehow, this failed to work, no matter what I tried. Although the simple shell script did work when invoked from the command line, it never worked when invoked with (Perl) system( "/name/of/script $usr:$grp $path" )

Thank you!
Wolfgang 
In the first case, the SUDO entry should be restricted to your apache ID.
In the second case, the process is controlled by a program that you control, so you can add any security that you wish. I'd start by having the program verify that it is, indeed, running under the apache userid, whatever that is in your case.

On 4 March 2012 21:57, Mark Montague <mark@xxxxxxxxxxx> wrote:
On March 4, 2012 12:33 , Wolfgang Laun <wolfgang.laun@xxxxxxxxx> wrote:
A CGI script creates a file; it should also change its "natural" owner and group (daemon.daemon) to the one of the (authenticated) requesting user. Several users should be able to do that. Having read the Apache 2.4 documentation on Suexec I have the impression that this isn't possible at all. Is this correct or did I miss something?

Only root can change the owner of a file.  So if a CGI needs to change the owner of a file that it creates, the CGI would have to be run as root (very dangerous, do not do this) or it would have to use a set-uid helper script to change the owner.  Suexec cannot change the owner of a file created by a CGI, because it will not know what files the CGI creates.

I think what you want is to run the CGI as the user who is authenticated.  Then any files created by the CGI will be owned by the user who is authenticated.  Does this sound right?

For more information, see https://wiki.apache.org/httpd/PrivilegeSeparation

--
 Mark Montague
 mark@xxxxxxxxxxx






--
Steve Swift
http://www.swiftys.org.uk

