On Thu, 28 Jul 2005, Joshua Slive wrote:

Well, that's not quite true.

If you're talking about a *single* script (like a password change script or something)...
first, realize that there's a number of reasons doing auth against /etc/passwd is BAD.
http://httpd.apache.org/docs/1.3/misc/FAQ.html#passwdauth

That said, you could do it without needing to give apache root, by using mod_auth_radius or something like that.
Following that, if you have a SetUID root cgi script that you have run as root, and then drop its privileges accordingly,
For example, this is how usermin can be run under apache http://webmin.com/uapache.html

WARNING: Unless you REALLY know what you are doing, and by this I mean your script should be running most of the same checks suexec itself runs...and then some...I don't advise this.
But it *is* an option.

If you're talking about ANY script on a system...uh, no. Please don't go there.
-Dan
On 7/27/05, Atte Peltomaki <atte.peltomaki@xxxxxxxxxxxx> wrote:

I'm trying to implement such a scenario where a cgi script would be run as the user that just authed against the local passwd. This way the cgi script would have the same rights as the local user does. Anyone have any ideas how to pass the login information to suexec?

If you mean HTTP authentication login, then it can't be done. This would violate suexec's security model. It only runs scripts based on their owner. You can look at cgiwrap, which is a little more flexible. But I doubt it will do this either.

It didn't seem like cgiwrap would be able either. Any other ideas, anyone? Last resort is to sourcedive for the http auth login bit, and hook it to a homebrewed cgiwrapper, or a modified version of suexec/cgiwrap. But this is a lot of work, perhaps too much for what it would achieve.

Look into sudo. (The reason there is no easy way to do this is because it can easily create a massive security hole if it is not done extremely carefully.)

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
--
"Be happy. Try not to hurt each other. Hope you fall in love."
--Mallory, Family Ties Finale (on the meaning of life)

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------