Here is a more detailed rehash of my previous message...

1) Change your web scripts to create a file of usernames to create, for example, /var/tmp/users. The file should be owned by root, group apache, with permissions 660. Your script should append names to the file.

2) Create a cron job, which runs as root, which does the following:

    # Only start a new batch once the previous one has been fully processed.
    if [ ! -f /var/tmp/users.save ]; then
        if [ -s /var/tmp/users ]; then
            # Take the pending names and recreate an empty queue file.
            mv /var/tmp/users /var/tmp/users.save
            install --owner=root --group=apache --mode=660 /dev/null /var/tmp/users
        fi
        if [ -f /var/tmp/users.save ]; then
            for user in $(cat /var/tmp/users.save); do
                #
                # do whatever you need to do to create the user accounts
                #
                :   # no-op so the loop body is valid shell
            done
            rm /var/tmp/users.save
        fi
    fi

Disclaimer: There may be race conditions where this doesn't work, especially if the cron job runs too frequently.

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx on behalf of Joy Methew
Sent: Tue 8/12/2008 9:46 AM
To: General Red Hat Linux discussion list
Cc:
Subject: Re: suEXEC

Miner can you tell me how i can do this with root user power??

2008/8/12 Miner, Jonathan W (US SSA) <jonathan.w.miner@xxxxxxxxxxxxxx>

> Joy -
>
> I understand what you're trying to do. I was just proposing a slightly
> different security architecture. Just another way to look at the problem...
> Running processes as "root" should be a last resort, if there is no other
> way to perform the task.
>
> - Jon
>
>
> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx on behalf of Joy Methew
> Sent: Tue 8/12/2008 9:28 AM
> To: General Red Hat Linux discussion list
> Cc:
> Subject: Re: suEXEC
>
> Apache defaults to running as the user apache.
> This is a safe and effective strategy for mostly static websites, but many
> dynamic websites have CGI scripts that need more privileges. For example, a
> script may need to write to a file, or access a database as a user other
> than apache.
> so here i want to use root user.
>
> 2008/8/12 Miner, Jonathan W (US SSA) <jonathan.w.miner@xxxxxxxxxxxxxx>
>
> >
> > The way I have always accomplished this is by splitting the task into two
> > parts. First, use the web interface to create a simple text file (or
> > database) of work to be done. Second, use a cron job, running with
> > appropriate permissions, to read the text file, (or database) and perform
> > the work, and notify the original requester.
> >
> > The downside is that the work is done asynchronously.
> >
> > On the plus side, you don't need to run the webserver with elevated
> > permissions.
> >
> > -----Original Message-----
> > From: redhat-list-bounces@xxxxxxxxxx on behalf of Joy Methew
> > Sent: Tue 8/12/2008 8:59 AM
> > To: General Red Hat Linux discussion list
> > Cc:
> > Subject: Re: suEXEC
> >
> > i have told already i am not using both together.
> >
> > On Tue, Aug 12, 2008 at 5:41 PM, Broekman, Maarten <Maarten.Broekman@xxxxxxx> wrote:
> >
> > > By having the two virtual hosts, Apache will use the first matching
> > > entry. This means that it will never use the second virtual host entry.
> > > You either need to comment out the first entry or change it.
> > >
> > > Also, check the Apache documentation (http://httpd.apache.org/docs/).
> > >
> > > Maarten
> > >
> > >
> > > -----Original Message-----
> > > From: redhat-list-bounces@xxxxxxxxxx
> > > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Joy Methew
> > > Sent: Tuesday, August 12, 2008 8:08 AM
> > > To: General Red Hat Linux discussion list
> > > Subject: suEXEC
> > >
> > > script.sh.....
> > >
> > > #!/bin/bash
> > > echo Content-type: text/html
> > > echo
> > > whoami
> > > echo '<br><br>'
> > > id || echo "Will not work with SELinux."
> > > echo '<br>'
> > >
> > > first virtual hosting is showing username cgiuser but second virtual
> > > hosting is blank answer.
> > > i want it show username root.
> > > i m not doing this virtual hosting together.
> > > this virtual hosting only for testing purpose.
> > > chown cgiuser.cgiuser /var/www/virtual/cgi-bin/
> > > chmod 755 /var/www/virtual/cgi-bin/
> > > chmod 755 /var/www/virtual/cgi-bin/script.sh
> > >
> > > <VirtualHost 192.168.1.4:80>
> > > DocumentRoot /var/www/html
> > > ServerName 192.168.1.4
> > > ScriptAlias /cgi-bin/ /var/www/virtual/cgi-bin/
> > > SuexecUserGroup cgiuser cgiuser
> > > </VirtualHost>
> > >
> > > <VirtualHost 192.168.1.4:80>
> > > DocumentRoot /var/www/html
> > > ServerName 192.168.1.4
> > > ScriptAlias /root-cgi-bin/ /var/www/virtual/root-cgi-bin/
> > > SuexecUserGroup root root
> > > </VirtualHost>
> > > --
> > > redhat-list mailing list
> > > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > > https://www.redhat.com/mailman/listinfo/redhat-list
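The root-side half of the two-step scheme in the top message, as an added example that is not part of the thread: it validates every queued name before root acts on it and swaps the mv/install step for truncate-in-place under a lock, which addresses the race the disclaimer mentions. The username policy, the `CREATE_CMD` variable and the requirement that the web script take the same `flock` before appending are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): root-side worker for the queue file.
# Assumptions: the web script takes the same flock before appending, and
# CREATE_CMD (hypothetical knob) stays a dry run until set to "useradd".
LC_ALL=C; export LC_ALL
QUEUE=${QUEUE:-/var/tmp/users}
CREATE_CMD=${CREATE_CMD:-echo useradd}

# Each queued line is untrusted input handed to root. Accept only short
# lowercase account names; a leading "-" or shell metacharacter is refused.
valid_username() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 32 ] || return 1
    case $1 in
        [!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Copy the pending names to $2 and truncate $1 in place under an exclusive
# lock. Truncating keeps owner, group and mode, so the queue never vanishes.
drain_queue() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1    # refuse symlinks
    (
        flock -x 9 || exit 1
        cat <&9 > "$2" && : > "$1"
    ) 9<>"$1"
}

# Prints the number of accounts handed to CREATE_CMD.
process_queue() {
    batch=$(mktemp) || return 1
    drain_queue "$1" "$batch" || { rm -f "$batch"; return 1; }
    created=0 rejected=0
    while IFS= read -r name || [ -n "$name" ]; do
        if valid_username "$name"; then
            $CREATE_CMD "$name" >&2 </dev/null && created=$((created + 1))
        else
            rejected=$((rejected + 1))    # count only; never echo the raw line
        fi
    done < "$batch"
    rm -f "$batch"
    [ "$rejected" -eq 0 ] || echo "rejected $rejected queue entries" >&2
    echo "$created"
}

if [ "${1:-}" = "--run" ]; then process_queue "$QUEUE"; fi
```

Run from cron as `worker.sh --run`; with the default `CREATE_CMD` it only prints the `useradd` commands it would execute.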