• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 249
  • Last Modified:

How to run CGI script as a certain user without using Virtual Domain.

Hi experts.  I am a bit confused here.
Apache 1.3, Perl 5.6.1

I want to run Mailman(listserv) scripts from a perl cgi script.  The mailman scripts need to be run as either "root" or "list" to execute properly.

I got it to work when I setup the domain name to run as the user "list" in the apache virtual hosts setup.  But I would rather not do it this way since I may want to run something else as a different user down the road.

Is there a way to setup the web page to ask for a username on the page, that will run the script as that user? Or, can I just set the script somehow to run as a certain user?  Like sudo? I would like it to be automatic, but that might be a security problem, so if I had to login to the page that would be ok I guess.

So if I initate the cgi script from a HTML page, would this all work ok.  Is security a problem doing this?

Thanks Experts!


0
Airgazm
Asked:
Airgazm
1 Solution
 
zerofillCommented:
Here is the situation:
The Apache is running as a daemon with a privileges of a certain user, usualy "nobody". As a parent process it executes CGI scripts as a child processes which means CGIs are executed as the same user as Apache's one.
If you run Apache as root your scripts will be executed as root and they will work. BUT THIS IS VERY INSECURE and not a decision of the problem. Nobody do such a silly thing.
My suggestion is to continue running Apache as nobody or whatever your user is. Divide your cgi on two parts. One to be the cgi executed through http via the browser. The other part to be a perl (or other) script somewhere on server (recomended outside wwwroot for security reasons). When user executes the cgi, it (cgi) must execute the "script" (see below why is in quotes), which is set to run as a different user. You must be the user you want the script to be executed and then "chmod u+s file". I don't know how or is it possible to chmod u+s scriptfile but you can do such thing on alredy binary executable. So write it down in c/c++ or something else and compile it. Then chmod u+s and you are ready.
I am not sure how to chmod perl script but it may be possible. If you know how let me know.
Good luck
0
 
ahoffmannCommented:
you may chown and chmod as suggested by zerofill, butkeep in mind that apache needs to be configured to allow SUID scripts too.

Or you may call your script fromwithin aour existing perl cgi as follows:

  system("su","-","user","/path/to/script","arg-for-script");
0
 
AirgazmAuthor Commented:
Thanks for the Help!
0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now