no setuid for CGI scripts?

Robin Becker robin at jessikat.fsnet.co.uk
Mon Nov 5 07:04:27 EST 2001


In article <4b4c5d99.0111050348.6d7c9406 at posting.google.com>, pawn
<NOSpawnPAM at lightspawn.org> writes
>I'm trying to convert a few simple CGI scripts from Perl to Python,
>and was shocked to learn that the Python interpreter silently ignores
>the setuid bit.
>
>I really don't know how to get around this. Since the server is hosted
>remotely I can't recompile python to allow setuid, and I can't make my
>files world read/writable - I need my python CGIs to run with MY uid.
>
>I read somewhere about using a wrapper C program but it seems really
>convoluted, as well as requiring a different wrapper for each CGI.
>
>Is there any solution, or should I stick to / am I stuck with Perl?
If you can get a wrapper program onto your machine it's as easy as this
(at least for FreeBSD):

#!/usr/home/myhome/bin/wrapper /usr/local/bin/python

Here wrapper is a program that you create to be setuid in your
name/group.

My code for the wrapper is below. I only allow it to work for
the owner and the nobody user.


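#include <stdio.h>
#include <stdlib.h>
#include <string.h> /*strlen, strcat*/
#include <unistd.h> /*getuid, setuid, setgid*/
#define SRCUID 1234 /*our UID so we can do things ourselves*/
#define NOBID  65535 /*another possible ID (nobody)*/
#define TGTUID 1234 /*the desired run UID*/
#define TGTGID 7890 /*the desired run group*/
#define TGTUSER "myusername"
#define TGTHOME "/usr/home/" TGTUSER
int main(int argc, char**argv)
{
        size_t  n=0;
        int     i;
        uid_t   uid;
        char *buf;
        /*only the owner and the nobody user may run the wrapper*/
        uid = getuid();
        if(uid!=NOBID && uid!=SRCUID) exit(-1);
        /*total length of the arguments, used to size the command buffer*/
        for(i=1;i<argc;i++) n += strlen(argv[i]);
        if(!n) exit(0);
        buf = malloc(n+argc+1);
        if(!buf) exit(-1);
        *buf = 0;
        /*join the arguments with single spaces*/
        for(i=1;i<argc;i++){
                if(i>1) strcat(buf," ");
                strcat(buf,argv[i]);
                }
        /*switch group first, then user, and stop if either call fails*/
        if(setgid(TGTGID)) exit(-1); /*users*/
        if(setuid(TGTUID)) exit(-1);
        setenv("USER",TGTUSER,1);
        setenv("HOME",TGTHOME,1);
        /*the joined string is handed to /bin/sh*/
        system(buf);
        return 0;
}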

-- 
Robin Becker
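
A hardened variant of the wrapper above, as an added example that is not part of the original post: it hands the arguments straight to one fixed interpreter with execve() instead of joining them for system(), and forwards only an allowlist of environment variables. It assumes the script's first line names only the wrapper; the IDs and paths are the post's placeholders, and the function names and the variable list are hypothetical.

```c
/* Added example: IDs, paths and the variable allowlist are placeholders. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define SRCUID 1234   /* account owner */
#define NOBID  65535  /* the web server's user (nobody) */
#define TGTUID 1234   /* UID the script should run as */
#define TGTGID 7890   /* GID the script should run as */
#define INTERP "/usr/local/bin/python"  /* the only program ever executed */
extern char **environ;

/* Only the account owner and the web server's user may use the wrapper. */
int caller_allowed(uid_t uid) { return uid == SRCUID || uid == NOBID; }

/* Keep the listed CGI variables; LD_*, PYTHON*, IFS and the rest are dropped. */
int env_allowed(const char *entry)
{
    static const char *keep[] = { "QUERY_STRING=", "REQUEST_METHOD=",
        "CONTENT_LENGTH=", "CONTENT_TYPE=", "PATH_INFO=", "SCRIPT_NAME=",
        "SERVER_NAME=", "REMOTE_ADDR=", "HTTP_HOST=", "HTTP_COOKIE=", NULL };
    size_t i;
    for (i = 0; keep[i]; i++)
        if (strncmp(entry, keep[i], strlen(keep[i])) == 0) return 1;
    return 0;
}

/* Copy allowed entries of src into dst (cap slots), then append fixed ones. */
size_t filter_env(char **src, char **dst, size_t cap)
{
    size_t n = 0;
    for (; *src && n + 4 < cap; src++)
        if (env_allowed(*src)) dst[n++] = *src;
    dst[n++] = "USER=myusername";
    dst[n++] = "HOME=/usr/home/myusername";
    dst[n++] = "PATH=/usr/bin:/bin";
    dst[n] = NULL;
    return n;
}

int main(int argc, char **argv)
{
    char *env[256];
    if (argc < 2 || !caller_allowed(getuid())) return 1;
    filter_env(environ, env, 256);
    if (setgid(TGTGID) != 0 || setuid(TGTUID) != 0) return 1; /* group first */
    argv[0] = INTERP;           /* argv[1..] is the script path and its args */
    execve(INTERP, argv, env);  /* no shell, so arguments are never re-parsed */
    return 1;                   /* reached only if execve failed */
}
```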


