no setuid for CGI scripts?
Robin Becker
robin at jessikat.fsnet.co.uk
Mon Nov 5 07:04:27 EST 2001
In article <4b4c5d99.0111050348.6d7c9406 at posting.google.com>, pawn
<NOSpawnPAM at lightspawn.org> writes
>I'm trying to convert a few simple CGI scripts from Perl to Python,
>and was shocked to learn that the Python interpreter silently ignores
>the setuid bit.
>
>I really don't know how to get around this. Since the server is hosted
>remotely I can't recompile python to allow setuid, and I can't make my
>files world read/writable - I need my python CGIs to run with MY uid.
>
>I read somewhere about using a wrapper C program but it seems really
>convoluted, as well as requiring a different wrapper for each CGI.
>
>Is there any solution, or should I stick to / am I stuck with Perl?

If you can get a wrapper program onto your machine it's as easy as this
(at least for FreeBSD):

#!/usr/home/myhome/bin/wrapper /usr/local/bin/python

Here wrapper is a program that you create to be setuid in your
name/group.

My code for the wrapper looks like below. I only allow it to work for
the owner and the nobody user.

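#include <stdio.h>
#include <stdlib.h>
#include <string.h> /*strlen, strcat*/
#include <unistd.h> /*getuid, setuid, setgid*/
#define SRCUID 1234 /*our UID so we can do things ourselves*/
#define NOBID 65535 /*another possible ID (nobody)*/
#define TGTUID 1234 /*the desired run UID*/
#define TGTGID 7890 /*the desired run group*/
#define TGTUSER "myusername"
#define TGTHOME "/usr/home/" TGTUSER
int main(int argc, char**argv)
{
    size_t i, n=0;
    uid_t uid;
    char *buf;
    /*only the owner and the nobody user may run the wrapper*/
    uid = getuid();
    if(uid!=NOBID && uid!=SRCUID) exit(-1);
    /*total length of the arguments that will be joined*/
    for(i=1;i<argc;i++) n += strlen(argv[i]);
    if(!n) exit(0);
    buf = malloc(n+argc+1);
    if(!buf) exit(-1);
    *buf = 0;
    for(i=1;i<argc;i++){
        if(i>1) strcat(buf," ");
        strcat(buf,argv[i]);
    }
    /*change group, then user; stop if either call fails*/
    if(setgid(TGTGID)) exit(-1); /*users*/
    if(setuid(TGTUID)) exit(-1);
    setenv("USER",TGTUSER,1);
    setenv("HOME",TGTHOME,1);
    /*the joined string is interpreted by /bin/sh*/
    system(buf);
    return 0;
}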
--
Robin Becker