Running CGIs under my uid - going slowly insane.

Bengt Richter bokr at oz.net
Sat Feb 2 18:36:17 EST 2002


On Sat, 02 Feb 2002 09:38:53 +0000, Jonathan Hogg <jonathan at onegoodidea.com> wrote:

>On 2/2/2002 2:28, in article a3fisr$9j6$0 at 216.39.172.122, "Bengt Richter"
><bokr at oz.net> wrote:
>
>> Rule 17 says maybe the above would work if you *don't* setuid it, but I don't
>> think you need it, unless maybe mod Python could otherwise get in between? I
>> haven't set that up myself.
>
>Yes, perhaps I should have made that more clear. I meant using 'suexec'
>*instead* of randomly setuiding executables. With mod_python it's even
>harder as the Apache process itself needs to be running as the user
>(requires the new 2.0 per-user pooling magic), but I don't think that's the
>problem.
>
>'suexec' is a much more secure mechanism for running cgis as a particular
>user. The user is set in the config file (per virtual host) and suexec has a
>number of rules that it checks before it will run the script as that user
>(as Bengt refers to) - such as that it is owned by the user, isn't writeable
>by anyone else, is within a particular cgi directory (this is the main
>problem with suexec as it is only one path per installation, so I've had to
>set it to something useless like '/' in the past to make it work with
>disparate cgi directories).

IME, you can use ScriptAlias to set suexec cgi directories on a per-virtual
host basis. I have one test VH running cgi out of '/', another with cgi
directory named other than 'cgi-bin', and others from the usual '/cgi-bin',
all running as account owner. See

    http://httpd.apache.org/docs/mod/mod_alias.html#scriptalias

Perhaps one path per installation applies to another version or mode of use?

Regards,
Bengt Richter
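
Added example, not part of the original message and not suexec's own code: a pre-deployment check for the three suexec rules named in the quoted text (owned by the user, not writable by anyone else, inside the cgi directory). The function names and the constructed temporary files are assumptions for illustration, it assumes a POSIX system, and the real suexec applies further checks beyond these three.

```python
import os
import stat
import tempfile

def suexec_precheck(script, uid, cgi_root):
    """Return the reasons `script` fails the three rules named in the post."""
    problems = []
    real_root = os.path.realpath(cgi_root)
    real_script = os.path.realpath(script)
    # Rule: the script must sit inside the configured cgi directory.
    if os.path.commonpath([real_root, real_script]) != real_root:
        problems.append("outside cgi directory")
    st = os.lstat(script)  # lstat: judge the entry itself, not a link target
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    # Rule: owned by the user the CGI will run as.
    if st.st_uid != uid:
        problems.append("not owned by target user")
    # Rule: not writable by anyone except the owner.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems

def _make(path, mode):
    with open(path, "w") as fh:
        fh.write("#!/usr/bin/env python\n")
    os.chmod(path, mode)  # explicit chmod so the umask cannot change the demo
    return path

def demo():
    """Run the check over constructed files in a throwaway directory."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "cgi-bin")
        os.mkdir(root)
        good = _make(os.path.join(root, "good.py"), 0o755)
        loose = _make(os.path.join(root, "loose.py"), 0o775)
        stray = _make(os.path.join(top, "stray.py"), 0o755)
        return {
            "good": suexec_precheck(good, me, root),
            "loose": suexec_precheck(loose, me, root),
            "outside": suexec_precheck(stray, me, root),
            "other_uid": suexec_precheck(good, me + 1, root),
        }

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "ok")
```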



