brent timothy saner on 13 Jan 2010 09:26:36 -0800
Ugh. Cgi scripts should never have to be run as root. However, that doesn't really solve the current problem.

It's a HUGE security flaw, just as a forewarning, but have you considered making them SUID root? (Not sure if anyone suggested it yet)

(lack of GPG due to message sent via blackberry device)

-----Original Message-----
From: Randall A Sindlinger <rsindlin+plug@seas.upenn.edu>
Date: Wed, 13 Jan 2010 12:00:11
To: Philadelphia Linux User's Group Discussion List<plug@lists.phillylinux.org>
Subject: Re: [PLUG] Running Apache CGI scripts as root?

On Wed, Jan 13, 2010 at 11:10:18AM -0500, Mike Sheinberg wrote:
> So, I'm trying to solve an issue at my work where I need particular CGI
> scripts to have root access to a number of binaries. I have been messing
> with the sudoers file to try to grant this access to the particular binaries
> in question without requiring a password but since the 'apache' account has
> no shell (apache:x:48:48:Apache:/var/www:/sbin/nologin)

The apache account has gid 48. Is chgrp'ing the binaries to GID 48 w/mode 550 viable in your environment? Or, if the binaries are already in a different group, can you add apache to the group membership without introducing a security concern?

-Randall Sindlinger
 Systems Programmer
 CETS, School of Engineering and Applied Science
 University of Pennsylvania
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
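An added example, not part of either message above: a POSIX shell check that audits a helper binary against the two options raised in the thread, flagging setuid bits and anything looser than the gid-48, mode-550 arrangement. The function name `audit_helper` and its finding labels are made up for illustration, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). audit_helper and its finding labels
# are hypothetical names; GNU coreutils `stat -c` is assumed.
# Usage: audit_helper PATH [GID]  (GID defaults to 48, the apache gid quoted above)
# Prints one finding per line; returns 0 if clean, 1 if findings, 2 if missing.
audit_helper() {
    path=$1
    want_gid=${2:-48}
    rc=0

    if [ ! -f "$path" ]; then
        echo "MISSING $path"
        return 2
    fi

    mode=$(stat -c '%a' "$path")   # octal mode, e.g. 550 or 4755
    uid=$(stat -c '%u' "$path")    # numeric owner
    gid=$(stat -c '%g' "$path")    # numeric group
    perm=$((0$mode))               # leading 0 makes the shell read it as octal

    # A setuid binary runs as its owner no matter who invokes it.
    if [ -u "$path" ]; then
        if [ "$uid" -eq 0 ]; then
            echo "SUID_ROOT $path (mode $mode)"
        else
            echo "SUID $path (mode $mode, uid $uid)"
        fi
        rc=1
    fi
    # Group or world write bit: an account other than the owner can alter the binary.
    if [ $((perm & 0022)) -ne 0 ]; then
        echo "WRITABLE $path (mode $mode)"
        rc=1
    fi
    # Mode 550 grants nothing to "other"; any such bit widens access.
    if [ $((perm & 0007)) -ne 0 ]; then
        echo "OTHER_ACCESS $path (mode $mode)"
        rc=1
    fi
    if [ "$gid" -ne "$want_gid" ]; then
        echo "WRONG_GROUP $path (gid $gid, expected $want_gid)"
        rc=1
    fi
    return $rc
}

# Run directly: sh audit.sh /path/to/binary [gid]
if [ "$#" -gt 0 ]; then
    audit_helper "$@"
fi
```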