Question about c wrapper for a python cgi project.

Steve Holden sholden at holdenweb.com
Tue Sep 18 08:58:39 EDT 2001


"Ignacio Vazquez-Abrams" <ignacio at openservices.net> wrote in message
news:mailman.999568444.32037.python-list at python.org...
> On Mon, 3 Sep 2001, Ignacio Vazquez-Abrams wrote:
>
> > On Mon, 3 Sep 2001, Wayne Ringling wrote:
> >
> > > I have been researching a way to somehow run a script in a c wrapper
> > > as root.  I have created a python script to alter the password and
> > > shadow files to add, delete, change users for an online community
> > > project my group is working on.  Can someone point me to a
> > > reference/how to about how I can do this.  I have created a session
> > > persistent cookie/database system to monitor state between pages and
> > > login/logout.  I just need a way to run the script as root securely.
> > > Or is that just a pipedream?  I would love to entertain any other
> > > ideas on how I can do this.
> > >
> > > Wayne
> >
> > You said "run as root" and "securely" in the same sentence relating to
> > CGI. You're funny!
> >
> > There is no way to make it entirely secure, but you can start by getting
> > the script that changes the password OUT of any directory
> > directly-accessible by the web server. Then make a script that verifies
> > EVERYTHING about the information (i.e., minimum uid, length of password,
> > etc.) and then, and _only_ then, should you call the other script (which
> > has been made suid root, and possibly sgid root) to do the changes.
>
> My bad. Setting scripts suid/sgid doesn't matter because it only works on
> executables.
>
> Take a look at a little program called sudo which allows execution of any
> program as root.
>
Unfortunately the sudo client program required the user to authenticate
themselves periodically, so it would seem to be unsuitable for CGI use. It
*really* isn't a good idea to be using root-privileged scripts on a web
server, although the advice so far is good.

Is there a reason why the web system must use the same authentication base
as the operating system? If it's all web-based there is no reason to use the
password files to authenticate web users, and then you can move away from
root privileges and run your scripts as some user or group with access to
the authentication database.

regards
 Steve

--
http://www.holdenweb.com/
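
The web-only authentication database suggested in the reply above, sketched as an added example that is not part of the original thread: the CGI script validates every input and keeps salted password hashes in its own store, so it never needs root or the system password files. The SQLite layout, the `webauth` account name, the naming policy and the PBKDF2 settings are all assumptions made for illustration.

```python
import hashlib, hmac, os, re, sqlite3

ITERATIONS = 200_000                                # assumed PBKDF2 work factor
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")   # assumed naming policy
MIN_PASSWORD_LEN = 10                               # assumed password policy

def open_store(path):
    """Open the web-only credential store. The file should belong to a
    dedicated non-root account (hypothetical 'webauth'), mode 0600."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS users ("
               "name TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    return db

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def add_user(db, name, password):
    """Validate everything first, then store a salted hash."""
    if not USERNAME_RE.fullmatch(name) or len(password) < MIN_PASSWORD_LEN:
        return False
    salt = os.urandom(16)
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO users VALUES (?, ?, ?)",
                       (name, salt, _derive(password, salt)))
    except sqlite3.IntegrityError:  # name already taken
        return False
    return True

def check_login(db, name, password):
    row = db.execute("SELECT salt, hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        # Do the same work for unknown names so timing does not reveal them.
        _derive(password, b"\0" * 16)
        return False
    return hmac.compare_digest(row[1], _derive(password, row[0]))

def change_password(db, name, old, new):
    """Require the current password and the length policy before updating."""
    if len(new) < MIN_PASSWORD_LEN or not check_login(db, name, old):
        return False
    salt = os.urandom(16)
    with db:
        db.execute("UPDATE users SET salt = ?, hash = ? WHERE name = ?",
                   (salt, _derive(new, salt), name))
    return True
```

All queries use bound parameters, so form input never reaches SQL or a shell as text.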







