Running CGIs under my uid - going slowly insane.

Jonathan Hogg jonathan at onegoodidea.com
Sat Feb 2 04:38:53 EST 2002


On 2/2/2002 2:28, in article a3fisr$9j6$0 at 216.39.172.122, "Bengt Richter"
<bokr at oz.net> wrote:

> Rule 17 says maybe the above would work if you *don't* setuid it, but I don't
> think you need it, unless maybe mod Python could otherwise get in between? I
> haven't set that up myself.

Yes, perhaps I should have made that more clear. I meant using 'suexec'
*instead* of randomly setuiding executables. With mod_python it's even
harder as the Apache process itself needs to be running as the user
(requires the new 2.0 per-user pooling magic), but I don't think that's the
problem.

'suexec' is a much more secure mechanism for running cgis as a particular
user. The user is set in the config file (per virtual host) and suexec has a
number of rules that it checks before it will run the script as that user
(as Bengt refers to) - such as that it is owned by the user, isn't writeable
by anyone else, is within a particular cgi directory (this is the main
problem with suexec as it is only one path per installation, so I've had to
set it to something useless like '/' in the past to make it work with
disparate cgi directories).

It would be much better all round if you can get the hosters to use this
rather than setuiding your own scripts.

Jonathan
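
The three suexec rules named in the message above (owned by the user, not writable by anyone else, inside the one configured CGI directory) can be checked before deployment. This is an added example, not part of the original message and not Apache's own code; `suexec_style_check` and the sample files are hypothetical, and real suexec applies more checks than these three.

```python
import os
import stat
import tempfile

def suexec_style_check(script, expected_uid, docroot):
    """Return the reasons a script would be refused (empty list = passes)."""
    problems = []
    real_root = os.path.realpath(docroot)
    real_script = os.path.realpath(script)
    # Rule: the script must live inside the single configured directory.
    if os.path.commonpath([real_root, real_script]) != real_root:
        problems.append("outside docroot")
    try:
        st = os.lstat(script)  # lstat: a symlink is not accepted as a script
    except FileNotFoundError:
        return problems + ["missing"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    # Rule: the script must be owned by the user it will run as.
    if st.st_uid != expected_uid:
        problems.append("wrong owner")
    # Rule: nobody but the owner may be able to modify it.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other")
    return problems

def demo():
    """Constructed sample: a temporary cgi-bin with tight and loose scripts."""
    results = {}
    with tempfile.TemporaryDirectory() as top:
        cgi = os.path.join(top, "cgi-bin")
        os.mkdir(cgi)
        good = os.path.join(cgi, "good.cgi")
        loose = os.path.join(cgi, "loose.cgi")
        stray = os.path.join(top, "stray.cgi")  # sits outside cgi-bin
        for path, mode in ((good, 0o755), (loose, 0o777), (stray, 0o755)):
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, mode)
        me = os.getuid()
        results["good"] = suexec_style_check(good, me, cgi)
        results["loose"] = suexec_style_check(loose, me, cgi)
        results["stray"] = suexec_style_check(stray, me, cgi)
        # With the directory set to '/', the containment rule accepts anything.
        results["stray_root"] = suexec_style_check(stray, me, "/")
        results["other_uid"] = suexec_style_check(good, me + 1, cgi)
    return results

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "ok")
```

The `stray_root` case shows what is lost when the directory is set to '/': the containment check no longer rejects anything.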



