Webmin-alike cgi script and security
Denis S. Otkidach
ods at fep.ru
Mon Jul 22 10:08:26 EDT 2002
On Mon, 22 Jul 2002, Dave Swegen wrote:
DS> The scripts themselves are run as the default webserver user, and take
DS> care of stuff like authentication and basic sanity checking.
DS>
DS> If all input checks out an external script is called using sudo to gain
DS> root privs. Any data that should be provided is pickled and
Adding the webserver's default user to sudoers is a bad thing anyway.
It's better to use suexec with a unique user that will be used for
this script only.
DS> stored in a file with a unique name, which is then the only argument to
DS> the sudo'ed script. Depending on the return value any return data is
DS> picked up again by the cgi script from a pickled data structure with the
DS> same name.
--
Denis S. Otkidach
http://www.python.ru/ [ru]
http://diveinto.python.ru/ [ru]
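An added configuration sketch, not part of the original message, contrasting the two setups discussed above: a sudoers entry for the shared webserver account versus a CGI started by suexec under an account used for this script only. The account names `www-data` and `panelcgi`, the host name and all paths are assumptions; `SuexecUserGroup` is the Apache 2.x mod_suexec directive, and giving the dedicated account a single sudo command is one reading of the suggestion, since suexec itself refuses to run programs as root.

```conf
# --- Setup the reply warns against (sudoers syntax) --------------------
# The shared webserver account may start the helper as root, so every CGI
# script and server module running under that account inherits the right.
# Shown commented out:
# www-data  ALL = (root) NOPASSWD: /usr/local/sbin/panel-helper

# --- Dedicated account for this one script (Apache 2.x, mod_suexec) ----
<VirtualHost *:80>
    ServerName panel.example.org
    DocumentRoot /var/www/panel
    # CGI programs in this vhost are started by suexec as panelcgi:panelcgi
    # instead of the shared webserver account.
    SuexecUserGroup panelcgi panelcgi
    ScriptAlias /cgi-bin/ /var/www/panel/cgi-bin/
</VirtualHost>
# suexec only runs the script if the script and its directory are owned by
# panelcgi, are not writable by group or others, and sit under the document
# root that suexec was built with.

# --- sudoers syntax: narrow the privileged step to that account --------
# Only panelcgi may start the root helper, and only this exact command.
panelcgi  ALL = (root) NOPASSWD: /usr/local/sbin/panel-helper
```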