[Tutor] CGI with python question
Pedro Diaz Jimenez
pdiaz88@terra.es
Thu, 1 Mar 2001 18:12:15 +0100
Hi folks,
I'm doing some CGI python scripts. One of them needs to access a MySQL
database on the localhost. I have experience dealing with MySQLdb, so this
is not a problem. Actually the problem is that I need to fetch the
username-password-host-db tuple from a file in /etc. Of course, this
file must be root-only readable, so nobody except the root can read
this sensitive information. On the other hand, I don't want to have
CGIs in my system with root privileges (I don't know if this is even possible
with Apache).
Considering this, I planned my cgi to do the following:
- The script is initially suid root
- Once it is called, it reads the /etc files
- Immediately after this, it changes its euid to nobody via os.setuid
- It does the rest of the job, including interacting with the MySQL server
Does this schema look OK in security terms? If not, what other schema
should I follow?
I've also been playing with suid Python scripts, but I wasn't able to make
them perform root-privileged actions. Example:
test.py:
-------
#!/usr/bin/python
import os
print os.geteuid()
os.setuid(0)
print os.geteuid()
f = open("/etc/shadow" )
print "ALL OK"
--------
# chmod +x test.py
# ls -la test.py
-rwxr-xr-x 1 root root 120 Mar 1 18:07 test.py
# ./test.py
0
0
ALL OK
# chmod u+s test.py
# ls -la test.py
-rwsr-xr-x 1 root root 120 Mar 1 18:07 test.py
# su pdiaz
$ ./test.py
1000
Traceback (innermost last):
File "./test.py", line 5, in ?
os.setuid(0)
OSError: [Errno 1] Operation not permitted
$
What am I doing wrong?
Thanks
Pedro
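The following is an added example written for this page; it is not Pedro's code and not a reply from the list. It shows the steps a root helper for the scheme described in the message would take: refuse to run unless it really is root (Linux ignores the setuid bit on "#!" scripts, which is why test.py above starts as uid 1000), read the root-only credential file only after checking its owner and mode, then drop to an unprivileged user in the correct order (supplementary groups, gid, uid) and verify that root cannot be regained. A drop that only changes the effective uid leaves the saved uid at 0 and can be reverted, so the check after the drop matters. The "user:password:host:db" line format, the path /etc/cgi-db.conf, the target user name "nobody" and the constructed sample file written by write_constructed_credentials() are all assumptions made for the example.

```python
#!/usr/bin/env python3
# Added example (Python 3), not code from the original post. Shows the
# privilege handling a setuid-root helper for the scheme above would need.
# The credential line format, the path, the user name 'nobody' and the
# constructed sample file are assumptions made for this example.
import os
import pwd
import stat
import sys
import tempfile

FIELDS = ("user", "password", "host", "db")


def parse_credentials(text):
    """Split one 'user:password:host:db' line (assumed format) into a dict."""
    fields = text.strip().split(":", 3)
    if len(fields) != len(FIELDS):
        raise ValueError("expected one line of the form user:password:host:db")
    return dict(zip(FIELDS, fields))


def credentials_file_is_private(path, expected_owner=0):
    """True only if the file belongs to expected_owner and has no group/other bits."""
    st = os.stat(path)
    return st.st_uid == expected_owner and stat.S_IMODE(st.st_mode) & 0o077 == 0


def load_credentials(path, expected_owner=0):
    """Read the credential file, refusing one that is readable by others or not
    owned by expected_owner: a root helper must not trust a file that another
    user could have replaced."""
    if not credentials_file_is_private(path, expected_owner):
        raise PermissionError(f"{path} must be owned by uid {expected_owner} with mode 0600")
    with open(path) as f:
        return parse_credentials(f.readline())


def running_as_root():
    return os.geteuid() == 0


def current_uid():
    return os.getuid()


def root_is_regainable():
    """True if the process can still become uid 0. After a correct drop this is
    False; it stays True when only the effective uid was changed, because the
    saved uid is still 0."""
    try:
        os.setuid(0)
    except PermissionError:
        return False
    return True


def drop_privileges(username="nobody"):
    """Permanently drop root. Order matters: supplementary groups first (needs
    root), then gid, then uid. os.setuid() from uid 0 sets the real, effective
    and saved uid together, so the change cannot be undone afterwards."""
    pw = pwd.getpwnam(username)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    if os.getuid() != pw.pw_uid or os.getgid() != pw.pw_gid or root_is_regainable():
        raise RuntimeError("privilege drop failed; refusing to continue")


def write_constructed_credentials(mode=0o600):
    """Write a constructed sample credential file (test data, not a real secret)
    and return its path."""
    fd, path = tempfile.mkstemp(prefix="dbcreds-")
    os.write(fd, b"cgiuser:example-password:localhost:webdb\n")
    os.close(fd)
    os.chmod(path, mode)
    return path


def main(cred_path="/etc/cgi-db.conf"):
    # Linux ignores the setuid bit on '#!' scripts, so running this file
    # directly arrives here with the caller's uid. Detect that instead of
    # silently carrying on without the credentials.
    if not running_as_root():
        sys.exit("not running as root: the setuid bit is not honoured on "
                 "interpreted scripts; start this from a setuid-root wrapper "
                 "or via sudo instead")
    creds = load_credentials(cred_path)      # still root: file is 0600 root
    drop_privileges("nobody")                # now irreversibly unprivileged
    # From here on the process is 'nobody' and holds only the parsed tuple;
    # this is where the MySQLdb.connect(...) call would go.
    print(f"connecting to {creds['db']} on {creds['host']} as "
          f"{creds['user']} (uid {os.getuid()})")


if __name__ == "__main__":
    main()
```

The file-permission check and the post-drop check are the two points worth keeping even if the rest changes: the first stops the helper from reading a credential file that someone other than root could have planted, the second turns a partial drop (for example seteuid() only) into a hard failure instead of a CGI that quietly keeps root.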