Re: list scripts, permissions, and ownerships.

From: Kirk Bailey (idiot1@netzero.net)
Date: 11/14/02


Date: Thu, 14 Nov 2002 01:07:34 -0500
From: Kirk Bailey <idiot1@netzero.net>
To: "security@FreeBSD.ORG" <security@FreeBSD.ORG>

Oops. I quote:

   7.Is the target user NOT superuser?

       Presently, suEXEC does not allow 'root' to execute CGI/SSI
       programs.

Alas, the file appears to be owned by root. Now what?

Noah K Sematimba wrote:
>
> I think that perhaps you need to read about apache's suEXEC mechanism:
>
> http://httpd.apache.org/docs/suexec.html
>
> cheers,
>
> Sematimba Noah Kevin
> Systems Administrator
> Africa Online Uganda Limited
> Commercial Plaza Kampala Road
> e-mail: ksemat@africaonline.co.ug
> WEB: http://www.africaonline.co.ug
> TEL: +256(41)258143
> FAX: +256(41)258144
>
> On Wed, 13 Nov 2002, Kirk Bailey wrote:
>
> > I have a problem. I am writing a script to create lists, and another to destroy
> > them- that is, MAIL lists, such as mailman, majordomo, and mojomail and tinylist
> > all work with. (I write TinyList.)
> >
> > The aliases file must have certain permissions, and it appears to be 644 in my
> > FreeBSD box- hope that's correct, but it works fine. And the ownership is root,
> > and that works fine.
> >
> > Well, Apache in the box is nobody:wheel and runs scripts as such. I have the
> > scripts owned nobody:wheel also. They run, but it cannot access the aliases
> > file-permissions/ownerships. OK, changed the relevant scripts' ownerships to
> > root (gasp!) and tried to run things that way. Still no luck. Scripts apparently
> > are running as nobody, even though owned by root.
> >
> > OK, a few questions.
> >
> > First, how do I get a script to discover what identity it is running as?
> >
> > Second, how can I ensure it runs as a particular identity (so as to be compatible
> > with the email system), when run by the web server?
> >
> > Third, what are the correct ownerships and permissions for /etc/mail and for
> > aliases? Just want to make sure I have things right.
> >
> >
> >
> >
> > --
> >
> > end
> >
> > Respectfully,
> > Kirk D Bailey
> >
> >
> > +---------------------"Thou Art Free." -Eris-----------------------+
> > | http://www.howlermonkey.net mailto:highprimate@howlermonkey.net |
> > | KILL spam dead! http://www.scambusters.org/stopspam/#Pledge |
> > | http://www.tinylist.org +--------+ mailto:grumpy@tinylist.org |
> > +------------------Thinking| NORMAL |Thinking----------------------+
> > +--------+
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >

-- 
end
Respectfully,
             Kirk D Bailey
+---------------------"Thou Art Free." -Eris-----------------------+
| http://www.howlermonkey.net  mailto:highprimate@howlermonkey.net |
| KILL spam dead!      http://www.scambusters.org/stopspam/#Pledge |
| http://www.tinylist.org  +--------+   mailto:grumpy@tinylist.org |
+------------------Thinking| NORMAL |Thinking----------------------+
                           +--------+

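Added example (not part of either poster's message and not TinyList code): a CGI-style script that reports the identity it actually runs as and applies the classic mode-bit check to a target file, which shows why changing the script's owner to root changes nothing about access to a root-owned 644 aliases file. The path /etc/mail/aliases and the function names are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Report which identity a CGI script runs as, and whether it may write a file."""
import grp
import os
import pwd
import stat


def identity():
    """Real/effective ids of this process; the script file's owner plays no part."""
    def name(lookup, field, n):
        try:
            return getattr(lookup(n), field)
        except KeyError:            # id with no passwd/group entry
            return str(n)
    return {
        "ruid": os.getuid(), "euid": os.geteuid(),
        "rgid": os.getgid(), "egid": os.getegid(),
        "user": name(pwd.getpwuid, "pw_name", os.geteuid()),
        "group": name(grp.getgrgid, "gr_name", os.getegid()),
        "groups": sorted(set(os.getgroups()) | {os.getegid()}),
    }


def can_write(f_uid, f_gid, f_mode, euid, gids):
    """Classic Unix mode-bit check (no ACLs): owner class, else group, else other."""
    if euid == 0:
        return True
    if euid == f_uid:
        return bool(f_mode & stat.S_IWUSR)
    if f_gid in gids:
        return bool(f_mode & stat.S_IWGRP)
    return bool(f_mode & stat.S_IWOTH)


def explain(path):
    """Combine identity() with stat(path) into one report."""
    who, st = identity(), os.stat(path)
    return {
        "path": path,
        "runs_as": f'{who["user"]}:{who["group"]}',
        "file_owner": (st.st_uid, st.st_gid),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "writable": can_write(st.st_uid, st.st_gid, st.st_mode,
                              who["euid"], who["groups"]),
    }


if __name__ == "__main__":
    print("Content-Type: text/plain\n")          # CGI header, then a blank line
    for key, value in explain("/etc/mail/aliases").items():  # assumed path
        print(f"{key}: {value}")
```
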
