[svlug] To suEXEC or not
Alvin Oga
alvin at planet.fef.com
Tue Nov 10 02:45:56 PST 1998
hi ya cgi-folks...
am curious to get some feedback...
( am hesitant to use suEXEC )...
given: Webmaster.www is running the apache server..
where www is the group...
given also that a set of users want to modify
and update the *.html and *.pl cgi scripts
let's say the UID.GID is HTMLEditors.www
Also, assume that the permission is always group
writable for files and directories...
( was not previously, which I claim is part
of the problem )
let's assume umask 002 fixes the permissions
on the file and directories abc.pl creates when
running as WebMaster.www or HTMLEditors.www
Simple_abc.pl
    mkdir new_directory;
    touch new_directory/foo.html;
    -- note what's missing here --
    -- missing chown/chmod --
Problem:
---------
when Simple_abc.pl is run by WebMaster.www
it owns the files and dirs...
when HTMLEditors runs the same Simple_abc.pl
script, HTMLEditors owns the files
that WebMaster.www SHOULD still be able to
write...IF things are done right....
if the umask is set to 002 or the Simple_abc.pl
forces the owner and permissions, there should be NO
issues in WebMaster.www updating/writing the files...
Proposed Solution_1: Fixed_abc.pl ( my preferred solution )
    mkdir new_directory;
    --->> chown WebMaster.www new_directory
    --->> chmod 775 new_directory ( set umask instead )
    touch new_directory/foo.html;
    --->> chown WebMaster.www new_directory/foo.html;
    --->> chmod 664 new_directory/foo.html
- using chown ensures the file is always
- owned by Webmaster ( aka apache )....
Proposed Solution_2: suEXEC
Given the above scenario, I believe it is overkill
to invoke suEXEC from apache to run as HTMLEditors...
which is also a login bash shell....for the real people
editing the files and scripts...
Remember, all files and directories are group writable...
is there any reason to use suEXEC ??? ( aka setuid/setgid )
---------------------------------
just looking for some comments and if I "missed something"...
as I am very hesitant to use suEXEC...and never have used
it for solving group writable WebMaster.www files and directories...
- assumes that the cgi scripts do:
    chmod 775/664 ( or set umask in the script )
    chown Somebody.Group * on files/dir it creates
many different answers...but....these two approaches are the *debate*
thanks for your feedback...
alvin
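
The umask effect described in the post, as an added example that is not part of the original message: it creates the same directory and file under umask 022 and 002, lists whatever the group cannot write, and then repairs the tree with the explicit modes from Fixed_abc.pl. The function names and the temporary directory are assumptions made for the demonstration; the accounts WebMaster and HTMLEditors are not needed to run it.

```shell
#!/bin/sh
# Added example; names are constructed, not taken from the original post.

# create_tree ROOT UMASK: do what Simple_abc.pl does (mkdir + touch, no
# chmod/chown) under the given umask. Runs in a subshell so the caller's
# umask is left unchanged.
create_tree() {
    (
        umask "$2"
        mkdir -p "$1/new_directory" &&
        touch "$1/new_directory/foo.html"
    )
}

# perms PATH: print the permission string, e.g. "-rw-rw-r--".
perms() {
    ls -ld "$1" | cut -c1-10
}

# not_group_writable ROOT: list every entry whose group-write bit (020) is
# clear, i.e. what another member of the www group could not update.
not_group_writable() {
    find "$1" ! -perm -020 -print
}

# fix_tree ROOT [GROUP]: apply the explicit modes from Fixed_abc.pl.
# Only the group is changed: on Linux, chown to a different user needs
# root, while chgrp works for a group the calling user belongs to.
fix_tree() {
    if [ -n "$2" ]; then
        chgrp -R "$2" "$1" || return 1
    fi
    find "$1" -type d -exec chmod 775 {} +
    find "$1" -type f -exec chmod 664 {} +
}

# Demonstration in a throwaway directory.
demo=$(mktemp -d)
create_tree "$demo/old" 022
create_tree "$demo/new" 002
echo "umask 022: $(perms "$demo/old/new_directory/foo.html")"
echo "umask 002: $(perms "$demo/new/new_directory/foo.html")"
echo "not group writable under umask 022:"
not_group_writable "$demo/old/new_directory"
fix_tree "$demo/old/new_directory"
echo "after fix_tree: $(perms "$demo/old/new_directory/foo.html")"
rm -rf "$demo"
```

Running not_group_writable against the document root after a deployment shows which files were created by a script that neither set umask 002 nor did its own chmod.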