[svlug] To suEXEC or not
Robert Hajime Lanning
lanning at lanning.cc
Tue Nov 10 09:46:34 PST 1998
suEXEC was really made for ISPs and the like, where you have normal users
creating CGI scripts.
Under normal conditions, if a user wants the CGI script to write to a file, the
file must be writable by the webserver's UID. This then allows other people's
CGI scripts to write to the file also. suEXEC fixes this by changing the
EUID of the process running the CGI script to the owner of the CGI script. At
this point the writer of the CGI script only has access to his/her own files,
because other people don't have to open their files for write access to the
webserver UID.
>
>
> hi ya cgi-folks...
>
> am curious to get some feedback...
> ( am hesitant to use suEXEC )...
>
> given: Webmaster.www is running the apache server..
> where www is the group...
>
> given also that a set of users want to modify
> and update the *.html and *.pl cgi scripts
> lets say the UID.GID is HTMLEditors.www
>
> Also, assume that the permission is always group
> writable for files and directories...
> ( was not previously which I claim is part
> ( of the problem
>
> let's assume umask 002 fixes the permissions
> on the file and directories abc.pl creates when
> running as WebMaster.www or HTMLEditors.www
>
> Simple_abc.pl
> mkdir new_directory;
> touch new_directory/foo.html;
> -- note what's missing here --
> -- missing chown/chmod --
>
> Problem:
> ---------
> when Simple_abc.pl is run by WebMaster.www
> it owns the files and dirs...
>
> when HTMLEditors runs the same Simple_abc.pl
> scripts, HTMLEditors owns the files
> that WebMaster.www SHOULD still be able to
> write...IF things are done right....
>
> if the umask is set to 002 or the Simple_abc.pl
> forces the owner and permissions, there should be NO
> issues in WebMaster.www updating/writing the files...
>
> Proposed Solution_1: Fixed_abc.pl ( my preferred solution )
> mkdir new_directory;
> --->> chown WebMaster.www new_directory
> --->> chmod 775 new_directory ( set umask instead )
>
> touch new_directory/foo.html;
> --->> chown WebMaster.www new_directory/foo.html;
> --->> chmod 664 new_directory/foo.html
>
> - using chown ensures the file is always
> - owned by Webmaster ( aka apache )....
>
> Proposed Solution_2: suEXEC
> Given the above scenario, I believe it is overkill
> to invoke suEXEC from apache to run as HTMLEditors...
> which is also a login bash shell....for the real people
> editing the files and scripts...
>
> Remember, all files and directories are group writable...
>
> is there any reason to use suEXEC ??? ( aka setuid/setgid )
> ---------------------------------
>
> just looking for some comments and if I "missed something"...
> as I am very hesitant to use suEXEC...and never have used
> it for solving group writable WebMaster.www files and directories...
> - assumes that the cgi scripts do:
> chmod 775/664 ( or set umask in the script )
> chown Somebody.Group * on files/dir it creates
>
> many different answers...but....these two approaches are the *debate*
>
> thanks for your feedback...
> alvin
>
> --
> echo "unsubscribe svlug" | mail majordomo at svlug.org
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ to unsubscribe
>
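An added example, not part of the original thread: a small audit that lists the paths a shared web server identity can write, which on a server without suEXEC are the paths every user's CGI script can write. The function names, the sample tree and the stand-in server UID are constructed for illustration, and only classic mode bits are checked (no ACLs).

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """POSIX mode-bit write check: exactly one class (owner/group/other) applies."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def exposed_to_all_cgi(root, web_uid, web_gids):
    """Paths under root writable by the shared web server identity.

    Without suEXEC every user's CGI script runs as that identity, so each
    path returned here can be written by every CGI script on the host.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and can_write(st, web_uid, web_gids):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample(root):
    """Constructed docroot: two users' CGI data files with typical modes."""
    layout = {"alice/guestbook.txt": 0o664,   # group-writable for the server
              "alice/private.txt": 0o600,     # owner only, the suEXEC-style mode
              "bob/counter.dat": 0o666}       # world-writable
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w"):
            pass
        os.chmod(path, mode)
        os.chmod(os.path.dirname(path), 0o755)
    return layout

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        st = os.lstat(os.path.join(root, "alice/guestbook.txt"))
        web_uid = st.st_uid + 1               # constructed stand-in for the server UID
        print(exposed_to_all_cgi(root, web_uid, {st.st_gid}))
```

A file kept at mode 600 never appears in the output, and that mode only works for a CGI script when suEXEC runs the script as the file's owner.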