suEXEC

Miner, Jonathan W (US SSA) jonathan.w.miner at baesystems.com
Tue Aug 12 14:11:11 UTC 2008


Here is a more detailed rehash of my previous message...

1) Change your web scripts to create a file of usernames to create, for example, /var/tmp/users.  The file should be owned by root, group apache, with permissions 660.  Your script should append names to the file.

2) Create a cron job, which runs as root, which does the following:

if [ ! -f /var/tmp/users.save ]; then
  if [ -s /var/tmp/users ]; then
    # Take the queue away from the web scripts and leave an empty one behind
    mv /var/tmp/users /var/tmp/users.save
    install --owner=root --group=apache --mode=660 /dev/null /var/tmp/users
  fi

  if [ -f /var/tmp/users.save ]; then
    # One name per line; `read -r` avoids the word splitting that
    # `for user in $(cat ...)` would do on the file contents
    while IFS= read -r user; do
      #
      # do whatever you need to do to create the user accounts
      # (the `:` no-op keeps the loop valid until real commands go here)
      #
      :
    done < /var/tmp/users.save
    rm /var/tmp/users.save
  fi
fi

Disclaimer:  There may be race conditions where this doesn't work, especially if the cron job runs too frequently.



-----Original Message-----
From:	redhat-list-bounces at redhat.com on behalf of Joy Methew
Sent:	Tue 8/12/2008 9:46 AM
To:	General Red Hat Linux discussion list
Cc:	
Subject:	Re: suEXEC

Miner,
Can you tell me how I can do this with root user power?

2008/8/12 Miner, Jonathan W (US SSA) <jonathan.w.miner at baesystems.com>

> Joy -
>
> I understand what you're trying to do.  I was just proposing a slightly
> different security architecture. Just another way to look at the problem...
> Running processes as "root" should be a last resort, if there is no other
> way to perform the task.
>
> - Jon
>
>
> -----Original Message-----
> From:   redhat-list-bounces at redhat.com on behalf of Joy Methew
> Sent:   Tue 8/12/2008 9:28 AM
> To:     General Red Hat Linux discussion list
> Cc:
> Subject:        Re: suEXEC
>
> Apache defaults to running as the user apache.
> This is a safe and effective strategy for a mostly static website, but many
> dynamic websites have CGI scripts that need more privileges. For example, a
> script may need to write to a file, or access a database as a user other
> than apache.
> So here I want to use the root user.
>
> 2008/8/12 Miner, Jonathan W (US SSA) <jonathan.w.miner at baesystems.com>
>
> >
> > The way I have always accomplished this is by splitting the task into two
> > parts.  First, use the web interface to create a simple text file (or
> > database) of work to be done.  Second, use a cron job, running with
> > appropriate permissions, to read the text file, (or database) and perform
> > the work, and notify the original requester.
> >
> > The downside is that the work is done asynchronously.
> >
> > On the plus side, you don't need to run the webserver with elevated
> > permissions.
> >
> > -----Original Message-----
> > From:   redhat-list-bounces at redhat.com on behalf of Joy Methew
> > Sent:   Tue 8/12/2008 8:59 AM
> > To:     General Red Hat Linux discussion list
> > Cc:
> > Subject:        Re: suEXEC
> >
> > I have told you already, I am not using both together.
> >
> > On Tue, Aug 12, 2008 at 5:41 PM, Broekman, Maarten <
> > Maarten.Broekman at fmr.com
> > > wrote:
> >
> > > By having the two virtual hosts, Apache will use the first matching
> > > entry.  This means that it will never use the second virtual host
> entry.
> > > You either need to comment out the first entry or change it.
> > >
> > > Also, check the Apache documentation (http://httpd.apache.org/docs/).
> > >
> > > Maarten
> > >
> > >
> > > -----Original Message-----
> > > From: redhat-list-bounces at redhat.com
> > > [mailto:redhat-list-bounces at redhat.com] On Behalf Of Joy Methew
> > > Sent: Tuesday, August 12, 2008 8:08 AM
> > > To: General Red Hat Linux discussion list
> > > Subject: suEXEC
> > >
> > > script.sh.....
> > >
> > > #!/bin/bash
> > > echo Content-type: text/html
> > > echo
> > > whoami
> > > echo '<br><br>'
> > > id || echo "Will not work with SELinux."
> > > echo '<br>'
> > >
> > > The first virtual host is showing username cgiuser but the second virtual
> > > host gives a blank answer.
> > > I want it to show username root.
> > > I am not doing this virtual hosting together.
> > > This virtual hosting is only for testing purposes.
> > > chown cgiuser.cgiuser /var/www/virtual/cgi-bin/
> > > chmod 755 /var/www/virtual/cgi-bin/
> > > chmod 755 /var/www/virtual/cgi-bin/script.sh
> > >
> > > <VirtualHost 192.168.1.4:80>
> > >     DocumentRoot /var/www/html
> > >     ServerName 192.168.1.4
> > >     ScriptAlias /cgi-bin/ /var/www/virtual/cgi-bin/
> > >     SuexecUserGroup cgiuser cgiuser
> > > </VirtualHost>
> > >
> > > <VirtualHost 192.168.1.4:80>
> > >     DocumentRoot /var/www/html
> > >     ServerName 192.168.1.4
> > >     ScriptAlias /root-cgi-bin/ /var/www/virtual/root-cgi-bin/
> > >     SuexecUserGroup root root
> > > </VirtualHost>
> > > --
> > > redhat-list mailing list
> > > unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> > > https://www.redhat.com/mailman/listinfo/redhat-list
> > >
> > >
> > >
> >
> >
> >
> >
> >
>
>
>
>
>
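A hardened version of the queue-and-cron consumer Jon Miner describes at the top of this thread, added here as an example and not code from the thread: it takes over the queue file the same way, but validates every queued name before handing it to the provisioning step and processes the file line by line. The queue path, the owner/group arguments and CREATE_USER are assumptions or placeholders.

```shell
#!/bin/sh
# Consumer side of the queue pattern: web scripts append names to a queue
# file, root's cron runs this. Paths, owner/group and the provisioning
# command are parameters so the logic can be exercised without root.

# Accept only plain lower-case account names (letter first, max 32 chars),
# so a line written by the web tier can never be taken as an option or path.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[!a-z]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# rotate_queue QUEUE [OWNER GROUP]: take over the queue and leave a fresh,
# empty one with the same mode (and ownership when run as root). Returns 1
# when nothing is queued or a previous run still owns the .save file.
rotate_queue() {
    queue=$1 owner=${2:-} group=${3:-}
    [ -e "$queue.save" ] && return 1
    [ -s "$queue" ] || return 1
    mv "$queue" "$queue.save" || return 1
    # The gap between mv and install is the race the thread's disclaimer
    # mentions; an flock shared with the web-side appender would close it.
    if [ -n "$owner" ]; then
        install -o "$owner" -g "$group" -m 660 /dev/null "$queue"
    else
        install -m 660 /dev/null "$queue"
    fi
}

# process_queue SAVEFILE CREATE_CMD: hand each valid name to CREATE_CMD once,
# log and skip anything that fails validation, remove the .save file; 1 if any failed.
process_queue() {
    save=$1 create=$2 bad=0
    while IFS= read -r name || [ -n "$name" ]; do
        [ -n "$name" ] || continue           # tolerate blank lines
        if valid_username "$name"; then
            "$create" "$name" || bad=1
        else
            printf 'rejected queue entry: %s\n' "$name" >&2
            bad=1
        fi
    done < "$save"
    rm -f "$save"
    return "$bad"
}

# Cron usage (as root; CREATE_USER is a placeholder for the site's useradd wrapper):
#   rotate_queue /var/tmp/users root apache && process_queue /var/tmp/users.save "$CREATE_USER"
```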