[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux vs BackupPC web interface



John Summerfield wrote:

I take it the script begins
   #!/usr/bin/sperl

Change it to
   #!/usr/bin/perl
and see what you see.


No, it begins   #!/usr/bin/perl
but it needs to run suid to access the backups. [~] 11) l -lZ /var/www/cgi-bin/BackupPC/
-rwsr-x---  backuppc apache system_u:object_r:httpd_sys_script_exec_t:s0
BackupPC_Admin*


I think your phrase "fix properly" meas you need to learn how to write a local policy to allow it.


This same script worked in FC6.

There's been some tension (to my mind at least) between Linux[1] (setuid is ignored with scripts)

It is ignored in shell scripts because Linux does not provide the capability of running them securely (i.e. noticing the setuid status is not atomic with the file open so you have a race condition where you can replace the file).

and perl (stuff Linux, we're going to do setuid scripts).

Perl provides its own mechanism for executing setuid perl scripts, but it is packaged separately in fedora. You have to install the perl-suidperl package if you want the feature.

[1] I don't think Linux is alone here.

What I have done, in Debian and without selinux, where I want CGI to do root stuff is to authorise it without passwords via sudo,

Is there some reason to think this is better than the methods provided by apache or perl?

--
  Les Mikesell
   lesmikesell gmail com


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]