Posted to users@httpd.apache.org by Brian Gibson <bg...@wheatonma.edu> on 2002/02/01 00:12:59 UTC

running a cgi script as root

I am developing a web page that lets the end users at our school change
their Linux passwords.

I need the perl cgi that gets called to be run as the root user and
Apache is not letting me.
When I take in the user's name, old password, new password + a
confirmation of the new password
I run these strings through a series of tests to make sure everything
looks OK.  I then need
the perl script ( "password.pl" which is owned by root ) to run the
command

$result_of_password_change = `/bin/echo $newpassword | /usr/bin/passwd --stdin $name`;

What this line does is it changes the password of the user (in $name
variable ) to the new
password stored in the $newpassword variable.  The --stdin option makes
the command run in
non-interactive mode.    This works fine if I run the command
outside of Apache but when I try and run it within the CGI environment I
receive this line
in the Apache error_log

Only root can do that

Apache is running as the User "apache" and the Group "apache" which is
standard for the RedHat 7.1 
install.  I ran "chmod u+s password.pl"
to have the setuid bit set for the owner of the perl script who is the
user "root".  I did some reading on
the suEXEC command at

http://httpd.apache.org/docs-2.0/suexec.html

and read the following "Presently, suEXEC does not allow 'root' to
execute CGI/SSI programs."

Is there any way I can get this script to run as the user root?  

Any suggestions you can offer would be appreciated.  I have included the
server version info from the
"server-status" page below

Server Version: Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5
OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01


Any help you can offer would be greatly appreciated!

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: running a cgi script as root

Posted by Brian Gibson <bg...@wheatonma.edu>.
Thank you very much for the suggestion!




jon schatz wrote:
> 
> On Thu, 2002-01-31 at 15:12, Brian Gibson wrote:
> > Is there any way I can get this script to run as the user root?
> 
> write a setuid wrapper in c. i believe there's an example of this in the
> perl cookbook. languages with a #! line can't be run setuid in many
> unixes. there's a detailed explanation of why this is in the camel book
> somewhere (has to do with the interpreter changing in between the time
> the script is called and the interpreter is executed iirc).
> 
> -jon
> 
> --
> jon@divisionbyzero.com || www.divisionbyzero.com
> gpg key: www.divisionbyzero.com/pubkey.asc
> think i have a virus?: www.divisionbyzero.com/pgp.html
> "You are in a twisty little maze of Sendmail rules, all confusing."



Re: running a cgi script as root

Posted by jon schatz <jo...@divisionbyzero.com>.
On Thu, 2002-01-31 at 15:12, Brian Gibson wrote:
> Is there any way I can get this script to run as the user root?  

write a setuid wrapper in c. i believe there's an example of this in the
perl cookbook. languages with a #! line can't be run setuid in many
unixes. there's a detailed explanation of why this is in the camel book
somewhere (has to do with the interpreter changing in between the time
the script is called and the interpreter is executed iirc).

-jon

-- 
jon@divisionbyzero.com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
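
Added example, not part of the thread and not code from the Perl Cookbook: a sketch of the setuid wrapper suggested above, narrowed so that only the privileged step (the /usr/bin/passwd --stdin call from the original post) runs as root, with no shell involved. The function names, the username pattern and the MIN_UID value of 500 are assumptions made for this example.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PASSWD_BIN "/usr/bin/passwd"  /* path from the original post */
#define MIN_UID 500u                  /* assumption: first non-system UID */

/* Accept only short names made of [a-z0-9_-] that start with a letter,
 * so the argument can never be read as an option or carry metacharacters. */
int valid_username(const char *s)
{
    size_t i, n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > 32 || !islower((unsigned char)s[0])) return 0;
    for (i = 1; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!islower(c) && !isdigit(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Return 1 only for an existing account at or above MIN_UID (never root). */
int allowed_account(const char *name)
{
    struct passwd *pw;
    if (!valid_username(name)) return 0;
    pw = getpwnam(name);
    return pw != NULL && pw->pw_uid >= MIN_UID;
}

int main(int argc, char **argv)
{
    char *clean_env[] = { "PATH=/bin:/usr/bin", NULL };
    char *args[] = { "passwd", "--stdin", NULL, NULL };
    if (argc != 2 || !allowed_account(argv[1])) {
        fprintf(stderr, "usage: %s <username>\n", argv[0]);
        return 1;
    }
    /* Set the real IDs as well as the effective ones before calling passwd. */
    if (setgid(0) != 0 || setuid(0) != 0) { perror("setuid"); return 1; }
    args[2] = argv[1];
    /* No shell, fixed binary, fixed environment; the password arrives on stdin. */
    execve(PASSWD_BIN, args, clean_env);
    perror("execve");
    return 1;
}
```

The CGI keeps doing the old-password check as the apache user, then runs this helper with the username as its only argument and writes the new password to the helper's stdin, so neither value is interpolated into a shell command. Installing the binary root-owned, setuid, and executable only by the apache group limits who can invoke it.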