Posted to users@httpd.apache.org by Wolfgang Laun <wo...@gmail.com> on 2012/03/04 18:33:38 UTC

[users@httpd] changing owner:group of uploaded data

A CGI script creates a file; it should also change its "natural" owner and
group (daemon.daemon) to the one of the (authenticated) requesting user.
Several users should be able to do that. Having read the Apache 2.4
documentation on Suexec I have the impression that this isn't possible at
all. Is this correct or did I miss something?

Thanks
-W

Re: [users@httpd] changing owner:group of uploaded data

Posted by Wolfgang Laun <wo...@gmail.com>.
On 5 March 2012 08:06, Steve Swift <Sw...@swiftys.org.uk> wrote:

> This certainly sounds like a situation for SUEXEC.
>
> However, if you need the apache server to assign files to arbitrary
> user:group then there are two ways that I know of:
>
>    1. You could create a SUDO entry which allows apache to use the
>    chown/chgrp command AS root

This did the trick

>    2. You could create a program to issue the chown/chgrp commands and
>    use the SETUID bit so that it executes as root.

Somehow, this failed to work, no matter what I tried. Although the simple
shell script did work when invoked from the command line, it never worked
when invoked with (Perl) system( "/name/of/script $usr:$grp $path" )

Thank you!
Wolfgang

>
>
> In the first case, the SUDO entry should be restricted to your apache ID
> In the second case, the process is controlled by a program that you
> control, so you can add any security that you wish. I'd start by having the
> program verify that it is, indeed, running under the apache userid,
> whatever that is in your case.
>
> On 4 March 2012 21:57, Mark Montague <ma...@catseye.org> wrote:
>
>> On March 4, 2012 12:33 , Wolfgang Laun <wo...@gmail.com> wrote:
>>
>>> A CGI script creates a file; it should also change its "natural" owner
>>> and group (daemon.daemon) to the one of the (authenticated) requesting
>>> user. Several users should be able to do that. Having read the Apache 2.4
>>> documentation on Suexec I have the impression that this isn't possible at
>>> all. Is this correct or did I miss something?
>>>
>>
>> Only root can change the owner of a file.  So if a CGI needs to change
>> the owner of a file that it creates, the CGI would have to be run as root
>> (very dangerous, do not do this) or it would have to use a set-uid helper
>> script to change the owner.  Suexec cannot change the owner of a file
>> created by a CGI, because it will not know what files the CGI creates.
>>
>> I think what you want is to run the CGI as the user who is authenticated.
>>  Then any files created by the CGI will be owned by the user who is
>> authenticated.  Does this sound right?
>>
>> For more information, see https://wiki.apache.org/httpd/PrivilegeSeparation
>>
>> --
>>  Mark Montague
>>  mark@catseye.org
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>
>
> --
> Steve Swift
> http://www.swiftys.org.uk
>

Re: [users@httpd] changing owner:group of uploaded data

Posted by Steve Swift <Sw...@swiftys.org.uk>.
This certainly sounds like a situation for SUEXEC.

However, if you need the apache server to assign files to arbitrary
user:group then there are two ways that I know of:

   1. You could create a SUDO entry which allows apache to use the
   chown/chgrp command AS root
   2. You could create a program to issue the chown/chgrp commands and use
   the SETUID bit so that it executes as root.

In the first case, the SUDO entry should be restricted to your apache ID
In the second case, the process is controlled by a program that you
control, so you can add any security that you wish. I'd start by having the
program verify that it is, indeed, running under the apache userid,
whatever that is in your case.

On 4 March 2012 21:57, Mark Montague <ma...@catseye.org> wrote:

> On March 4, 2012 12:33 , Wolfgang Laun <wo...@gmail.com> wrote:
>
>> A CGI script creates a file; it should also change its "natural" owner
>> and group (daemon.daemon) to the one of the (authenticated) requesting
>> user. Several users should be able to do that. Having read the Apache 2.4
>> documentation on Suexec I have the impression that this isn't possible at
>> all. Is this correct or did I miss something?
>>
>
> Only root can change the owner of a file.  So if a CGI needs to change the
> owner of a file that it creates, the CGI would have to be run as root (very
> dangerous, do not do this) or it would have to use a set-uid helper script
> to change the owner.  Suexec cannot change the owner of a file created by a
> CGI, because it will not know what files the CGI creates.
>
> I think what you want is to run the CGI as the user who is authenticated.
>  Then any files created by the CGI will be owned by the user who is
> authenticated.  Does this sound right?
>
> For more information, see https://wiki.apache.org/httpd/PrivilegeSeparation
>
> --
>  Mark Montague
>  mark@catseye.org
>
>


-- 
Steve Swift
http://www.swiftys.org.uk
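Steve's second option, worked through as an added example (this is not code from the thread or from the httpd project). It is a small set-uid helper in C: the kernel ignores the set-uid bit on interpreted scripts, so the helper has to be a compiled binary, and the interesting part is the policy it enforces before touching anything. It checks that its real uid is the web server's uid (Steve's "verify that it is running under the apache userid"), that the requested owner is on a fixed allowlist, that the file lives below the upload directory, and, after opening the file without following symlinks, that the file is a regular file still owned by the web server, i.e. one the CGI actually created. The upload directory, the user names and the allowlist are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed layout for this example: httpd writes uploads below UPLOAD_ROOT as
 * APACHE_USER, and only the users in allowed_users may become owners. Install
 * the binary root-owned, group = the httpd group, mode 4750, so only the httpd
 * process can execute it at all. */
#define UPLOAD_ROOT "/var/www/uploads/"
#define APACHE_USER "daemon"
static const char *const allowed_users[] = { "alice", "bob", NULL };

enum check_result {
    CHECK_OK = 0,
    CHECK_BAD_CALLER,   /* real uid is not the web server's uid */
    CHECK_BAD_USER,     /* requested owner is not on the allowlist */
    CHECK_BAD_PATH      /* file is outside UPLOAD_ROOT or contains ".." */
};

/* Allowlist lookup: refuses root, system accounts and typos alike. */
int user_allowed(const char *name)
{
    for (int i = 0; allowed_users[i] != NULL; i++)
        if (strcmp(allowed_users[i], name) == 0)
            return 1;
    return 0;
}

/* The path must be strictly below UPLOAD_ROOT and contain no ".." component.
 * Symlinks are dealt with later by O_NOFOLLOW plus an fstat on the open fd. */
int path_allowed(const char *path)
{
    size_t root_len = strlen(UPLOAD_ROOT), len = strlen(path);
    if (len <= root_len || strncmp(path, UPLOAD_ROOT, root_len) != 0)
        return 0;
    if (strstr(path, "/../") != NULL)
        return 0;
    if (len >= 3 && strcmp(path + len - 3, "/..") == 0)
        return 0;
    return 1;
}

/* Pure policy decision, separated from the system calls so it can be tested
 * without root. caller is the real uid of the process (getuid()). */
enum check_result check_request(uid_t caller, uid_t apache_uid,
                                const char *user, const char *path)
{
    if (caller != apache_uid)
        return CHECK_BAD_CALLER;
    if (!user_allowed(user))
        return CHECK_BAD_USER;
    if (!path_allowed(path))
        return CHECK_BAD_PATH;
    return CHECK_OK;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user %sfile\n", argv[0], UPLOAD_ROOT);
        return 2;
    }
    struct passwd *ap = getpwnam(APACHE_USER);
    if (ap == NULL) {
        fprintf(stderr, "unknown web server account %s\n", APACHE_USER);
        return 2;
    }
    enum check_result r = check_request(getuid(), ap->pw_uid, argv[1], argv[2]);
    if (r != CHECK_OK) {
        fprintf(stderr, "refused: policy check %d failed\n", (int)r);
        return 1;
    }
    struct passwd *target = getpwnam(argv[1]);
    if (target == NULL) {
        fprintf(stderr, "no such user %s\n", argv[1]);
        return 1;
    }
    /* Open without following symlinks, then inspect what was really opened:
     * it must be a regular file still owned by the web server. */
    int fd = open(argv[2], O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != ap->pw_uid) {
        fprintf(stderr, "not a regular file owned by %s\n", APACHE_USER);
        close(fd);
        return 1;
    }
    /* fchown acts on the fd we inspected, not on a path that could be swapped
     * between the check and the change. Group follows the user's primary group. */
    if (fchown(fd, target->pw_uid, target->pw_gid) != 0) {
        perror("fchown");
        close(fd);
        return 1;
    }
    close(fd);
    return 0;
}
```

The CGI then calls the helper with just a user name and a path; it never gets to choose root, a path outside the upload tree, or a file it did not create itself. The same restrictions belong in the sudoers route from Steve's first option: limit the rule to the httpd account and to a wrapper like this one rather than to a bare `chown`, which would otherwise let any code running as the web server re-own arbitrary files.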

Re: [users@httpd] changing owner:group of uploaded data

Posted by Mark Montague <ma...@catseye.org>.
On March 4, 2012 12:33 , Wolfgang Laun <wo...@gmail.com> wrote:
> A CGI script creates a file; it should also change its "natural" 
> owner and group (daemon.daemon) to the one of the (authenticated) 
> requesting user. Several users should be able to do that. Having read 
> the Apache 2.4 documentation on Suexec I have the impression that this 
> isn't possible at all. Is this correct or did I miss something?

Only root can change the owner of a file.  So if a CGI needs to change 
the owner of a file that it creates, the CGI would have to be run as 
root (very dangerous, do not do this) or it would have to use a set-uid 
helper script to change the owner.  Suexec cannot change the owner of a 
file created by a CGI, because it will not know what files the CGI creates.

I think what you want is to run the CGI as the user who is 
authenticated.  Then any files created by the CGI will be owned by the 
user who is authenticated.  Does this sound right?

For more information, see https://wiki.apache.org/httpd/PrivilegeSeparation

--
   Mark Montague
   mark@catseye.org

