Posted to test-dev@httpd.apache.org by Stas Bekman <st...@stason.org> on 2003/10/25 10:19:33 UTC
Re: Apache-Test/lib/Apache/TestRun.pm
Joe Ratterman wrote:
> Sorry about this rather informal email, but I was having an issue with a
> patch to mod-perl that appears to have been submitted/committed by you.
But please post any question re: Apache-Test to the test-dev list. Thank you.
> It modified the file Apache-Test/lib/Apache/TestRun.pm to use 'su'
> instead of 'sudo'.
>
> My version of 'su' (slackware 9.0 Linux) does not appear to like the
> '-m' flag for su, nor does the man page list any such flag. The
> alteration works fine if the 'm' is removed (leaving the '-').
>
> I am suggesting the change; if I am wrong or you need a different
> format, please let me know.
Sorry about that, Joe. I thought it was portable.
Does anybody know a portable way to su to a different user and check whether a
given dir is rwx by that user? The only alternative solution I can think of is
to traverse the whole path and check the perms on each directory, which
involves checking whether the user belongs to the group the dirs are
permitted to rwx. Can that be made portable?
> % cvs diff ./Apache-Test/lib/Apache/TestRun.pm
> Index: ./Apache-Test/lib/Apache/TestRun.pm
> ===================================================================
> RCS file:
> /home/cvspublic/httpd-test/perl-framework/Apache-Test/lib/Apache/TestRun.pm,v
> retrieving revision 1.119
> diff -r1.119 TestRun.pm
> 803c803
> < my $check = qq[su -m $user -c '$perl -e ] .
> ---
>
>> my $check = qq[su - $user -c '$perl -e ] .
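Review bot: On line 803, 'su - $user' is not a drop-in replacement for 'su -m $user': the bare '-' asks for a login shell, so the '-c' command runs through the target account's login shell with that account's environment instead of the caller's, and the check then depends on that account having a usable shell. $user and $perl are also interpolated into the shell string without quoting, so a value containing a space or a quote breaks the command. Suggest dropping the dependency on su flags altogether and doing the rwx test inside Perl after switching IDs.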
I'm quite sure that it won't work on some other platform/distro :(
__________________________________________________________________
Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org http://ticketmaster.com
Re: Apache-Test/lib/Apache/TestRun.pm
Posted by Stas Bekman <st...@stason.org>.
Vivek Khera wrote:
> >>>>> "SB" == Stas Bekman <st...@stason.org> writes:
>
>
> SB> perl -e 'require POSIX; POSIX::setuid(65534); POSIX::setgid(65534); \
> SB> print -r q{/tmp} && -w _ && -x _ ? q{OK} : q{NOK}; '
>
>
> Since when is user nobody hardwired to UID 65534? I never saw POSIX
> mandate that.
It's not hardwired. It's what happened to run on my machine. It's just a
printout of the command that was run.
Re: Apache-Test/lib/Apache/TestRun.pm
Posted by Vivek Khera <kh...@kcilink.com>.
>>>>> "SB" == Stas Bekman <st...@stason.org> writes:
SB> perl -e 'require POSIX; POSIX::setuid(65534); POSIX::setgid(65534); \
SB> print -r q{/tmp} && -w _ && -x _ ? q{OK} : q{NOK}; '
Since when is user nobody hardwired to UID 65534? I never saw POSIX
mandate that.
Re: Apache-Test/lib/Apache/TestRun.pm
Posted by Stas Bekman <st...@stason.org>.
So instead of the 'su' trick we could try to traverse the path and check each
directory whether it's rwx by user/group Apache is run with.
It's not enough to check that the dir is rwx by user or all; we also need to
check whether 'nobody' is in the group which is rwx. As we may have:

    drwx------ nobody   whatever /foo # explicit group match
    drwxrwx--- whatever nobody   /foo # explicit group match
    drwxrwx--- whatever web      /foo # is nobody in the group 'web'
    drwxrwxrwx whatever whatever /foo # always good

Also we may have to deal with filesystems supporting .acl, where the above
logic won't apply. Therefore I came up with a very trivial test not relying on
any external apps (and hopefully this time portable) and filesystem perms specs:

    perl -e 'require POSIX; POSIX::setuid(65534); POSIX::setgid(65534); \
    print -r q{/tmp} && -w _ && -x _ ? q{OK} : q{NOK}; '
Please let me know if you have any problems with it. I've committed this
solution, so you can try with the current cvs.
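The check described in the message above (switch to the target account, then test the directory), written out as an added example that is not part of the original post or of Apache-Test's code. It resolves the account by name instead of a fixed UID, sets the group IDs before the user ID because they cannot be changed once root has been given up, and uses the filetest 'access' pragma so that ACLs are consulted rather than only the mode bits. The function name dir_rwx_for_user is an assumption; 'nobody' and '/tmp' are the sample values from the thread.

```perl
#!/usr/bin/perl
# Added example (not Apache-Test code): test whether a named account can
# read, write and enter a directory, from a child that switched to it.
use strict;
use warnings;
use POSIX ();

# Returns 1 if $dir is rwx for $user, 0 if not. Dies when the account is
# unknown or the IDs cannot be switched (that needs root).
sub dir_rwx_for_user {
    my ($user, $dir) = @_;

    # Resolve the account by name; its UID is not the same everywhere.
    my ($uid, $gid) = (getpwnam($user))[2, 3];
    die "unknown user '$user'\n" unless defined $uid;

    # Supplementary groups, so that access granted through a group counts.
    my %groups = ($gid => 1);
    while (my (undef, undef, $g, $members) = getgrent()) {
        $groups{$g} = 1 if grep { $_ eq $user } split ' ', $members;
    }
    endgrent();

    my $pid = fork();
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        # Child: groups first, UID last; after root is given up the
        # group IDs can no longer be changed.
        $) = join ' ', $gid, sort { $a <=> $b } keys %groups;
        POSIX::setgid($gid);
        POSIX::setuid($uid);
        POSIX::_exit(2) unless POSIX::getuid() == $uid
            && POSIX::geteuid() == $uid && POSIX::getegid() == $gid;
        # Ask the OS (access(2) family) so ACLs count, not only mode bits.
        # The cached '_' handle is not usable under this pragma.
        use filetest 'access';
        my $ok = (-r $dir) && (-w $dir) && (-x $dir);
        POSIX::_exit($ok ? 0 : 1);
    }
    waitpid($pid, 0);
    die "check for '$user' was killed by a signal\n" if $? & 127;
    my $status = $? >> 8;
    die "cannot switch to '$user' (not root?)\n" if $status == 2;
    return $status == 0 ? 1 : 0;
}

# Sample values taken from the thread; pass others on the command line.
my ($user, $dir) = @ARGV == 2 ? @ARGV : ('nobody', '/tmp');
print dir_rwx_for_user($user, $dir) ? "OK\n" : "NOK\n";
```

Because the switch happens in a forked child, the calling process keeps its own IDs and can repeat the check for other accounts or directories.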