Posted to test-dev@httpd.apache.org by Stas Bekman <st...@stason.org> on 2003/10/25 10:19:33 UTC

Re: Apache-Test/lib/Apache/TestRun.pm

Joe Ratterman wrote:
> Sorry about this rather informal email, but I was having an issue with a
> patch to mod_perl that appears to have been submitted/committed by you.

But please post any question re: Apache-Test to the test-dev list. Thank you.

> It modified the file Apache-Test/lib/Apache/TestRun.pm to use 'su'
> instead of 'sudo'.
> 
> My version of 'su' (slackware 9.0 Linux) does not appear to like the
> '-m' flag for su, nor does the man page list any such flag.  The
> alteration works fine if the 'm' is removed (leaving the '-').
> 
> I am suggesting the change; if I am wrong or you need a different
> format, please let me know.

Sorry about that, Joe. I thought it was portable.

Does anybody know a portable way to su to a different user and check whether a
given dir is rwx by that user? The only alternative solution I can think of is
to traverse the whole path and check the perms on each directory, which
involves checking whether the user belongs to the group the dirs are
permitted to rwx. Can that be made portable?

> % cvs diff ./Apache-Test/lib/Apache/TestRun.pm                      
> Index: ./Apache-Test/lib/Apache/TestRun.pm
> ===================================================================
> RCS file:
> /home/cvspublic/httpd-test/perl-framework/Apache-Test/lib/Apache/TestRun.pm,v
> retrieving revision 1.119
> diff -r1.119 TestRun.pm
> 803c803
> <     my $check = qq[su -m $user -c '$perl -e ] .
> ---
> 
>>    my $check = qq[su - $user -c '$perl -e ] .
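
Review bot: on line 803, 'su - $user' is not a neutral replacement for the flag it removes: a bare '-' asks su for a login shell, so the check runs with the target account's login environment and home directory and depends on that account having a usable login shell. Consider dropping the flag altogether ('su $user -c ...') or adding a comment saying why a login shell is wanted. Separately, $user and $perl are interpolated into the shell string without quoting, so a value containing whitespace or a quote character would break the command; validate or quote them before building $check.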

I'm quite sure that it won't work on some other platform/distro :(

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com


Re: Apache-Test/lib/Apache/TestRun.pm

Posted by Stas Bekman <st...@stason.org>.
Vivek Khera wrote:
>>>>>>"SB" == Stas Bekman <st...@stason.org> writes:
> 
> 
> SB> perl -e 'require POSIX; POSIX::setuid(65534); POSIX::setgid(65534); \
> SB>           print -r q{/tmp} &&  -w _ && -x _ ? q{OK} : q{NOK}; '
> 
> 
> Since when is user nobody hardwired to UID 65534?  I never saw POSIX
> mandate that.

It's not hardwired. It's what happened to run on my machine. It's just a
printout of the command that was run.

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com


Re: Apache-Test/lib/Apache/TestRun.pm

Posted by Vivek Khera <kh...@kcilink.com>.
>>>>> "SB" == Stas Bekman <st...@stason.org> writes:

SB> perl -e 'require POSIX; POSIX::setuid(65534); POSIX::setgid(65534); \
SB>           print -r q{/tmp} &&  -w _ && -x _ ? q{OK} : q{NOK}; '


Since when is user nobody hardwired to UID 65534?  I never saw POSIX
mandate that.


Re: Apache-Test/lib/Apache/TestRun.pm

Posted by Stas Bekman <st...@stason.org>.
So instead of the 'su' trick we could try to traverse the path and check
whether each directory is rwx by the user/group Apache is run with.

It's not enough to check that the dir is rwx by user or all; we also need to
check whether 'nobody' is in the group which is rwx, as we may have:

drwx------ nobody   whatever /foo # explicit group match
drwxrwx--- whatever nobody   /foo # explicit group match
drwxrwx--- whatever web      /foo # is nobody in the group 'web'
drwxrwxrwx whatever whatever /foo # always good

Also we may have to deal with filesystems supporting .acl, where the above
logic won't apply. Therefore I came up with a very trivial test not relying on
any external apps (and hopefully this time portable) or filesystem perms specs:

perl -e 'require POSIX; POSIX::setuid(65534); POSIX::setgid(65534); \
          print -r q{/tmp} &&  -w _ && -x _ ? q{OK} : q{NOK}; '

Please let me know if you have any problems with it. I've committed this 
solution, so you can try with the current cvs.

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
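
The privilege-dropping check from the message above, written out as an added example (not the Apache-Test code and not the author's): it resolves the account by name instead of by a numeric id, loads the account's supplementary groups, and sets the gid before the uid, because a process that has already given up root can no longer change its groups. The filetest 'access' pragma, the dir_rwx_as helper name and the 'nobody' and '/tmp' defaults are choices made for this example.

```perl
#!/usr/bin/perl
# Added example (not Apache-Test code). Must be started as root.
use strict;
use warnings;
use POSIX ();
use filetest 'access';   # ask the OS via access(2) instead of reading mode bits

# Returns 1 if $dir is rwx for $user, 0 if not, undef if the check could not run.
sub dir_rwx_as {
    my ($user, $dir) = @_;

    # Resolve the account by name; numeric ids differ between systems.
    my ($uid, $gid) = (getpwnam($user))[2, 3];
    return undef unless defined $uid;

    # Collect supplementary groups, e.g. 'nobody' listed as a member of 'web'.
    my %gids = ($gid => 1);
    while (my (undef, undef, $g, $members) = getgrent()) {
        $gids{$g} = 1 if grep { $_ eq $user } split ' ', $members;
    }
    endgrent();

    defined(my $pid = fork()) or return undef;
    if ($pid == 0) {
        # Child: set groups and gid first, uid last. Once setuid() has
        # succeeded the process is no longer allowed to change its groups.
        $) = join ' ', $gid, sort keys %gids;   # setegid() + setgroups()
        POSIX::setgid($gid) or POSIX::_exit(2);
        POSIX::setuid($uid) or POSIX::_exit(2);

        # Confirm the drop really happened before trusting the file tests.
        POSIX::_exit(2) unless POSIX::getuid() == $uid && POSIX::geteuid() == $uid
                            && POSIX::getgid() == $gid && POSIX::getegid() == $gid;

        # No "_" shortcut here: filetest 'access' does not cache the stat.
        POSIX::_exit(-r $dir && -w $dir && -x $dir ? 0 : 1);
    }
    waitpid($pid, 0) == $pid or return undef;
    return undef if $? & 127;             # child was killed by a signal
    my $status = $? >> 8;
    return $status == 0 ? 1 : $status == 1 ? 0 : undef;
}

my $user = $ARGV[0] // 'nobody';          # example default
my $dir  = $ARGV[1] // '/tmp';            # example default
my $ok   = dir_rwx_as($user, $dir);
print defined $ok ? ($ok ? "OK\n" : "NOK\n") : "check could not run\n";
```

Running the test in a forked child keeps the calling process privileged, and the distinct exit status 2 separates "could not drop privileges" from a genuine NOK.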