You are viewing a plain text version of this content. The canonical link for it is here.

Posted to modperl@perl.apache.org by Joe Bifano <bi...@msn.com> on 2002/01/21 20:26:39 UTC

Cgi permission Questions

Hi all,

My first time on the list.  I have been looking at the archives but am not
able to find anything on this.

I have 3 web servers, 1 development/nfs server and 2 database mysql servers
in a cluster server farm.  All sites are owned by our company so nobody will
be on the system except for me.  It is behind a firewall and a load-balancer
so it is pretty secure.

I have several domains set up on the site called test.company.com,
demo.company.com, stage.company.com and company.com.  company.com is only on
the 3 web servers and all the rest is on the development server.

I have 2 employees that will be setting up a couple of things using a cgi
script called create.pl on test.company.com.  When this script is run it has
to create new test companies or demo companies.

Here is the problem:  create.pl is owned by test and group test and has file
permissions 755.  When the create.pl script is run it becomes owner apache
and group apache and has to create new files and directories on the machine.
All of the new files and directories  then become owner apache and group
apace.  I need them to stay as owner test and group test.

I have used SuExec before and know that it will call create.pl and then
become owner test rather than owner apache but would like to know if there
was a different way to do this.  The main reason for me not wanting to use
SuExec is because I want to learn and implement mod_perl and HTML::MASON for
this site down the road.

Thanks for you reply's in advance.

Joe

Re: Cgi permission Questions

Posted by oscar <os...@fondos.net>.

----- Original Message -----
From: "Joe Bifano" <bi...@msn.com>
To: <mo...@apache.org>
Sent: Monday, January 21, 2002 8:26 PM
Subject: Cgi permission Questions


> Hi all,
>
> My first time on the list.  I have been looking at the archives but am not
> able to find anything on this.
>
> I have 3 web servers, 1 development/nfs server and 2 database mysql
servers
> in a cluster server farm.  All sites are owned by our company so nobody
will
> be on the system except for me.  It is behind a firewall and a
load-balancer
> so it is pretty secure.
>
> I have several domains set up on the site called test.company.com,
> demo.company.com, stage.company.com and company.com.  company.com is only
on
> the 3 web servers and all the rest is on the development server.
>
> I have 2 employees that will be setting up a couple of things using a cgi
> script called create.pl on test.company.com.  When this script is run it
has
> to create new test companies or demo companies.
>
> Here is the problem:  create.pl is owned by test and group test and has
file
> permissions 755.  When the create.pl script is run it becomes owner apache
> and group apache and has to create new files and directories on the
machine.
> All of the new files and directories  then become owner apache and group
> apace.  I need them to stay as owner test and group test.


Ummm I'm not completly sure, but if you activate the suid on create.pl, then
create.pl will be executed as test and not as apache. And I think all files
create.pl creates, also will own test:test
chmod u+s create.pl
that command will give create.pl the suid.



>
> I have used SuExec before and know that it will call create.pl and then
> become owner test rather than owner apache but would like to know if there
> was a different way to do this.  The main reason for me not wanting to use
> SuExec is because I want to learn and implement mod_perl and HTML::MASON
for
> this site down the road.
>
> Thanks for you reply's in advance.
>
> Joe
>
>

Re: Cgi permission Questions

Posted by Perrin Harkins <pe...@elem.com>.

> Here is the problem:  create.pl is owned by test and group test and
has file
> permissions 755.  When the create.pl script is run it becomes owner
apache
> and group apache and has to create new files and directories on the
machine.
> All of the new files and directories  then become owner apache and
group
> apace.  I need them to stay as owner test and group test.

There is some information on SuExec in the guide:
http://thingy.kcilink.com/modperlguide/install/Is_it_possible_to_run_mod
_perl_e.html

One possible solution for this with mod_perl is to run a separate server
that just handles this script, and start that server as the proper user.

- Perrin

Re: [OT] Cgi permission Questions

Posted by Robert Landrum <rl...@capitoladvantage.com>.

At 12:26 PM -0700 1/21/02, Joe Bifano wrote:
>Hi all,
>
>My first time on the list.  I have been looking at the archives but am not
>able to find anything on this.
>
>I have 3 web servers, 1 development/nfs server and 2 database mysql servers
>in a cluster server farm.  All sites are owned by our company so nobody will
>be on the system except for me.  It is behind a firewall and a load-balancer
>so it is pretty secure.
>
>I have several domains set up on the site called test.company.com,
>demo.company.com, stage.company.com and company.com.  company.com is only on
>the 3 web servers and all the rest is on the development server.
>
>I have 2 employees that will be setting up a couple of things using a cgi
>script called create.pl on test.company.com.  When this script is run it has
>to create new test companies or demo companies.
>
>Here is the problem:  create.pl is owned by test and group test and has file
>permissions 755.  When the create.pl script is run it becomes owner apache
>and group apache and has to create new files and directories on the machine.
>All of the new files and directories  then become owner apache and group
>apace.  I need them to stay as owner test and group test.


This is a little bit offtopic, since it about permissions and not 
really about mod_perl, but here goes:

You want to use the build-in perl function chown.

chown((getpwname('test'))[2,3],@files_to_chown);

You should not have to suexec if the files you're attempting to chown 
are owned by apache/apache.

Rob


--
When I used a Mac, they laughed because I had no command prompt. When 
I used Linux, they laughed because I had no GUI.

Re: Cgi permission Questions

Posted by Joe Bifano <bi...@msn.com>.

Stephen,

I know that this is for perl and mod_perl BUT in my question if you looked I
specificaly said that we want to upgrade and impleiment our site to mod_perl
using HTML::MASON.  With saying that , I wanted to make sure that if I made
some changes to my Apache setup now , I want to make sure that it will work
using our new mod_perl setup in the future.  I am pretty sure that you can
not use SuExec with mod_perl so I wanted to find out from all the good
mod_perl programmers out there before hand.  Who wants to set up a server
with SuExec and then set up one with mod_perl and have to change all kinds
of permission problems.  It's hard enought to change all the scripts to
mod_perl anyway.  If this has no relavence then you did not read my email or
understand it.
----- Original Message -----
From: "Stephen Reppucci" <sg...@logsoft.com>
To: "Joe Bifano" <bi...@msn.com>
Cc: <mo...@apache.org>
Sent: Monday, January 21, 2002 4:11 PM
Subject: Re: Cgi permission Questions


>
> On Mon, 21 Jan 2002, Joe Bifano wrote:
>
> > Hi all,
> >
> > My first time on the list.  I have been looking at the archives but am
not
> > able to find anything on this.
>
> Exactly.  Because this list is about perl, specifically mod_perl,
> while your question is about Apache, and its configuration.
>
> Please don't ask questions here which have no relevance.  There are
> other lists that discuss these issues.
>
> Please visit http://www.apache.org/httpd/, where there is a wealth
> of great documentation put together through the effort of volunteers
> to answer exactly this question.
>
> --
> Steve Reppucci                                       sgr@logsoft.com |
> Logical Choice Software                          http://logsoft.com/ |
> =-=-=-=-=-=-=-=-=-=-  My God!  What have I done?  -=-=-=-=-=-=-=-=-=-=
>
>

Re: Cgi permission Questions

Posted by Stephen Reppucci <sg...@logsoft.com>.

On Mon, 21 Jan 2002, Joe Bifano wrote:

> Hi all,
>
> My first time on the list.  I have been looking at the archives but am not
> able to find anything on this.

Exactly.  Because this list is about perl, specifically mod_perl,
while your question is about Apache, and its configuration.

Please don't ask questions here which have no relevance.  There are
other lists that discuss these issues.

Please visit http://www.apache.org/httpd/, where there is a wealth
of great documentation put together through the effort of volunteers
to answer exactly this question.

-- 
Steve Reppucci                                       sgr@logsoft.com |
Logical Choice Software                          http://logsoft.com/ |
=-=-=-=-=-=-=-=-=-=-  My God!  What have I done?  -=-=-=-=-=-=-=-=-=-=