Posted to modperl@perl.apache.org by James G Smith <JG...@TAMU.Edu> on 2002/03/25 22:17:06 UTC

Re: Permission conflict between mod_cgi and mod_perl

merlyn@stonehenge.com (Randal L. Schwartz) wrote:
>>>>>> "Jim" == Jim Smith <jg...@moya.tamu.edu> writes:
>
>Jim> Basically, mod_perl can run scripts in the same manner as any other
>Jim> unix program.
>
>Maybe we're getting hung up on details, but "mod_perl" is not a "unix
>program".  It's a module for Apache.  Therefore, "in the same manner"
>is no longer applicable.
>
>mod_cgi forks to run processes.
>
>mod_perl doesn't fork.
>
>mod_perl can run Perl code via the embedded Perl interpreter, and this
>interpreter can cause a fork.  But mod_perl doesn't inherently fork at
>all.
>
>And the distinction is important, especially in the context of
>this discussion (setuid with "mod_perl").

And the sky isn't blue, but the results are the same.

mod_perl can't run scripts.

Scripts can be run from mod_perl.

More than that, set-uid scripts can be run from mod_perl and offer
one of the better ways of doing things that require root privileges.
-- 
James Smith <JG...@TAMU.Edu>, 979-862-3725
Texas A&M CIS Operating Systems Group, Unix

Re: Permission conflict between mod_cgi and mod_perl

Posted by Ilya Martynov <il...@martynov.org>.
>>>>> On Mon, 25 Mar 2002 15:17:06 -0600, James G Smith <JG...@TAMU.Edu> said:

JS> And the sky isn't blue, but the results are the same.

JS> mod_perl can't run scripts.

JS> Scripts can be run from mod_perl.

JS> More than that, set-uid scripts can be run from mod_perl and offer
JS> one of the better ways of doing things that require root privileges.

The results are not the same. Basically, Apache::Registry (the handler
used with mod_perl to emulate execution of scripts) just opens the file
which contains the script, evals it as one big subroutine and calls that
subroutine. Opening and reading a set-uid file which contains a script
doesn't automagically give root rights to the instance of the Apache
process which handles the request.

-- 
o    Ilya Martynov => http://martynov.org/    o
o    TIV.net       => http://tiv.net/         o
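
The behaviour described in the message above, as an added example that is not part of the original thread and is not Apache::Registry's own code: a simplified sketch of "open the file, eval it as a subroutine, call it", run against a constructed script whose set-uid bit is set. The helper name run_like_registry and the sample script are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration: in-process evaluation of a script file never consults
# the file's mode bits, so a set-uid bit cannot change the effective UID.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed sample script: it simply reports the effective UID it runs under.
my ($fh, $path) = tempfile('registry_demo_XXXX', SUFFIX => '.pl',
                           TMPDIR => 1, UNLINK => 1);
print {$fh} 'return $>;' . "\n";
close $fh or die "close: $!";

# Mark the file set-uid, like the scripts discussed in the thread.
chmod 04755, $path or die "chmod: $!";

# Hypothetical helper mimicking the described behaviour: read the file,
# wrap its text in an anonymous subroutine, compile it with eval, call it.
sub run_like_registry {
    my ($file) = @_;
    open my $in, '<', $file or die "open $file: $!";
    my $code = do { local $/; <$in> };    # slurp the whole script
    close $in;
    my $sub = eval "sub { $code }" or die "compile failed: $@";
    return $sub->();                      # runs inside this very process
}

my $mode        = (stat $path)[2] & 07777;
my $euid_before = $>;
my $euid_inside = run_like_registry($path);

printf "file mode:            %04o (set-uid bit %s)\n",
       $mode, ($mode & 04000 ? 'set' : 'clear');
printf "euid of this process: %d\n", $euid_before;
printf "euid inside the code: %d\n", $euid_inside;
print  $euid_inside == $euid_before
     ? "unchanged: the set-uid bit played no part\n"
     : "changed\n";
```

The kernel applies a set-uid bit only when a file is passed to exec; reading a file's contents into an already running process is an ordinary read, so the code inherits whatever UID the server child already has.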

Re: Permission conflict between mod_cgi and mod_perl

Posted by Robert Landrum <rl...@capitoladvantage.com>.
At 3:17 PM -0600 3/25/02, James G Smith wrote:
>
>And the sky isn't blue, but the results are the same.
>
>mod_perl can't run scripts.
>
>Scripts can be run from mod_perl.
>
>More than that, set-uid scripts can be run from mod_perl and offer
>one of the better ways of doing things that require root privileges.

Oh how I hate to interrupt a good flame war, especially one that
Randal is involved in, but wouldn't it be possible to run apache
(with mod_perl) as set-uid but listening only on 127.0.0.1:81?  They
just establish a proxy connection to the backend setuid apache?

Rob


--
When I used a Mac, they laughed because I had no command prompt. When 
I used Linux, they laughed because I had no GUI.