Date: Thu, 2 Apr 1998 13:53:56 -0600
From: dannyman
To: chas, freebsd-questions@FreeBSD.ORG
Subject: Re: How can CGI script execute root commands or edit root-owned files ?
Message-ID: <19980402135356.22606@arh0300.urh.uiuc.edu>
In-Reply-To: <3.0.32.19980403023610.009a1ad0@peace.com.my>; from chas on Fri, Apr 03, 1998 at 02:13:51AM +0800
References: <3.0.32.19980403023610.009a1ad0@peace.com.my>

On Fri, Apr 03, 1998 at 02:13:51AM +0800, chas wrote:
> Since a CGI script is executed with Nobody's (the web
> server's) privileges, how can it run Administrator
> commands like useradd ?
>
> One suggestion I've had was running the webserver
> as root but this seems to be considered
> not a good thing by and large. I was just looking
> at updating user records and DNS records in such
> a manner.

There is a "SetUID" patch you can apply to Apache separately which will
execute CGIs under their author's ownership, assuming certain security
restrictions are met.

If you want to call a suid program from your CGI, using your CGI programme as
something of a security wrapper, I think that might work nicely too, though
I've never tried this.

-dan

-- 
//       dannyman yori aiokomete        ||  Our Honored Symbol deserves
\\/ http://www.dannyland.org/~dannyman/ ||  an Honorable Retirement (UIUC)