From owner-freebsd-questions Fri Sep 6 02:03:05 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id CAA06624 for questions-outgoing; Fri, 6 Sep 1996 02:03:05 -0700 (PDT)
Received: from seabass.progroup.com (catfish.progroup.com [206.24.122.2]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id CAA06617 for ; Fri, 6 Sep 1996 02:02:59 -0700 (PDT)
Received: (from craig@localhost) by seabass.progroup.com (8.7.5/8.6.12) id CAA02213; Fri, 6 Sep 1996 02:03:20 -0700 (PDT)
Message-Id: <199609060903.CAA02213@seabass.progroup.com>
Subject: Re: suidperl from httpd not working
To: paul@nation-net.com (Paul Walsh)
Date: Fri, 6 Sep 1996 02:03:20 -0700 (PDT)
From: "Craig Shaver"
Cc: questions@freebsd.org
Reply-To: questions@freebsd.org
In-Reply-To: <322EC149.F3D@nation-net.com> from "Paul Walsh" at Sep 5, 96 01:02:17 pm
X-Mailer: ELM [version 2.4 PL25 ME8b]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> Is there any way an httpd user (nobody) can run a setuid perl script through
> cgi? Does it have to be a 'real' user.
>
> Cheers, Paul
> --
> paul@nation-net.com Walsh Simmons
> 0161-839 9337 Manchester, UK
>

Yes, I have done it using a wrapper program. Here is a copy of that program
from the vend ver 0.2 shopping cart.
==========================================
/v/unix/inet/http/vend/0.2/vend-0.2/svend.c
==========================================
#define CGIUSER 60001
#define PERL "/u/local/bin/perl"
#define VEND "/u/local/etc/httpd/vend/vend.pl"

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>

#ifdef PATCHED_OUT
#ifdef sun
int sys_nerr;
char* sys_errlist[];
#define NEED_STRERROR
#endif
#endif

#ifdef NEED_STRERROR
/* Fallback for a libc that has no strerror(). */
static char* strerror(int e)
{
    if (e == 0)
        return "System call failed but errno not set";
    else if (e < 1 || e >= sys_nerr)
        return "No description available for this error";
    else
        return sys_errlist[e];
}
#endif

int main(int argc, char** argv)
{
    uid_t euid;
    gid_t egid;
    int r;

    /* Only run when the real uid is the httpd account. */
    if (getuid() != CGIUSER) {
        printf("Content-type: text/plain\n\n");
        printf("SVEND must be run from HTTPD. (Check CGIUSER in svend.c)\n");
        exit(1);
    }

    /* Make the setuid (effective) uid the real uid as well. */
    euid = geteuid();
#if defined BSD
    r = setreuid(euid, euid);
#else
    r = setuid(euid);
#endif
    if (r == -1) {
        printf("Content-type: text/plain\n\n");
        printf("Could not set uid: %s\n", strerror(errno));
        exit(1);
    }

    /* Same for the gid. */
    egid = getegid();
#if defined BSD
    r = setregid(egid, egid);
#else
    r = setgid(egid);
#endif
    if (r == -1) {
        printf("Content-type: text/plain\n\n");
        printf("Could not set gid: %s\n", strerror(errno));
        exit(1);
    }

#if defined DEBUG
    printf("Content-type: text/plain\n\n");
    printf("euid = %d, egid = %d\n", (int)euid, (int)egid);
    exit(1);
#endif

    /* Hand off to the perl script; execl only returns on failure. */
    execl(PERL, PERL, VEND, (char*)0);
    printf("Content-type: text/plain\n\n");
    printf("Could not exec %s: %s\n", PERL, strerror(errno));
    exit(1);
}
==========================================
/v/unix/inet/http/vend/0.2/vend-0.2/svend.c
==========================================
--
Craig Shaver (craig@progroup.com) (415)390-0654
Productivity Group POB 60458 Sunnyvale, CA 94088
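A hardened variant of the same wrapper pattern, added here as an illustration; it is not vend's svend.c and not part of the thread. CGIUSER, PERL and SCRIPT are placeholder values, and the KEEP_VARS list is an assumed whitelist of CGI variables. What it adds over the posted wrapper: the group list and gid are dropped before the uid (while the wrapper still has the privilege to change them), the drop is verified before anything is executed, and the interpreter is started with execve on a freshly built environment instead of whatever httpd inherited. The uid check, environment construction and privilege drop are separate functions so they can be exercised without a privileged install.

```c
/* Hardened setuid CGI wrapper (added example; not vend's svend.c).
 * CGIUSER, PERL, SCRIPT and KEEP_VARS are placeholders/assumptions. */
#define _GNU_SOURCE 1          /* strdup, setgroups, environ on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define CGIUSER 65534                             /* placeholder: uid httpd runs as */
#define PERL    "/usr/bin/perl"                   /* placeholder */
#define SCRIPT  "/usr/local/www/cgi-bin/vend.pl"  /* placeholder */

/* CGI variables the script may see; every other inherited variable is dropped. */
static const char *const KEEP_VARS[] = {
    "REQUEST_METHOD", "QUERY_STRING", "CONTENT_TYPE", "CONTENT_LENGTH",
    "PATH_INFO", "REMOTE_ADDR", NULL
};

/* The wrapper runs only when the real uid is the httpd account. */
int caller_ok(uid_t real_uid, uid_t expected)
{
    return real_uid == expected;
}

void free_env(char **env)
{
    if (env == NULL)
        return;
    for (char **e = env; *e != NULL; e++)
        free(*e);
    free(env);
}

/* Build a fresh environment: a fixed PATH plus whitelisted NAME=value entries
 * copied from `inherited` (NULL-terminated, like environ). Returns a
 * NULL-terminated array to release with free_env(), or NULL on allocation failure. */
char **build_env(char *const *inherited)
{
    size_t cap = 2;                              /* PATH + terminating NULL */
    for (const char *const *k = KEEP_VARS; *k != NULL; k++)
        cap++;
    char **env = calloc(cap, sizeof *env);       /* zeroed: partial fills free cleanly */
    if (env == NULL)
        return NULL;

    size_t n = 0;
    if ((env[n++] = strdup("PATH=/bin:/usr/bin")) == NULL) {
        free_env(env);
        return NULL;
    }
    for (const char *const *k = KEEP_VARS; *k != NULL; k++) {
        size_t klen = strlen(*k);
        for (char *const *e = inherited; e != NULL && *e != NULL; e++) {
            if (strncmp(*e, *k, klen) == 0 && (*e)[klen] == '=') {
                if ((env[n++] = strdup(*e)) == NULL) {
                    free_env(env);
                    return NULL;
                }
                break;                           /* first definition wins */
            }
        }
    }
    env[n] = NULL;
    return env;
}

/* Make the effective ids permanent: supplementary groups and gid first, while
 * the wrapper can still change them, then the uid, then confirm the kernel
 * applied the change. Returns 0 on success, -1 on error. */
int drop_privs(void)
{
    gid_t egid = getegid();
    uid_t euid = geteuid();

    if (geteuid() == 0 && setgroups(1, &egid) == -1)   /* only root may reset the list */
        return -1;
    if (setgid(egid) == -1)
        return -1;
    if (setuid(euid) == -1)
        return -1;
    if (getuid() != euid || geteuid() != euid || getgid() != egid) {
        errno = EPERM;                           /* ids did not change as requested */
        return -1;
    }
    return 0;
}

int main(void)
{
    extern char **environ;

    if (!caller_ok(getuid(), CGIUSER)) {
        printf("Content-type: text/plain\n\n");
        printf("wrapper must be run by httpd (check CGIUSER)\n");
        return 1;
    }
    if (drop_privs() == -1) {
        printf("Content-type: text/plain\n\n");
        printf("could not drop privileges: %s\n", strerror(errno));
        return 1;
    }
    umask(077);                                  /* files the script creates stay private */

    char **env = build_env(environ);
    if (env == NULL) {
        printf("Content-type: text/plain\n\n");
        printf("out of memory\n");
        return 1;
    }
    char *const args[] = { PERL, SCRIPT, NULL };
    execve(PERL, args, env);                     /* only returns on failure */
    printf("Content-type: text/plain\n\n");
    printf("could not exec %s: %s\n", PERL, strerror(errno));
    return 1;
}
```

Run as an unprivileged user, drop_privs() is a no-op that still succeeds, so the three helpers can be checked on a workstation before the binary is installed setuid. build_env() deliberately ignores the inherited PATH, LD_* and similar variables because an interpreter started from a setuid program will honour them.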