Date: Thu, 14 Nov 2002 10:02:04 -0500 From: Anthony Schneider <anthony@x-anthony.com> To: Eric Anderson <anderson@centtech.com> Cc: Kirk Bailey <idiot1@netzero.net>, "security@FreeBSD.ORG" <security@FreeBSD.ORG> Subject: Re: list scripts, permissions, and ownerships. Message-ID: <20021114150204.GA20990@x-anthony.com> In-Reply-To: <3DD3A5E7.8020908@centtech.com> References: <Pine.LNX.4.44.0211140848220.9334-100000@serendipity.ksemat.co.ug> <3DD33DA6.55DB03A@netzero.net> <3DD3A5E7.8020908@centtech.com>
next in thread | previous in thread | raw e-mail | index | archive | help
suexec executes cgi scripts as the owning user. the idea (very briefly) is to get around mutual "nobody" ownership of files and such. as for the original question, from "scripts" there are many ways to get your uid. system commands: whoami, id bash/zsh: echo $UID csh/tcsh (not so certain about csh...): echo $uid perl: print $< . "\n"; i'm sure that python, tcl, ruby and others have methods along the lines of a getuid() call. i believe in python you can import OS and getuid(). something to keep in consideration is the existence of the effective uid, which can generally be reached by similar methods, like geteuid(), or echo $EUID. -Anthony. On Thu, Nov 14, 2002 at 07:32:23AM -0600, Eric Anderson wrote: > Kirk Bailey wrote: > >oops. I quote: > > > > 7.Is the target user NOT superuser? > > > > Presently, suEXEC does not allow 'root' to execute CGI/SSI > > programs. > > > >Alas, the file appears to be owned by root. Now what? > > > I'm assuming by "owned by root" you mean setuid bit is on and the > ownership is root? Just making a file owned by root doesn't make it run > as root. If you DID have the setuid bit on, and it IS root owned, you > are in dangerous waters. It's not really a great idea to have suid root > programs running from a web site - all it takes is for you to miss one > thing and the "evil hacker" has root access on your box, instead of just > access as "nobody". > > The nobody user should be able to read the aliases file just fine with > no extra permissions. > > Eric > > > -- > ------------------------------------------------------------------ > Eric Anderson Systems Administrator Centaur Technology > Beware the fury of a patient man. > ------------------------------------------------------------------ > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021114150204.GA20990>