From owner-freebsd-questions Thu Sep 5 05:46:11 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id FAA12075 for questions-outgoing; Thu, 5 Sep 1996 05:46:11 -0700 (PDT)
Received: from garion.hq.ferg.com (pm1-01.wmbg.widomaker.com [204.17.220.101]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id FAA12062 for ; Thu, 5 Sep 1996 05:46:08 -0700 (PDT)
Received: from garion.hq.ferg.com (localhost.hq.ferg.com [127.0.0.1]) by garion.hq.ferg.com (8.7.5/8.6.12) with SMTP id IAA10734; Thu, 5 Sep 1996 08:45:56 -0400 (EDT)
Date: Thu, 5 Sep 1996 08:45:54 -0400 (EDT)
From: Branson Matheson
X-Sender: branson@garion.hq.ferg.com
To: Paul Walsh
cc: questions@freebsd.org
Subject: Re: suidperl from httpd not working
In-Reply-To: <322EC149.F3D@nation-net.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 5 Sep 1996, Paul Walsh wrote:

> Is there any way an httpd user (nobody) can run a setuid perl script through
> cgi? Does it have to be a 'real' user?

This is a bad idea security-wise. It would be much better if you were to
create a separate user/httpd pair and run it like that. For instance, I am
using a DNS Perl program that handles my DNS maps for me. It has a web
interface, so I create a user called nsadmin and a group nsadmin. I make all
the relevant files owned by that pair and run httpd as that user. For things
that have to be done as root (named.restart), I use a cronjob that checks to
see if a .reboot file exists.

-branson

=============================================================================
Branson Matheson      | Ferguson Enterprises  | If Pete and Repeat were
System Administrator  | W: (804) 874-7795     | sittin on a fence and Pete
Unix, Perl, WWW       | branson@widomaker.com | fell off, who is left?
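
The root-side cron check described in the reply above, sketched as an added example that is not part of the original message or the poster's own script. The flag path, the script name, the RESTART_CMD override and the function names are assumptions; nsadmin, named.restart and the .reboot flag come from the message.

```shell
#!/bin/sh
# Root-side half of the flag-file pattern; run from root's crontab, e.g.
#   */5 * * * * /usr/local/sbin/check-restart.sh
# Assumed, not from the original message: the flag path, this script's
# name, and the RESTART_CMD override (present so the logic can be tested).
FLAG="${FLAG:-/var/named/.reboot}"          # hypothetical flag location
OWNER="${OWNER:-nsadmin}"                   # user the web interface runs as
RESTART_CMD="${RESTART_CMD:-named.restart}" # fixed command, never built from input

# Succeed only if the flag is a regular file owned by the expected user.
# find does not follow symlinks by default, so a link planted at the flag
# path fails the -type f test.
flag_is_valid() {
    [ -n "$(find "$1" -prune -type f -user "$2" 2>/dev/null)" ]
}

# Consume the flag and decide whether to restart. The flag's contents are
# never read: its existence is the only input the unprivileged side controls,
# so the most a compromised web user can do is request a restart.
# Returns 0 = restarted, 1 = nothing to do, 2 = unexpected object removed,
#         3 = restart command failed.
process_flag() {
    flag=$1 owner=$2
    # Neither a file nor a dangling symlink at the path: nothing to do.
    [ -e "$flag" ] || [ -L "$flag" ] || return 1
    if flag_is_valid "$flag" "$owner"; then
        rm -f -- "$flag"        # remove first: one request, one restart
        "$RESTART_CMD" || return 3
        return 0
    fi
    echo "check-restart: ignoring unexpected object at $flag" >&2
    rm -f -- "$flag" 2>/dev/null || :   # unlinks a symlink, not its target
    return 2
}

# Act only when executed under the cron script's name, not when sourced.
case "${0##*/}" in
    check-restart.sh) process_flag "$FLAG" "$OWNER" ;;
esac
```
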