Hi Joseph -

> -----Original Message-----
> From: R. Joseph Newton [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 20, 2003 8:08 PM
> To: Beau E. Cox
> Cc: 'Beginners
> Subject: Re: 'Becoming' another user
>
>
> "Beau E. Cox" wrote:
>
> > Hi -
> >
> > I have a script (simple server) that can be used by
> > others remote to me. For security I would like to
> > 'become' (assume the permissions) of a specified,
> > under-privileged user before listening to the
> > outside world - much like Apache 'becomes' the
> > user/group specified in the http.conf file.
> >
> > I admit, I'm lost... CPAN 'user' modules seem to
> > concentrate on looking at/manipulating users,
> > not changing into one.
> >
> > I would like to do this in a 'portable' way,
> > (nix and Win32).
> >
> > Before I delve into the Apache source, is there
> > somewhere else to look?
> >
> > Aloha => Beau;
>
> Hi Beau,
>
> Is this CGI? If so, you should definitely not have to
> artificially reduce privileges. Web clients generally are
> treated as the world or Everyone object, with lowest privileges.
> Your script itself should have the level of privileges which its
> group is entitled to. For instance, if I have a private folder
> adjacent to my web folder, the material therein will not be
> available to the web user directly. But my script will be able
> to access it and mediate any changes made in response to user input.

No - not CGI - it's an HTTP server...

>
> Somehow, it seems to me that this leaves it to the application to
> determine which options to offer any given user. For that
> purpose, you would probably want to use the admin software.
>
> As for providing elevated privileges for logged-in users, I know
> that NT systems do have a Run As... feature, so there should be a
> Perl interface to that out there.
>
> Joseph
>

I have almost got a handle on my problem. I have been
testing my little server by just executing it in a
cmd.exe box (Win32) or xterm (Linux). I can play with
UID, setuid, etc. in Linux to lower privileges during
the test. But on Win32, it looks like I must _always_
run it as a service using "Run As..." to lower privileges.
So what I've come up with is logic to refuse all non-local
connections unless running as a service; that allows me
to debug, etc. from a command prompt during development
w/o worrying about Joe Hacker...

Sometimes I wish we lived in a kinder, gentler world,
where we could be online to the world without worrying
about, err..., everything...

Aloha => Beau;
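
Added example, not part of the original thread: the Unix half of what is discussed above, binding the listening socket first and then permanently becoming an unprivileged user, with loopback-only listening standing in for the "refuse non-local connections" rule when no drop is possible. The account name `nobody`, port 8080 and the helper `drop_privileges` are assumptions; Win32 service detection is not shown.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();
use IO::Socket::INET;

my $RUN_AS = 'nobody';   # assumption: an existing unprivileged account
my $PORT   = 8080;       # assumption: arbitrary unprivileged test port

# Hypothetical helper: permanently become $user. Groups and GID must be
# changed while still root; the UID goes last.
sub drop_privileges {
    my ($user) = @_;
    my (undef, undef, $uid, $gid) = getpwnam($user)
        or die "unknown user '$user'\n";
    die "refusing to 'drop' to uid/gid 0\n" if $uid == 0 || $gid == 0;

    $) = "$gid $gid";    # effective GID, and setgroups() down to $gid only
    POSIX::setgid($gid) or die "setgid($gid): $!\n";
    POSIX::setuid($uid) or die "setuid($uid): $!\n";

    # Verify the result instead of trusting the calls above.
    my @groups = split ' ', $);
    die "group drop incomplete\n"
        if POSIX::getgid() != $gid || grep { $_ != $gid } @groups;
    die "user drop incomplete\n"
        if POSIX::getuid() != $uid || POSIX::geteuid() != $uid;
    # If setuid(0) succeeds, the saved UID was kept and the drop is reversible.
    die "root can be regained\n" if POSIX::setuid(0);
    return 1;
}

# Only root can bind and then drop, so only root faces the network.
# Win32 has no setuid(); in this sketch it always stays on loopback.
my $can_drop = $^O ne 'MSWin32' && $> == 0;
my $bind     = $can_drop ? '0.0.0.0' : '127.0.0.1';

my $listener = IO::Socket::INET->new(
    LocalAddr => $bind, LocalPort => $PORT, Proto => 'tcp',
    Listen    => 5,     ReuseAddr => 1,
) or die "listen on ${bind}:${PORT}: $@\n";

drop_privileges($RUN_AS) if $can_drop;
printf "listening on %s:%d as uid %d\n", $bind, $PORT, $>;
# The accept() loop belongs here, after the drop.
```

Run from an ordinary shell it listens on 127.0.0.1 only; started as root it binds all interfaces and continues as `nobody`.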