> >    Inside the script, for Unixes, we perform an su -u $user -c
> 
> Isn't that 'install and run as a given user', which I thought you said you
> didn't want to do ?

No. That's install as root, start as root, and as root when Su'ing to a given user 
with less than root privs. This means that when you execute the script the command 
syntax is:

Root: execute script
Root: run command su $RUNTIME_USER -s /bin/sh -c "COMMAND"

After that, the process is started as $RUNTIME_USER and root "exits" because we used 
nohup to fork off as a daemon.

However...

Solaris *DOES NOT* support "-s /bin/sh" when running su. Therefore, the command 
executed looks like:

su $RUNTIME_USER -c "COMMAND"

Therefore, the user needs a shell. 

The difference between this, and the JRun scenario is that I would need to login and 
install JRun as the NOBODY user, and start it manually as NOBODY. I don't get a script 
that attempts to bypass it.

> Uh huh, and so it must run with the priv's of the Jrun user, which should
> have as little permissions as possible ? Why does Jrun require a shell is
> the next question I guess...

.. See above. 

> It is. The correct method is to start as a privileged user, bind to port 80
> (or whatever), then drop priv's and fork 'nobody' children. This is how sshd
> works, for instance.
> If Jrun does not behave like this, and so coldfusion does not behave like
> this, then fine, we should go shout at the Jrun people :-)
> 

Yeah, SSHD, Apache, everyone else is also written in C++ and run SUID. Re-read my 
previous posts on why this was not an option. 


> Which sounds like a sane plan. It's just some people have got this very
> tight requirement.
> I suppose they could just create an account that was functionally equivalent
> to not having an account, demonstrate that, and use that account maybe ?

Yes, they have a tight requirement. I am examining the situation.

> (to all) What about using sudo instead ?
> We're only running MX on an IIS test bed, atm, otherwise I'd go and thrash
> it myself :-)

SUDO has the same problem. We can't have the script prompt for a password, and the 
command STILL needs a valid target shell to run.

You *NEED* a shell to run a command. <----

-Jesse Noller
Macromedia
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
This list and all House of Fusion resources hosted by CFHosting.com. The place for 
dependable ColdFusion Hosting.
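Added example, not code from the thread or from Macromedia: a POSIX sh sketch of the root-to-runtime-user launch the post describes, with the Solaris caveat handled by checking that the runtime user actually has a usable login shell before relying on a plain `su -c`. The user names, the passwd entries and the `has_s` flag are constructed for the example.

```shell
#!/bin/sh
# Drop from root to a less-privileged runtime user before starting a daemon.
# Where su lacks "-s /bin/sh" (Solaris, per the post), "su USER -c CMD" runs
# the command through the user's own login shell, so /bin/false or nologin
# accounts cannot be used. Names below are constructed for this example.

# Returns 1 for shells that refuse to run commands.
is_login_shell() {
    case "$1" in
        ''|*/false|*/nologin|*/true) return 1 ;;
        *) return 0 ;;
    esac
}

# Read passwd-format text from stdin and print the login shell (field 7)
# of the named user; exit 1 if the user is absent. Offline-friendly.
shell_for_user() {
    awk -F: -v u="$1" '$1 == u { print $7; found=1 } END { exit !found }'
}

# Build the command root would run. $3 is "yes" when su supports -s.
build_su_cmd() {
    user=$1; cmd=$2; has_s=$3
    if [ "$has_s" = yes ]; then
        echo "nohup su $user -s /bin/sh -c \"$cmd\" &"
    else
        echo "nohup su $user -c \"$cmd\" &"
    fi
}

# Pre-flight check: with -s any account works; without it the runtime user
# must have a real shell, otherwise the launch silently does nothing.
can_launch() {
    user=$1; has_s=$2; passwd=$3
    [ "$has_s" = yes ] && return 0
    sh=$(printf '%s\n' "$passwd" | shell_for_user "$user") || return 1
    is_login_shell "$sh"
}

# Constructed sample passwd entries (not from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/:/bin/false
cfmx:x:501:501:ColdFusion runtime:/opt/cfmx:/bin/sh'
```

Running `can_launch nobody no "$SAMPLE_PASSWD"` fails, which is exactly the Solaris case the post hits: a shell-less account cannot be the target of `su -c`.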