Daniel Itaborai wrote:

You can't get suexec to run as root ... read the restrictions
in the Apache documentation ... there are many

Daniel Lemos Itaborai

FreeBSD® Hack <[EMAIL PROTECTED]> wrote:
Tiago Ghisi wrote:



I need to run an application via Apache, and it has to be
executed as superuser. Is there a way to run Apache as
root, or some script (and what would the script be? it could be in PHP, I don't know)
so that the user running Apache becomes superuser?



------------------------------------------------------------------------

_______________________________________________________________
To send a new email to the list: freebsd@fug.com.br
Leave the list: http://mail.fug.com.br/mailman/listinfo/freebsd_fug.com.br
Archive: http://www4.fugspbr.org/lista/html/FUG-BR/



This should solve it:


Use the --enable-suexec option to enable the suEXEC feature by building
and installing the "suexec" support program. Use --suexec-caller=UID to
set the allowed caller user id, --suexec-userdir=DIR to set the user
subdirectory, --suexec-docroot=DIR to set the suexec root directory,
--suexec-uidmin=UID/--suexec-gidmin=GID to set the minimal allowed
UID/GID, --suexec-logfile=FILE to set the logfile and
--suexec-safepath=PATH to set the safe shell PATH for the suEXEC
feature. At least one --suexec-xxxxx option has to be provided together
with the --enable-suexec option to let APACI accept your request for
using the suEXEC feature.


CAUTION: FOR DETAILS ABOUT THE SUEXEC FEATURE WE HIGHLY RECOMMEND YOU TO
FIRST READ THE DOCUMENT htdocs/manual/suexec.html BEFORE USING
THE ABOVE OPTIONS.


USING THE SUEXEC FEATURE PROPERLY CAN REDUCE CONSIDERABLY THE
SECURITY RISKS INVOLVED WITH ALLOWING USERS TO DEVELOP AND RUN
PRIVATE CGI OR SSI PROGRAMS. HOWEVER, IF SUEXEC IS IMPROPERLY
CONFIGURED, IT CAN CAUSE ANY NUMBER OF PROBLEMS AND POSSIBLY
CREATE NEW HOLES IN YOUR COMPUTER'S SECURITY. IF YOU AREN'T
FAMILIAR WITH MANAGING SETUID ROOT PROGRAMS AND THE SECURITY
ISSUES THEY PRESENT, WE HIGHLY RECOMMEND THAT YOU NOT CONSIDER
USING SUEXEC AND KEEP AWAY FROM THESE OPTIONS!








Do the following:

(from Apache's CHANGES)
*) SECURITY: Apache will refuse to run as "User root" unless
BIG_SECURITY_HOLE is defined at compile time. [Dean Gaudet]
--------------------


Compile Apache with the define BIG_SECURITY_HOLE and set its UID to root,
then it runs..

see:
Server version: Apache/1.3.31 (Unix)
Server built:   Sep 19 2003 13:50:23
Server's Module Magic Number: 19990320:10
Server compiled with....
-D EAPI
-D BIG_SECURITY_HOLE
-D HAVE_MMAP
-D USE_MMAP_SCOREBOARD
-D USE_MMAP_FILES
-D USE_FLOCK_SERIALIZED_ACCEPT
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D HTTPD_ROOT="/usr/local/intranet/apache"
-D SUEXEC_BIN="/usr/local/intranet/bin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/httpd.scoreboard"
-D DEFAULT_LOCKFILE="logs/httpd.lock"
-D DEFAULT_XFERLOG="/usr/local/intranet/log/httpd/access_log"
-D DEFAULT_ERRORLOG="/usr/local/intranet/log/httpd/error_log"
-D TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
-D ACCESS_CONFIG_FILE="conf/access.conf"
-D RESOURCE_CONFIG_FILE="conf/srm.conf"

This is my Intranet server running as ROOT!

part of HTTPD_CORE.C

"#if !defined (BIG_SECURITY_HOLE) && !defined (OS2)
    if (cmd->server->server_uid == 0) {
        fprintf(stderr,
                "Error:\tApache has not been designed to serve pages while\n"
                "\trunning as root. There are known race conditions that\n"
                "\twill allow any local user to read any file on the system.\n"
                "\tIf you still desire to serve pages as root then\n"
                "\tadd -DBIG_SECURITY_HOLE to the EXTRA_CFLAGS line in your\n"
                "\tsrc/Configuration file and rebuild the server. It is\n"
                "\tstrongly suggested that you instead modify the User\n"
                "\tdirective in your httpd.conf file to list a non-root\n"
                "\tuser.\n");
        exit (1);
    }
#endif
"

in summary...

./configure -DBIG_SECURITY_HOLE --server-uid=root --server-gid=wheel blah blah blah... your settings!

Have fun with it!

ps: there is certainly no shortage of Apache documentation!
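
For anyone auditing a host for the setup described in the message above, here is an added example (not from the thread and not Apache's own code) that checks saved `httpd -V` output and an httpd.conf for a root-serving build and configuration. The function names and the sample files are constructed for illustration, and it assumes a single config file.

```shell
# Added example (not from the thread): flag an Apache 1.3-style install that
# was built and configured to serve requests as root.
# True if saved `httpd -V` output lists the BIG_SECURITY_HOLE define.
built_with_root_override() {
    grep -Eq '^[[:space:]]*-D[[:space:]]*BIG_SECURITY_HOLE[[:space:]]*$' "$1"
}

# Print the last active User directive. Assumption: one config file,
# no Include or <VirtualHost> handling.
configured_user() {
    awk 'tolower($1) == "user" { u = $2 } END { if (u != "") print u }' "$1"
}

# True if that User is uid 0: "root", "#0", or any name `id` maps to 0
# (for example FreeBSD's toor).
user_is_root() {
    u=$(configured_user "$1")
    case "$u" in
        root|'#0') return 0 ;;
        '#'*) return 1 ;;
    esac
    [ "$(id -u "$u" 2>/dev/null)" = "0" ]
}

# audit <httpd -V output file> <httpd.conf>: print findings, return 1 if any.
audit() {
    rc=0
    if built_with_root_override "$1"; then
        echo "FINDING: httpd compiled with -D BIG_SECURITY_HOLE"; rc=1
    fi
    if user_is_root "$2"; then
        echo "FINDING: User directive resolves to uid 0"; rc=1
    fi
    return "$rc"
}

# Constructed sample input, modelled on the -V output quoted in the thread.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'Server compiled with....' ' -D EAPI' \
        ' -D BIG_SECURITY_HOLE' ' -D HAVE_MMAP' > "$d/v.txt"
    printf '%s\n' '#User nobody' 'User root' 'Group wheel' > "$d/httpd.conf"
    audit "$d/v.txt" "$d/httpd.conf"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || echo "audit: findings present"
```

On a live host, save the output of `httpd -V` to a file and pass it with the path to the active httpd.conf to `audit`.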


