putz ... gostei do nome "BIG_SECURITY_HOLE" 

... aprendi uma coisa que nao sabia hj
hehehe

valeuz

Daniel Lemos Itaborai


 --- FreeBSD® Hack <[EMAIL PROTECTED]> escreveu: 
> Daniel Itaborai wrote:
> 
> >vc nao consegue fazer o suexec rodar como root ...
> leia as restricoes
> >na documentacao do apache ... sao muitas
> > 
> >Daniel Lemos Itaborai
> >
> >FreeBSD® Hack <[EMAIL PROTECTED]> wrote:
> >Tiago Ghisi wrote:
> >
> >  
> >
> >>Preciso roda uma aplicacao via apache, sendo que
> ela tem que se
> >>executada via super usuario, existe maneira de
> roda o apache como
> >>root, ou algum script, e qual seria o script pode
> ser em php, nao sei,
> >>para que o usuario que estiver rodando o apache
> virar super usuario?
> >>
> >>
> >>
>
>>------------------------------------------------------------------------
> >>
>
>>_______________________________________________________________
> >>Para enviar um novo email para a lista:
> freebsd@fug.com.br
> >>Sair da Lista:
>
http://mail.fug.com.br/mailman/listinfo/freebsd_fug.com.br
> >>Historico:
> http://www4.fugspbr.org/lista/html/FUG-BR/
> >>
> >>    
> >>
> >Isto deve resolver:
> >
> >
> >Use the --enable-suexec option to enable the suEXEC
> feature by building
> >and installing the "suexec" support program. Use
> --suexec-caller=UID to
> >set the allowed caller user id,
> --suexec-userdir=DIR to set the user 
> >subdirectory, --suexec-docroot=DIR to set the
> suexec root directory,
> >--suexec-uidmin=UID/--suexec-gidmin=GID to set the
> minimal allowed
> >UID/GID, --suexec-logfile=FILE to set the logfile
> and
> >--suexec-safepath=PATH to set the safe shell PATH
> for the suEXEC
> >feature. At least one --suexec-xxxxx option has to
> be provided together
> >with the --enable-suexec option to let APACI accept
> your request for
> >using the suEXEC feature.
> >
> >CAUTION: FOR DETAILS ABOUT THE SUEXEC FEATURE WE
> HIGHLY RECOMMEND 
> >YOU TO
> >FIRST READ THE DOCUMENT htdocs/manual/suexec.html
> BEFORE USING
> >THE ABOVE OPTIONS.
> >
> >USING THE SUEXEC FEATURE PROPERLY CAN REDUCE
> CONSIDERABLY THE
> >SECURITY RISKS INVOLVED WITH ALLOWING USERS TO
> DEVELOP AND RUN
> >PRIVATE CGI OR SSI PROGRAMS. HOWEVER, IF SUEXEC IS
> IMPROPERLY
> >CONFIGURED, IT CAN CAUSE ANY NUMBER OF PROBLEMS AND
> POSSIBLY
> >CREATE NEW HOLES IN YOUR COMPUTER'S SECURITY. IF
> YOU 
> >AREN'T 
> >FAMILIAR WITH MANAGING SETUID ROOT PROGRAMS AND THE
> SECURITY 
> >ISSUES THEY PRESENT, WE HIGHLY RECOMMEND THAT YOU
> NOT CONSIDER
> >USING SUEXEC AND KEEP AWAY FROM THESE OPTIONS!
> >
> >
>
>_______________________________________________________________
> >Para enviar um novo email para a lista:
> freebsd@fug.com.br
> >Sair da Lista:
>
http://mail.fug.com.br/mailman/listinfo/freebsd_fug.com.br
> >Historico:
> http://www4.fugspbr.org/lista/html/FUG-BR/
> >
> >             
> >---------------------------------
> >Yahoo! Acesso Grátis - Internet rápida e grátis.
> Instale o discador do Yahoo! agora.
>
>_______________________________________________________________
> >Para enviar um novo email para a lista:
> freebsd@fug.com.br
> >Sair da Lista:
>
http://mail.fug.com.br/mailman/listinfo/freebsd_fug.com.br
> >Historico:
> http://www4.fugspbr.org/lista/html/FUG-BR/
> >
> >
> >
> >  
> >
> Faz o seguinte:
> 
> (CHANGES do APACHE)
>   
>   *) SECURITY: Apache will refuse to run as "User
> root" unless
>      BIG_SECURITY_HOLE is defined at compile time. 
> [Dean Gaudet]
> --------------------
> 
> Compila o apache com o DEFINE: BIG_SECURITY_HOLE e
> seta o UID dele para root
> ai roda..
> 
> veja: Server version: Apache/1.3.31 (Unix)
> Server built:   Sep 19 2003 13:50:23
> Server's Module Magic Number: 19990320:10
> Server compiled with....
>  -D EAPI
>  -D BIG_SECURITY_HOLE
>  -D HAVE_MMAP
>  -D USE_MMAP_SCOREBOARD
>  -D USE_MMAP_FILES
>  -D USE_FLOCK_SERIALIZED_ACCEPT
>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>  -D HTTPD_ROOT="/usr/local/intranet/apache"
>  -D SUEXEC_BIN="/usr/local/intranet/bin/suexec"
>  -D DEFAULT_PIDLOG="logs/httpd.pid"
>  -D DEFAULT_SCOREBOARD="logs/httpd.scoreboard"
>  -D DEFAULT_LOCKFILE="logs/httpd.lock"
>  -D
>
DEFAULT_XFERLOG="/usr/local/intranet/log/httpd/access_log"
>  -D
>
DEFAULT_ERRORLOG="/usr/local/intranet/log/httpd/error_log"
>  -D TYPES_CONFIG_FILE="conf/mime.types"
>  -D SERVER_CONFIG_FILE="conf/httpd.conf"
>  -D ACCESS_CONFIG_FILE="conf/access.conf"
>  -D RESOURCE_CONFIG_FILE="conf/srm.conf"
> 
> Este é meu servidor da Intranet rodando como ROOT!
> 
> parte do HTTPD_CORE.C
> 
> "#if !defined (BIG_SECURITY_HOLE) && !defined (OS2)
>     if (cmd->server->server_uid == 0) {
>         fprintf(stderr,
>                 "Error:\tApache has not been
> designed to serve pages 
> while\n"
>                 "\trunning as root.  There are known
> race conditions that\n"
>                 "\twill allow any local user to read
> any file on the 
> system.\n"
>                 "\tIf you still desire to serve
> pages as root then\n"
>                 "\tadd -DBIG_SECURITY_HOLE to the
> EXTRA_CFLAGS line in 
> your\n"
>                 "\tsrc/Configuration file and
> rebuild the server.  It is\n"
>                 "\tstrongly suggested that you
> instead modify the User\n"
>                 "\tdirective in your httpd.conf file
> to list a non-root\n"
>                 "\tuser.\n");
>         exit (1);
>     }
> #endif
> 
> "
> 
> resumindo...
> 
> ./configure -DBIG_SECURITY_HOLE --server-uid=root
> --server-gid=wheel bla 
> bla bla bala... suas configurações!
> 
> Boas brincadeiras ai!
> 
> ps: documentação do apache é o que não falta mesmo!
> 
> 
> 
>
_______________________________________________________________
> Para enviar um novo email para a lista:
> freebsd@fug.com.br
> Sair da Lista:
>
http://mail.fug.com.br/mailman/listinfo/freebsd_fug.com.br
> Historico:
> http://www4.fugspbr.org/lista/html/FUG-BR/
>  

__________________________________________________
Converse com seus amigos em tempo real com o Yahoo! Messenger 
http://br.download.yahoo.com/messenger/ 

_______________________________________________________________
Para enviar um novo email para a lista: freebsd@fug.com.br
Sair da Lista: http://mail.fug.com.br/mailman/listinfo/freebsd_fug.com.br
Historico: http://www4.fugspbr.org/lista/html/FUG-BR/

Responder a