>>Given the modularity of the Unix security model, the only way to do >>this generally will be to make your CGI program setuid root and do some >>voodoo on Apache to allow it to execute such things.
You're right. Setting the uid of the CGI program to root is way too dangerous. Besides, I am already forced to run Apache as user "oracle" to allow my CGI program to access the shared OCI libraries and the Oracle environment. >>The very thought >>of doing this sends cold shivers up my spine being someone who worries a >>lot about security, so be SURE that that's the only way to do what you >>need to do! Maybe there's an approach that will not require privileged >>actions that you can try that will do the job. On Windows, I've done this using ISAPI on IIS. Basically, my ISAPI runs under the IIS web user but I am able to programatically login as Administrator, switch privileges, do whatever I needed to do, then logoff the Administrator. All this takes about a split second so security really isn't too much of an issue. Does UNIX support this functionality? >>I'll also urge you to reconsider the use of C/C++ >>for this purpose, as they were not designed for convenient and secure >>CGI programming. It's easy to make mistakes that can lead to fatal >>security errors with these languages. I would suggest you use Perl or >>Python instead to do your CGI work. Can't teach an old dog new tricks. Besides, using C/C++ simplifies our multi-platform/native database access approach to development. _ Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph To leave: send "unsubscribe" in the body to [EMAIL PROTECTED] To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
