Re: [PHP] POSIX seteuid and similar
Curt, thanks for that, I didnt see that in the notes. A question that I havent been able to work out since reading this is... When both you and the person in the contributed notes say: make your php cgi setuid and that is ran in cgi mode that is setuid'd ... How do I setuid a CGI script? ...surely if i access it through the browser it will still execute as apache? Cheers - Original Message - From: Curt Zirzow [EMAIL PROTECTED] Newsgroups: php.general To: [EMAIL PROTECTED] Sent: Monday, July 21, 2003 5:08 AM Subject: Re: [PHP] POSIX seteuid and similar * Thus wrote David Goodchild ([EMAIL PROTECTED]): Hi, I am trying to create a small php program where I can control users processes. As far as I see I require Apache to run as root in order to do this (Note: I wish to access it via a webpage run through a browser). At the moment all pages are executed as user 'apache' (UID #48 in this case). Other than giving apache root access which i hear is a very bad thing to do, what other ways can i use the posix_seteuid() functions and the like. Any help at all will be really appreciated. There is an example in the contributed notes on the site under the posix_setuid. Baically it is a perl script that is ran in cgi mode that is setuid'd. then opens a php script that runs the setuid script. I dont see why, if you choose this method is to just bypass the perl cgi and just make your php cgi setuid. I'm not sure of any security issues in doing that but it seems better than running your whole apache server as root. Curt -- I used to think I was indecisive, but now I'm not so sure. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] POSIX seteuid and similar
You guys can correct me if I'm wrong but I believe what is referred to here is SUEXEC. This allows a virtual domain instance to run as any specified username and group. You are not setting the UID of the script but rather any script fun for that domain. This way you don't have to chmod 777 or chgrp apache files. The virtual server instance is set to run as you (usually) and thus has the same permissions you do. You may have to compile or recompile apache to get this to work for your set up (requires you specify a path where SUEXEC files exist) among other things. hope this helps... now... any regexp's response out there? :-) On Monday, July 21, 2003, at 12:56 PM, David Goodchild wrote: Curt, thanks for that, I didnt see that in the notes. A question that I havent been able to work out since reading this is... When both you and the person in the contributed notes say: make your php cgi setuid and that is ran in cgi mode that is setuid'd ... How do I setuid a CGI script? ...surely if i access it through the browser it will still execute as apache? Cheers - Original Message - From: Curt Zirzow [EMAIL PROTECTED] Newsgroups: php.general To: [EMAIL PROTECTED] Sent: Monday, July 21, 2003 5:08 AM Subject: Re: [PHP] POSIX seteuid and similar * Thus wrote David Goodchild ([EMAIL PROTECTED]): Hi, I am trying to create a small php program where I can control users processes. As far as I see I require Apache to run as root in order to do this (Note: I wish to access it via a webpage run through a browser). At the moment all pages are executed as user 'apache' (UID #48 in this case). Other than giving apache root access which i hear is a very bad thing to do, what other ways can i use the posix_seteuid() functions and the like. Any help at all will be really appreciated. There is an example in the contributed notes on the site under the posix_setuid. Baically it is a perl script that is ran in cgi mode that is setuid'd. then opens a php script that runs the setuid script. I dont see why, if you choose this method is to just bypass the perl cgi and just make your php cgi setuid. I'm not sure of any security issues in doing that but it seems better than running your whole apache server as root. Curt -- I used to think I was indecisive, but now I'm not so sure. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] POSIX seteuid and similar
Hi, I am trying to create a small php program where I can control users processes. As far as I see I require Apache to run as root in order to do this (Note: I wish to access it via a webpage run through a browser). At the moment all pages are executed as user 'apache' (UID #48 in this case). Other than giving apache root access which i hear is a very bad thing to do, what other ways can i use the posix_seteuid() functions and the like. Any help at all will be really appreciated. Thanks, Dave -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] POSIX seteuid and similar
Hi, I am trying to create a small php program where I can control users processes. As far as I see I require Apache to run as root in order to do this (Note: I wish to access it via a webpage run through a browser). At the moment all pages are executed as user 'apache' (UID #48 in this case). Other than giving apache root access which i hear is a very bad thing to do, what other ways can i use the posix_seteuid() functions and the like. Any help at all will be really appreciated. Thanks, Dave -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] POSIX seteuid and similar
* Thus wrote David Goodchild ([EMAIL PROTECTED]): Hi, I am trying to create a small php program where I can control users processes. As far as I see I require Apache to run as root in order to do this (Note: I wish to access it via a webpage run through a browser). At the moment all pages are executed as user 'apache' (UID #48 in this case). Other than giving apache root access which i hear is a very bad thing to do, what other ways can i use the posix_seteuid() functions and the like. Any help at all will be really appreciated. There is an example in the contributed notes on the site under the posix_setuid. Baically it is a perl script that is ran in cgi mode that is setuid'd. then opens a php script that runs the setuid script. I dont see why, if you choose this method is to just bypass the perl cgi and just make your php cgi setuid. I'm not sure of any security issues in doing that but it seems better than running your whole apache server as root. Curt -- I used to think I was indecisive, but now I'm not so sure. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php