On 5 March 2012 08:06, Steve Swift <[email protected]> wrote:

> This certainly sounds like a situation for SUEXEC.
>
> However, if you need the apache server to assign files to arbitrary
> user:group then there are two ways that I know of:
>
> 1. You could create a SUDO entry which allows apache to use the
> chown/chgrp command AS root

This did the trick.

> 2. You could create a program to issue the chown/chgrp commands and
> use the SETUID bit so that it executes as root.

Somehow, this failed to work, no matter what I tried. Although the simple
shell script did work when invoked from the command line, it never worked
when invoked with (Perl) system( "/name/of/script $usr:$grp $path" )

Thank you!
Wolfgang

> In the first case, the SUDO entry should be restricted to your apache ID.
> In the second case, the process is controlled by a program that you
> control, so you can add any security that you wish. I'd start by having the
> program verify that it is, indeed, running under the apache userid,
> whatever that is in your case.
>
> On 4 March 2012 21:57, Mark Montague <[email protected]> wrote:
>
>> On March 4, 2012 12:33, Wolfgang Laun <[email protected]> wrote:
>>
>>> A CGI script creates a file; it should also change its "natural" owner
>>> and group (daemon.daemon) to the one of the (authenticated) requesting
>>> user. Several users should be able to do that. Having read the Apache 2.4
>>> documentation on Suexec I have the impression that this isn't possible at
>>> all. Is this correct or did I miss something?
>>
>> Only root can change the owner of a file. So if a CGI needs to change
>> the owner of a file that it creates, the CGI would have to be run as root
>> (very dangerous, do not do this) or it would have to use a set-uid helper
>> script to change the owner. Suexec cannot change the owner of a file
>> created by a CGI, because it will not know what files the CGI creates.
>>
>> I think what you want is to run the CGI as the user who is authenticated.
>> Then any files created by the CGI will be owned by the user who is
>> authenticated. Does this sound right?
>>
>> For more information, see https://wiki.apache.org/httpd/PrivilegeSeparation
>>
>> --
>> Mark Montague
>> [email protected]
>
> --
> Steve Swift
> http://www.swiftys.org.uk
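The set-uid helper that option 2 in the thread describes, written out as an added example (this is not code from any of the list posters). Linux ignores the set-uid bit on interpreted scripts, so a helper of this kind has to be a compiled program. It follows Steve's advice by refusing to run unless its real uid is the web server's, and adds the checks a privilege-separation helper needs: the user:group argument is parsed strictly, the target path must lie inside one directory tree with no ".." components, the file is opened with O_NOFOLLOW and inspected through the descriptor so a symlink cannot be swapped in between check and use, and only regular files currently owned by the web-server account can be re-owned. The run-as user "daemon" (from Wolfgang's "daemon.daemon"), the base directory /srv/www/uploads/ and the binary name chown-helper are assumptions, not from the thread.

```c
/* Added example, not from the thread: compiled set-uid-root helper that lets the
 * web server hand a file it created to an authenticated user.
 * Install (assumed names): chown root:daemon chown-helper; chmod 4750 chown-helper
 * Invoke from the CGI:    chown-helper user:group /srv/www/uploads/<file>
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define WEB_USER "daemon"             /* assumption: apache's run-as user     */
#define BASE_DIR "/srv/www/uploads/"  /* assumption: the only tree CGIs write */

/* Only the web server's real uid may call the helper; root is refused too. */
int caller_allowed(uid_t real_uid, uid_t web_uid) {
    return real_uid != 0 && real_uid == web_uid;
}

/* "user:group": exactly one colon, both names non-empty and shorter than n.
 * Returns 0 and fills user/group, or -1 for a malformed spec. */
int split_owner(const char *spec, char *user, char *group, size_t n) {
    const char *colon = strchr(spec, ':');
    if (!colon || colon == spec || colon[1] == '\0' || strchr(colon + 1, ':'))
        return -1;
    size_t ulen = (size_t)(colon - spec);
    if (ulen >= n || strlen(colon + 1) >= n)
        return -1;
    memcpy(user, spec, ulen);
    user[ulen] = '\0';
    strcpy(group, colon + 1);
    return 0;
}

/* Absolute path, under base (which ends in '/'), naming something inside it,
 * with no ".." segment anywhere. Returns 1 if acceptable, else 0. */
int path_allowed(const char *path, const char *base) {
    size_t blen = strlen(base);
    if (path[0] != '/' || strncmp(path, base, blen) != 0 || path[blen] == '\0')
        return 0;
    for (const char *p = path; *p; ) {
        const char *end = strchr(p, '/');
        size_t seg = end ? (size_t)(end - p) : strlen(p);
        if (seg == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (!end)
            break;
        p = end + 1;
    }
    return 1;
}

int main(int argc, char **argv) {
    char user[64], group[64];
    if (argc != 3) {
        fprintf(stderr, "usage: %s user:group path\n", argv[0]);
        return 2;
    }
    struct passwd *web = getpwnam(WEB_USER);
    if (!web || !caller_allowed(getuid(), web->pw_uid)) {
        fprintf(stderr, "refused: caller is not %s\n", WEB_USER);
        return 1;
    }
    if (split_owner(argv[1], user, group, sizeof user) != 0 ||
        !path_allowed(argv[2], BASE_DIR)) {
        fprintf(stderr, "refused: bad owner spec or path\n");
        return 1;
    }
    struct passwd *pw = getpwnam(user);
    struct group  *gr = getgrnam(group);
    if (!pw || !gr || pw->pw_uid == 0 || gr->gr_gid == 0) {
        fprintf(stderr, "refused: unknown or privileged target owner\n");
        return 1;
    }
    /* Open without following symlinks, then check and chown via the fd so the
     * path cannot be swapped between the check and the use. */
    int fd = open(argv[2], O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    struct stat st;
    if (fd < 0 || fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != web->pw_uid) {
        fprintf(stderr, "refused: not a regular file owned by %s\n", WEB_USER);
        if (fd >= 0) close(fd);
        return 1;
    }
    int rc = fchown(fd, pw->pw_uid, gr->gr_gid);
    close(fd);
    if (rc != 0) { perror("fchown"); return 1; }
    return 0;
}
```

The ownership check on st_uid is what keeps the helper narrow: even if a CGI is tricked into passing an arbitrary path, the helper will only re-own files the web-server account itself created inside BASE_DIR. The same narrowing applies to option 1 in the thread: a sudoers entry for the web-server user should name this helper by full path rather than granting chown itself.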
