Re: [cgiwrap-users] UID from file
From: Piotr K. <ma...@ma...> - 2002-04-03 10:54:09
On Thu, Mar 28, 2002 at 07:10:44AM -0600, Nathan Neulinger wrote:
> Daniel Lorch wrote:
> > In particular it's the way how cgiwrap extracts the username under
> > which the script will be executed. A friend just told me he had
> > patched cgiwrap to extract the username from the file owner.
> >
> > So, what's exactly wrong with this? A user cannot chown a file to
> > another user and configuration would be extremely facilitated.
>
> Many platforms do allow giveaway chown.

A while ago Daniel pointed me to the page
http://steven.haryan.to/mod_cgiwrap/mod_cgiwrap.html
where there is a patch for cgiwrap (mod_cgiwrap) that includes the
--with-docroot-mode and --with-docroot-owner options.

At the above page there is also a short patch for the empty PATH_INFO env. variable.
You may consider looking at this patch in your free time.
I do not know if it is necessary, but there are problems with this env.
variable under php (though I can't describe it deeper now).

Below is the description of the mentioned options extracted from the patch:

+Added --with-docroot-mode configure option. + +Added --with-docroot-owner configure option. + +If docroot mode is active, instead of looking for a cgi dir under user's +home directory, cgiwrap will instead look at the DOCUMENT_ROOT variable and +make that the cgi base directory. + +If docroot owner is active, instead of honoring the /username/ part of +PATH_INFO, cgiwrap will instead use the ownership settings of the document +root. You can put any string in the /username/ part in PATH_INFO since it +will be ignored. + +Both these options are suitable for virtual hosting (well, at least make it +more convenient on the configuration side).

This is not what Daniel wants - it extracts the user from the directory,
not the script itself. That behaviour could help creating virtual
server directories outside of the user home dir, or create
several virtual server configurations under the same user home directory.

[...]

if the new apache 2.0 would have working perchild MPM, then
cgiwrap would be unnecessary for virtual hosts... but it is in beta stage for now.

> > But it *must* be something wrong with it, otherwise cgiwrap would
> > work like this by default, right? Is it more error-prone?
>
> It's a multi-level protection. First, files have to be in particular
> user's dir, and they have to be owned by that user, and they have to
> have appropriate permissions, etc.

I agree that this is safer to check the owner of the script ...
sometimes I copied cgi/php scripts between different directories as root
(then with root or source script permissions).

Regards,

-- 
Piotr Klaban
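
Review bot: the docroot-owner paragraph says the user is taken from the ownership settings of the document root and that the /username/ part of PATH_INFO is ignored, but it does not say whether the script's own owner and permissions are still checked against that user. The text should state this, and also what happens when the document root is owned by root. In the docroot-mode paragraph, the description should say where the DOCUMENT_ROOT variable is expected to come from, since it becomes the cgi base directory.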
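
The layered checks Nathan describes (file inside the user's directory, owned by that user, with appropriate permissions), written out as an added C example; it is not cgiwrap's code and not taken from the patch. `check_script`, its parameters, the error codes and the `demo` harness with its temp files are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { SCRIPT_OK, ERR_RESOLVE, ERR_OUTSIDE_DIR, ERR_NOT_FILE, ERR_OWNER, ERR_MODE };

/* Assumption: cgi_dir and uid come from the account lookup for the requested user. */
int check_script(const char *script, const char *cgi_dir, uid_t uid)
{
    char rdir[PATH_MAX], rscript[PATH_MAX];
    struct stat st;
    if (!realpath(cgi_dir, rdir) || !realpath(script, rscript))
        return ERR_RESOLVE;
    size_t n = strlen(rdir);
    /* 1. With symlinks and ".." resolved, the script must sit inside the cgi dir. */
    if (strncmp(rscript, rdir, n) != 0 || rscript[n] != '/')
        return ERR_OUTSIDE_DIR;
    if (stat(rscript, &st) != 0 || !S_ISREG(st.st_mode))
        return ERR_NOT_FILE;
    /* 2. Ownership confirms the requested user; it does not select the user. */
    if (st.st_uid != uid)
        return ERR_OWNER;
    /* 3. Nobody else may be able to modify it, and no setuid/setgid bits. */
    if (st.st_mode & (S_IWGRP | S_IWOTH | S_ISUID | S_ISGID))
        return ERR_MODE;
    return SCRIPT_OK;
}

/* Constructed sample: a temp dir standing in for a user's cgi dir. */
int demo(int which)
{
    char dir[] = "/tmp/cgichkXXXXXX", script[PATH_MAX], lnk[PATH_MAX];
    if (!mkdtemp(dir)) return -1;
    snprintf(script, sizeof script, "%s/hello.cgi", dir);
    snprintf(lnk, sizeof lnk, "%s/escape.cgi", dir);
    int fd = open(script, O_CREAT | O_WRONLY, 0700);
    if (fd < 0 || symlink("/", lnk) != 0) return -1;
    close(fd);
    chmod(script, which == 2 ? 0777 : 0755);
    int r = check_script(which == 3 ? lnk : script, dir,
                         geteuid() + (which == 1 ? 1 : 0));
    unlink(script); unlink(lnk); rmdir(dir);
    return r;
}
```

A real wrapper would also have to make sure the file it executes is the one it checked, since `stat` followed by `exec` leaves a window in between.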