Belaboring a point

Sorry if this is a repeat, I can’t seem to find whether I sent this
already.

We have Apache running as nobody, the kernel has suid shell scripting
disabled, and I have built a version of perl that has suidperl/suid
emulation enabled. However, the only way I can get this all to work with
mod_perl is to have the server running as the rt user. Is there any way
to have the server running as nobody, and the mod_perl stuff to have suid
rt for the scripting? (I don’t think there is, I just want to make sure)

Also, as a corollary, anyone have an example of the apache config for a
WebRT running as a plain-jane suidperl CGI script and/or a suEXEC CGI
script?

Thanks,

Simon.

“ST” == Simon Thornington thorns@openface.ca writes:

ST> emulation enabled. However, the only way I can get this all to work with
ST> mod_perl is to have the server running as the rt user. Is there any way
ST> to have the server running as nobody, and the mod_perl stuff to have suid

Why do you think this? What error are you getting that says it needs
to be owned by rt to run the web interface?

Vivek Khera, Ph.D. Khera Communications, Inc.
Internet: khera@kciLink.com Rockville, MD +1-240-453-8497
AIM: vivekkhera Y!: vivek_khera http://www.khera.org/~vivek/

Well, the first error I get is that it can’t write/create the log file in
the rt:rt-owned log directory I’ve created (/usr/local/rt/log)

drwxrwxr-x 2 rt rt 512 Sep 4 15:22 log

I have been able to get further by chowning the log dir to nobody etc, but
problems will still crop up. (Next in the WebRT sessions directory, and
so on and so on.)

I’m sort of fundamentally unsure how perl scripts interpreted inside
mod_perl inside an httpd running as nobody could promote themselves to
another user in the first place, since there is no forking of suid CGI
scripts involved, but perhaps I’m missing something.

Cheers,

Simon.

On Tue, 4 Sep 2001, Vivek Khera wrote:

“ST” == Simon Thornington thorns@openface.ca writes:

ST> emulation enabled. However, the only way I can get this all to work with
ST> mod_perl is to have the server running as the rt user. Is there any way
ST> to have the server running as nobody, and the mod_perl stuff to have suid

Why do you think this? What error are you getting that says it needs
to be owned by rt to run the web interface?




rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

“ST” == Simon Thornington thorns@openface.ca writes:

ST> I’m sort of fundamentally unsure how perl scripts interpreted inside
ST> mod_perl inside an httpd running as nobody could promote themselves to
ST> another user in the first place, since there is no forking of suid CGI
ST> scripts involved, but perhaps I’m missing something.

They can't.

You need to make sure that the directories RT wants to write to are
writable by the owner of the httpd process. You can do this with file
ownerships or permissions, depending on your needs.


Ok, that makes sense. So the solution is either to have the plaintext
rt database user’s password in plaintext for nobody, or run the server and
own the files as another user. I looked, but I can’t see that
DBD-postgresql supports the Pg crypted password mode; do you know if this
is implemented?

Cheers,

Simon.

“ST” == Simon Thornington thorns@openface.ca writes:

ST> Ok, that makes sense. So the solution is either to have the plaintext
ST> rt database user’s password in plaintext for nobody, or run the server and
ST> own the files as another user. I looked, but I can’t see that
ST> DBD-postgresql supports the Pg crypted password mode; do you know if this
ST> is implemented?

Personally, I run a separate instance of Apache on a different port to
keep the main server from bloating too much. I limit it to 5
concurrent processes that handle just a few hundred requests each.
That’s sufficient for our WebRT usage.