Re: Re: (newrisedesigns) permissions and apache

by cidaris (Friar)
on Jul 31, 2002 at 14:43 UTC

in reply to Re: (newrisedesigns) permissions and apache
in thread permissions and apache

Perhaps some elaboration...
Currently, the website updates itself every night at midnight thru cron. My site isn't just a "hi, I'm cidaris, this is a 3MB bmp of my dog".
Every day, there are between 30 and 100 new pieces of content to add, and the HTML must be generated for it.
Think of a high-end porn site, without the pictures. Stock photo kind of stuff.
Lots of content, fairly organizational.
Lately, I've been aching for some customization. I built a MySQL database to house all the variable info, like table schemes, color schemes, individual images, applicable holidays, etc.
I know this is just screaming "use a templating system!" but I didn't.
The program is done, I just want to run it from the web now, instead of in cron.
I want my admins to be able to go to a page, specify with radio buttons all the options they want, and click 'Go' and the program builds them a site.
So, as is, a script which people call from the web lets them select all these options, change info, update the database, etc.
Once they hit submit on the final "OK, we're all done" page, it calls the site generation program with a single argument, the primary key for the appropriate database table.

The problem is that since the generator program is writing pages in the /htdocs/ folder, it must have better permissions than 'nobody'.
But since Apache (which I've set to run as 'nobody', in accordance with what nearly every security discussion agrees on) calls it, it now has 'nobody' permissions and hence cannot write to htdocs.

I have looked into sudo, and it's looking like that may be the solution. Originally, someone pointed me to CGIWrap, but its documentation is somewhat sparse.

So, like all (s/wise/lazy/) men, I thought to inquire before I embarked on some large, 3rd party-heavy solution.

Hopefully, I can find some answers.

Replies are listed 'Best First'.
An update: permissions and apache
by cidaris (Friar) on Jul 31, 2002 at 21:10 UTC
    OK, I've made significant progress with a lot of reading.
    I have learned more than I wanted to know about the whole setuid issue, and have written a C++ wrapper to call the script and pass the command-line issues. I then gave the C++ program more appropriate access permissions.
    I then went through and did all the necessary sanity-checking and untainting of the various data.
    I then got to my favorite part of any coding process, debugging!
    After several failed attempts, I got
    "su -c './perl_run Build' nobody"
    to work correctly.
    Thinking I was all but done, I included the system call to the script
    my $results = system("/usr/local/bin/perl/perl_run", $directive);
    in my CGI program. Before untainting, I would get -1 for results, which I expected, as it didn't work at that time.

    However, now I'm getting 256 (which I believe is actually '1' for success) but here's the catch:
    The program isn't running, the site isn't changing, and I'm about to call it quits in favor of a few tall mugs of Newcastle.

    Any thoughts?
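
An added example, not part of the original posts: one way the CGI side of this setup can validate the single argument, call a helper without a shell, and decode what system() returns. The numeric key format, the function names and the use of the running perl ($^X) as a stand-in for the wrapper are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example: check the argument, run the helper in list form,
# and turn system()'s wait status into something readable.

# Accept only a short numeric primary key (assumed format).
# Under -T the regex capture is what untaints the value.
sub untaint_key {
    my ($raw) = @_;
    return defined $raw && $raw =~ /\A(\d{1,10})\z/ ? $1 : undef;
}

# system() returns the wait status, not the exit code: -1 means the child
# never started, the low 7 bits hold a signal number, and the exit code
# lives in the high byte (so a status of 256 is exit code 1).
sub describe_status {
    my ($status, $errno) = @_;
    return "could not start child: $errno" if $status == -1;
    return sprintf('killed by signal %d', $status & 127) if $status & 127;
    return sprintf('exit code %d', $status >> 8);
}

# Run a command in list form (no shell involved) with a minimal environment.
sub run_helper {
    my (@cmd) = @_;
    no warnings 'exec';                       # failure is reported via the status
    local %ENV = (PATH => '/usr/bin:/bin');   # drop everything inherited
    my $status = system { $cmd[0] } @cmd;
    return describe_status($status, "$!");
}

# Constructed inputs: one valid key, one carrying shell metacharacters.
for my $raw ('42', '42; id') {
    my $key = untaint_key($raw);
    print "'$raw' => ", (defined $key ? "accepted $key" : 'rejected'), "\n";
}

# Stand-in children: the running perl exiting with 1 and with 0,
# then a path that does not exist (placeholder, not the poster's wrapper).
print run_helper($^X, '-e', 'exit 1'), "\n";
print run_helper($^X, '-e', 'exit 0'), "\n";
print run_helper('/nonexistent/perl_run', '7'), "\n";
```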
