[BlueOnyx:11446] Re: Need CGI script to execute command as root

Michael Stauber mstauber at blueonyx.it
Mon Oct 1 22:30:56 -05 2012


Hi David,

> I had a web form and CGI script on the RaQ4 that I used to make file
> downloads available to customers via a special URL. The files exist 
> outside of the /home/sites tree and the CGI script worked by creating a 
> symbolic link in the web space pointing back to the actual file outside of 
> the web space.
> 
> This script ran as root on the RaQ4 because it needed to use the "symlink" 
> and "unlink" commands to do its thing. The html form and the CGI script 
> were placed inside the admserv space, so one needed to use the server 
> admin user and password to actually get to the form. This was fine because 
> I am the server admin and it kept everyone else out.
> 
> What's the best way to reproduce this behaviour on the BX server?

Usually the AdmServ won't run CGI scripts, because it doesn't need to.
The web accessible GUI pages are all in PHP or plain HTML.

If you copy /etc/httpd/conf.d/perl.conf to /etc/admserv/conf.d/ and
restart AdmServ, it'll execute Perl scripts. But the scripts from the
RaQ4 might still not work, because it could be that they require RaQ4
specific libraries which BlueOnyx doesn't have.

All in all I would forget about running Perl scripts with SUID just for
providing downloads. It's a security risk that could be solved in
different ways without tearing potential security holes into the box.

A regular .htaccess protection and enabling permissions to follow
symlinks for said directory could also solve the trick. It all depends
on what kind of files you want people to be able to download.

Even if you forget about symlinks, you could set up a cronjob that
copies the files into the /web tree into a password protected directory
and also could use that script to fix ownerships and permissions.

Password protected or not: All of this ought to be more desirable than
SUID stuff. Just saying ....

-- 
With best regards

Michael Stauber
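The cron-driven copy approach described above, as an added example that is not from the list post or from BlueOnyx itself: it copies regular files from a directory outside the web tree into a protected download directory, normalises ownership and permissions, and writes a Basic-auth .htaccess. The source and destination paths, the owner/group arguments and the /home/downloads/.htpasswd location are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the BlueOnyx project).
# publish_downloads SRC DST [OWNER] [GROUP]
#   SRC   directory outside the web tree that holds the real files
#   DST   password-protected directory inside the site's /web tree
# Intended to be run from cron, e.g. (assumed crontab line):
#   */15 * * * * /usr/local/bin/publish-downloads.sh
publish_downloads() {
    src="$1"
    dst="$2"
    owner="${3:-$(id -un)}"
    group="${4:-$(id -gn)}"

    mkdir -p "$dst"

    # Copy regular files only. Without -L, find's -type f does not match
    # symlinks, so nothing outside SRC is ever dereferenced into web space.
    find "$src" -mindepth 1 -maxdepth 1 -type f -exec cp -p {} "$dst"/ \;

    # Fix ownership and permissions: directory 0750, files 0640, so the
    # web server can read them but nothing in the tree is executable.
    chown -R "$owner:$group" "$dst"
    chmod 0750 "$dst"
    find "$dst" -type f -exec chmod 0640 {} \;

    # Basic-auth protection for the directory. The htpasswd file path is an
    # assumption; keep it outside the web tree so it is never served.
    cat > "$dst/.htaccess" <<'EOF'
AuthType Basic
AuthName "Customer downloads"
AuthUserFile /home/downloads/.htpasswd
Require valid-user
EOF
    chmod 0640 "$dst/.htaccess"
}
```

Create the htpasswd file once with `htpasswd -c /home/downloads/.htpasswd <user>` and make sure the site's AllowOverride permits AuthConfig, otherwise the .htaccess is ignored.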


