From: "Jim Flowers"
Subject: Netsaint External Commands
Date: Sat, 9 Jun 2001 01:03:54 -0400
Message-ID: <013d01c0f0a1$95b5e2a0$22b197ce@ezo.net>
Sender: owner-freebsd-questions@FreeBSD.ORG

The Netsaint instructions to enable the use of external commands won't work with FreeBSD due to the use of sgid on the rw directory to enable appending to the netsaint.cmd pipe. The docs say that the sgid bit is ignored on directories and it sure doesn't work.

The idea is that the web server runs as user nobody, and user nobody is listed in the /etc/group file as a member of the nscmd group. Both the rw directory and the netsaint.cmd pipe are owned by user netscape with group nscmd so the cmd.cgi script should be able to open the pipe for writing. Not so.

Ignoring the sgid bit and by trial and error, the directory must have o+x and the file must have o+rw permissions or nothing happens. The cgi script just refuses to open the pipe. [ fopen(command_file,"w+") ]

I can understand the directory x bit having to be set or the calling program wouldn't be able to find the file. I don't understand why the group permissions don't allow the append. Shouldn't this work because 'nobody' is a member of the nscmd group?

Rather than leave things this way, I set g+x on the directory, the pipe is created by Netsaint with g+rw and changed the group on the cmd.cgi program to nscmd with the sgid bit set. Does this make sense and does it represent a security problem?
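
As an added illustration (not part of the original message and not Netsaint code), the following Python sketch models the classic Unix permission check for the layout described above: search permission on the rw directory, then read and write on netsaint.cmd, because `fopen(..., "w+")` opens the file read-write. The directory and pipe names follow the post; the function names are hypothetical, only the immediate directory is checked (not its ancestors), and root and ACLs are ignored.

```python
import os
import stat

R, W, X = 4, 2, 1  # permission bits within one rwx triplet

def perm_class(st, uid, gids):
    """Return the single triplet the kernel consults; first match wins."""
    if uid == st.st_uid:
        return "owner"
    if st.st_gid in gids:
        return "group"
    return "other"

def granted(st, uid, gids, want):
    """True if the selected triplet contains every bit in `want` (non-root)."""
    shift = {"owner": 6, "group": 3, "other": 0}[perm_class(st, uid, gids)]
    bits = (stat.S_IMODE(st.st_mode) >> shift) & 7
    return bits & want == want

def can_fopen_wplus(directory, name, uid, gids):
    """Model fopen(path, "w+") on an existing file: x on the directory,
    then read AND write on the file, since "w+" means O_RDWR."""
    d = os.stat(directory)
    if not granted(d, uid, gids, X):
        return (False, f"{directory}: no x for {perm_class(d, uid, gids)}")
    path = os.path.join(directory, name)
    f = os.stat(path)
    if not granted(f, uid, gids, R | W):
        return (False, f"{path}: no rw for {perm_class(f, uid, gids)}")
    return (True, f"{path}: rw via {perm_class(f, uid, gids)}")

def current_credentials():
    """Credentials the kernel uses for this process. The supplementary group
    list is whatever was installed with setgroups()/initgroups(), usually at
    startup; /etc/group is not re-read on each file access."""
    return os.geteuid(), {os.getegid(), *os.getgroups()}

if __name__ == "__main__":
    import tempfile
    # Constructed layout: rw/ is 0770, netsaint.cmd is a 0660 FIFO.
    rw = tempfile.mkdtemp()
    fifo = os.path.join(rw, "netsaint.cmd")
    os.mkfifo(fifo)
    os.chmod(rw, 0o770)
    os.chmod(fifo, 0o660)
    print(can_fopen_wplus(rw, "netsaint.cmd", *current_credentials()))
```

Passing the uid and group set reported from inside the CGI process (rather than what /etc/group lists) shows which triplet is actually being applied to it.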