Date: Thu, 31 May 2001 03:31:02 -0400 (EDT)
From: "Dan Mahoney, System Admin"
To: Mark Sergeant
Cc: questions@FreeBSD.ORG
Subject: Re: Setuid Shell/Perl scripts

On 31 May 2001, Mark Sergeant wrote:

> Why not configure sudo so you can run command as user (nobody whatever web
> server runs as) without requiring a password.

Lessee, I give the webserver access to "kill" as root...unrestricted, so
that a user can upload a cgi that does 'kill -9 1'...

Although I assume the more sensible approach would probably be to give
the webserver access to the "restart radius" command (which is really just
a shell script that finds the PIDs and HUPs them).

But my point is that I'm looking to migrate things more or less
seamlessly. We're upgrading FreeBSD for binary compatibility with some
software that's not available in source form, I'd rather just upgrade,
deal with fixing sendmail and whatever moves, instead of fixing everything
that will break that worked fine (and relatively securely) before.

-Dan

>
>
> On Thu, 31 May 2001 03:12:01 -0400 (EDT), Dan Mahoney, System Admin said:
>
> :: I've noticed that recently FreeBSD made it so that setuid shell and perl
> :: scripts no longer work, and while I can compile a wrapper for some of the
> :: applications, I'd like to know if there's any way to turn this
> :: "feature" back off. I'm planning to upgrade my servers from 3.2-R to
> :: 4.3-R, and the systems are secure (no users have shell access, other than
> :: admins), but a lot of the web scripting relies on setuid scripts (for
> :: example, scripts that allow our users to modify our radius entries, or our
> :: web-editor, or even our change-your-password-via-the-web interface).
> ::
> :: Thanks in Advance, please CC any messages regarding this to me, I'm not
> :: subscribed.
> ::
> :: -Dan Mahoney
> ::
> :: --
> ::
> :: "Happy, Sad, Happy, Sad, Happy, Sad, Happy, Intrigued! I've never been so
> :: in touch with my emotions!"
> ::
> :: -AndrAIa as Hexadecimal, Reboot Episode 3.2.3
> ::
> :: --------Dan Mahoney--------
> :: Techie, Sysadmin, WebGeek
> :: Gushi on efnet/undernet IRC
> :: ICQ: 13735144 AIM: LarpGM
> :: Web: http://prime.gushi.org
> :: finger danm@prime.gushi.org
> :: for pgp public key and tel#
> :: ---------------------------
> ::
> :: To Unsubscribe: send mail to majordomo@FreeBSD.org
> :: with "unsubscribe freebsd-questions" in the body of the message
> ::
>

--

"She's been getting attacked by these leeches, they're leaving these marks
all over her neck. You gotta keep her out of those woods. If one more
leech gets her, she's gonna get a smack."

-Someone's Mother, December 18th, 1998

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Web: http://prime.gushi.org
finger danm@prime.gushi.org
for pgp public key and tel#
---------------------------
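
Added example, not part of the original message or of FreeBSD: a sketch of the compiled-wrapper approach mentioned in the thread, narrowed to the single "restart radius" action rather than general access to kill. The action name, the script path and the PATH value are assumptions chosen for illustration.

```c
/* Minimal setuid wrapper sketch: the caller picks an action by name only. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct action { const char *name; const char *path; };

/* Hypothetical allow-list: the only programs this wrapper will ever exec. */
static const struct action ACTIONS[] = {
    { "restart-radius", "/usr/local/sbin/restart-radius" },
};

/* Fixed environment: nothing set by the CGI caller reaches the script. */
static char *const CLEAN_ENV[] = { "PATH=/bin:/usr/bin:/sbin:/usr/sbin", NULL };

/* Return the absolute path for an exactly matching action name, or NULL. */
const char *lookup_action(const char *name)
{
    size_t i;

    if (name == NULL)
        return NULL;
    for (i = 0; i < sizeof(ACTIONS) / sizeof(ACTIONS[0]); i++)
        if (strcmp(name, ACTIONS[i].name) == 0)
            return ACTIONS[i].path;
    return NULL;
}

int main(int argc, char **argv)
{
    const char *path;
    char *child_argv[2];

    /* Exactly one argument, and it must be on the allow-list. */
    if (argc != 2 || (path = lookup_action(argv[1])) == NULL) {
        fprintf(stderr, "usage: wrapper <action>\n");
        return 64;
    }
    /* Set the real ids to the effective ids: some shells reset the
     * effective id when the two differ. */
    if (setgid(getegid()) != 0 || setuid(geteuid()) != 0) {
        perror("setuid");
        return 71;
    }
    child_argv[0] = (char *)path;
    child_argv[1] = NULL;
    execve(path, child_argv, CLEAN_ENV); /* no shell, no caller args or env */
    perror("execve");
    return 71;
}
```

The script the wrapper executes has to be owned by root and not writable by the web server user, otherwise the allow-list protects nothing.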