Home > Archive > PERL CGI Beginners > December 2004 > suEXEC or something like it
| Author |
suEXEC or something like it
| Jeff Herbeck 2004-12-07, 3:55 am |
| Hello,
I am trying to write a set of scripts that will allow multiple users
to log in via one generic login url (htaccess) and once they are in
they can use forms to type in a url of a file on the internet, the
scripts will get that file and put it into their personal webspace on
the local server and make it available via http://servername/username.
I have the login and the $remote_user variable shows their username
that they logged in with. I want them to own their home directory for
security purposes, but if I use getstore, it will only work if the
directory it is saving to is owned by 'www'. I have looked into
suEXEC, but that doesn't seem to fit my needs being that it must be in
a virtual host or a public_html directory. Does anyone have any idea
how I can do this?
| |
| Lawrence Statton 2004-12-07, 3:55 am |
| > Hello,
>
> I am trying to write a set of scripts that will allow multiple users
> to log in via one generic login url (htaccess) and once they are in
> they can use forms to type in a url of a file on the internet, the
> scripts will get that file and put it into their personal webspace on
> the local server and make it available via http://servername/username.
> I have the login and the $remote_user variable shows their username
> that they logged in with. I want them to own their home directory for
> security purposes, but if I use getstore, it will only work if the
> directory it is saving to is owned by 'www'. I have looked into
> suEXEC, but that doesn't seem to fit my needs being that it must be in
> a virtual host or a public_html directory. Does anyone have any idea
> how I can do this?
>
First easiest solution: Have you tried playing with groups? Have the
per-user directories owned by the same group that the webserver runs
as ( I run my apache as apache:apache ) and chmod 664 ...

Before doing that - run a test LWP program to see if getstore checks
permissions on the target directory itself, or relies on the
underlying filesystem calls to fail?

Second much more complex, sexy, all-singing/all-dancing solution:

Rather than give apache permission to write all over (even parts of)
the filesystem, delegate that task to some OTHER script. (This is
just my personal bias: Any time the webserver has to create a file
somewhere in the file system, I feel I have inadequately designed my
data.)

The CGI program creates a file (or database, if that is your nature)
with a list of files awaiting transfer. Some OTHER (smaller, more
easily provable correct) process, owned by a more powerful user (or
belonging to a more powerful group) actually does the heavy lifting
with getstore().

Doing it with files (and locking) is Educational, but painful to
test/debug. Doing it with a database is easier, *IF* you already have
climbed the anthill of setting up a database on the machine.
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Lawrence Statton - lawrenabae@abaluon.abaom s/aba/c/g
Computer software consists of only two components: ones and
zeros, in roughly equal proportions. All that is required is to
sort them into the correct order.
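
The two-process design from the post above, as an added example that is not part of the original thread or the poster's own code: a small worker, started as root, that drains a queue written by the CGI script and fetches each file after switching to the target user, so the web server never writes into user directories. The queue path, the web root and the "username<TAB>url" line format are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: queue worker, meant to be started as root (e.g. from cron).
# Hypothetical names: QUEUE, WEBROOT, and the "username<TAB>url" line format.
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Basename qw(basename);
use LWP::Simple qw(getstore is_success);
use POSIX ();
use URI;

use constant QUEUE   => '/var/spool/fetchq/pending';    # appended to by the CGI
use constant WEBROOT => '/srv/userweb';                 # one directory per user

# Read and empty the queue under an exclusive lock (the CGI must flock it too).
sub take_jobs {
    open my $fh, '+<', QUEUE or die "open queue: $!";
    flock $fh, LOCK_EX or die "lock queue: $!";
    chomp( my @lines = <$fh> );
    truncate $fh, 0 or die "truncate queue: $!";
    close $fh;
    return @lines;
}

# Return the path a job may write to, or undef if the job is not acceptable.
sub target_for {
    my ( $user, $url ) = @_;
    return unless defined $user && defined $url && $user =~ /\A[a-z][a-z0-9_]{0,31}\z/;
    my $uri = URI->new($url);
    return unless ( $uri->scheme || '' ) =~ /\Ahttps?\z/;
    my $name = basename( $uri->path );
    return unless $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/;    # no dotfiles, no ".."
    return WEBROOT . "/$user/$name";
}

for my $line ( take_jobs() ) {
    my ( $user, $url ) = split /\t/, $line, 2;
    my $file = target_for( $user, $url ) or do { warn "rejected: $line\n"; next };
    my ( $uid, $gid ) = ( getpwnam($user) )[ 2, 3 ];
    ( defined $uid && $uid > 0 ) or do { warn "no such user: $user\n"; next };
    defined( my $pid = fork ) or die "fork: $!";
    if ( $pid == 0 ) {    # child: become the user before touching their directory
        $) = "$gid $gid";
        POSIX::setgid($gid) && POSIX::setuid($uid) or die "drop privileges: $!";
        exit( is_success( getstore( $url, $file ) ) ? 0 : 1 );
    }
    waitpid $pid, 0;
    warn "fetch failed for $user: $url\n" if $?;
}
```

Because the write happens in a child that has already switched to the user's uid and gid, the stored file is owned by that user and a symlink planted in the directory cannot redirect a root-owned write.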
| |
| Lawrence Statton 2004-12-07, 3:55 am |
| >
> First easiest solution: Have you tried playing with groups? Have the
> per-user directories owned by the same group that the webserver runs
> as ( I run my apache as apache:apache ) and chmod 664 ...
>
> Before doing that - run a test LWP program to see if getstore checks
> permissions on the target directory itself, or relies on the
> underlying filesystem calls to fail?
Yeah -- I think groups is the easiest way to do it ... here's how I tested.
1) Create a new user and group to hold the test program
# useradd -g testuser -c'Test User' .... testuser
2) Create a directory to simulate the per-user directory
# mkdir -p /tmp/users/homer
3) set permissions and ownership on that test directory
# chown homer:testuser /tmp/users/homer
# chmod 775 /tmp/users/homer
(Note I made a mistake in my earlier email .. 664 is a Bad Idea for
directories .. my bad)
4) Become testuser
# su testuser
% whoami
testuser
% groups
testuser
% perl /tmp/getstore.pl
200 at getstore.pl line 11.
5) Celebrate success!
.......................... BEGIN PERL PROGRAM ...........................
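#!/usr/bin/perl
use strict;
use warnings;
use LWP::Simple;

use constant URL => 'http://cluon.com/lawrence/index.en.html';
use constant FILE => '/tmp/users/homer/index.html';

# getstore() returns the HTTP status code, which is always a true value,
# so "|| die" never fires; test the code with is_success() instead.
warn my $status = getstore( URL, FILE );
die "Could not get the file" unless is_success($status);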
........................... END PERL PROGRAM ............................
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Lawrence Statton - lawrenabae@abaluon.abaom s/aba/c/g
Computer software consists of only two components: ones and
zeros, in roughly equal proportions. All that is required is to
sort them into the correct order.