[WM] WebMake CGI and setuid

Justin Mason jm at jmason.org
Tue Jan 6 23:00:04 GMT 2004 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Matt Okeson-Harlow writes:
>a little stumped here...
>
>webmake.cgi will open the the .wmk file, i can browse to the files, edit one, click on save and then:
>
>Warning: This site can only be edited by authenticated users.
>
>am i missing something here?  do you HAVE to use CVS with the webmake.cgi?
>i am authenticating using .htaccess
>up until i hit save, it says i am logged in as the user i auth'ed as.

That error shouldn't be affected by use (or not) of CVS; it appears if
the htaccess user-authentication has not taken place.

Is there a possibility it's going to a URL that is *not* under the
htaccess' "user auth required" realm?

- --j.

>webmake 2.4 
>
>ii  apache         1.3.29.0.1-3   Versatile, high-performance HTTP server
>ii  apache-common  1.3.29.0.1-3   Support files for all Apache webservers
>ii  apache-utils   1.3.29.0.1-3   Utility programs for webservers
>ii  apachetop      0.7-3          Realtime Apache monitoring tool
>ii  libapache-mod- 1.27-4         Integration of perl with the Apache web serv
>
>Debian GNU/Linux testing/unstable
>
>This is perl, v5.8.2 built for i386-linux-thread-multi
>
>On Fri, Jan 02, 2004 at 08:02:28PM -0800, Justin Mason wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> 
>> 
>> Wes Meltzer writes:
>> > Hey all.
>> > 
>> > I have an interesting question for you: I want to run the WebMake CGI on
>> > my virtual host server (my ISP's system).
>> > 
>> > What do I need to do to get the CGI to be able to actually write files
>> > out? 
>> > 
>> > I've always had trouble on my own computer with this, and have solved
>> > the problem by using 777 permissions on that directory, but that's
>> > because my web server's only running on my laptop when I need it to be
>> > and it can be pretty secure as a result.
>> > 
>> > Should I be running WebMake setuid as the webserver, or something like
>> > that? Do I need to put it in a specific place?
>> 
>> Hi Wes --
>> 
>> I generally make sure that the files and directories webmake will be 
>> writing to, are writable by the user it will run as, and that the
>> files and dirs it's reading are readable by same.
>> 
>> It doesn't really then matter who it runs as ;)
>> 
>> If you edit all the stuff via the CGI, you can just make sure it's
>> writable by *just* the CGI user.  That's easy.
>> 
>> Alternatively, if you want to be able to edit as yourself *and* the CGI
>> user, then making them writable by both users is a better idea; I've made
>> a WM site writable by several users in the past by making both users share
>> a UNIX group, chgrp the existing files and dirs to be owned by that group,
>> and set g+s permissions on the dirs so that new files/dirs use that group.
>> A bit messy though.
>> 
>> Another solution is the "suexec" wrapper that Apache uses, which
>> ensures that CGIs run as your own userid.  Most largeish virtual
>> host providers use this, so that's most likely.
>> 
>> - --j.
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.2.2 (GNU/Linux)
>> Comment: Exmh CVS
>> 
>> iD8DBQE/9j7TQTcbUG5Y7woRAq/ZAJ4klrf9RAV4iQyhqIU1ntSonO7LIQCeIx46
>> 41ZzwoACNh/dujkHOkv0uhs=
>> =tnrz
>> -----END PGP SIGNATURE-----
>> 
>> _______________________________________________
>> Webmake-talk mailing list
>> Webmake-talk at taint.org
>> http://webmake.taint.org/mailman/listinfo/webmake-talk
>
>-- 
>matt okeson-harlow
>mharlow at grephead dot com
>_______________________________________________
>Webmake-talk mailing list
>Webmake-talk at taint.org
>http://webmake.taint.org/mailman/listinfo/webmake-talk
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Exmh CVS

iD8DBQE/+z3hQTcbUG5Y7woRAobvAJsF5G7aWoCKqWWvTPeiZmMXM4soIwCfc6U3
jQMyD58ceUB4bXzNxb6gjYA=
=f6Jw
-----END PGP SIGNATURE-----

More information about the Webmake-talk mailing list