From time to time someone asks on Cherokee’s mailing list how to run a CGI as a different user than the one running Cherokee.
It’s a problem, because once Cherokee has dropped privileges and is running as, let’s say, the www-data user, it can’t run the CGI as a different user: only root can do that.
This morning I thought about SUID executables, which, thanks to a special bit in the file system, can be executed as a different user without being root. For example:
$ cp /usr/bin/id myid
$ sudo chown nobody:nobody myid
$ sudo chmod +s myid
$ ./myid
uid=500(reidrac) gid=500(reidrac) euid=99(nobody) egid=99(nobody) grupos=11(cdrom),63(audio),500(reidrac) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Thanks to the SUID bit I’m running the id executable as a different user (nobody in this case), and I don’t need to be root.
This can be an obvious security problem, so most UNIX systems don’t allow SUID scripts to run.
But anyway, it would be interesting to have a tool that allows a user to run a set of commands as a different user (yes, you got it: SUDO), so I wrote a small tool to do it: suidexec (yes, I know it’s not a great name).
I’ve used GLib to parse a configuration file that provides a simple ACL mechanism, and it can be used as easily as:
- Copy the tool under a different name, for example: suidexec_cgi.
- Set up the file system permissions: chown nobody:nobody suidexec_cgi && chmod +s suidexec_cgi.
- Edit /etc/suidexec.conf to allow www-data to run your CGI:
  [suidexec_cgi]
  commands = /var/www/cgi/mycgi.pl
  www-data = true
- Configure Cherokee to run the CGI wrapped in suidexec: suidexec_cgi /var/www/cgi/mycgi.pl -- extra_argument.
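To make the steps above concrete, here is an added example of what such a wrapper looks like in C. It is not the suidexec code from this post (which uses GLib); it is a small stand-alone rewrite of the same idea so the checks a SUID wrapper has to make are visible. It assumes the config path /etc/suidexec.conf and the section name convention from the post (the section is the wrapper's own file name, e.g. suidexec_cgi), and it assumes that several commands in the commands key are separated by ';', which the post does not specify. The LD_*, PERL5OPT and PERLLIB filtering at the end is my own precaution, not something the post describes.

```c
/* Added example, not the suidexec code from the post: a minimal SUID wrapper
 * that reads the post's config format, checks the *calling* user and the exact
 * command path against an allow-list, then drops to the target user and execs.
 * Assumed: config at /etc/suidexec.conf, [section] == wrapper file name, ';' lists. */
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_ENTRIES 16
#define CONF_PATH "/etc/suidexec.conf"
extern char **environ;

struct acl {
    char commands[MAX_ENTRIES][256]; /* absolute paths that may be run */
    char users[MAX_ENTRIES][64];     /* user names configured as "<user> = true" */
    int ncmds, nusers;
};

/* Strip leading and trailing whitespace in place; returns the new start. */
static char *trim(char *s)
{
    while (*s == ' ' || *s == '\t') s++;
    for (char *e = s + strlen(s); e > s && (e[-1] == ' ' || e[-1] == '\t' || e[-1] == '\r'); e--)
        e[-1] = '\0';
    return s;
}

/* Parse the "[section]" block of `text` into `out`; returns 1 if it exists. */
int parse_acl(const char *text, const char *section, struct acl *out)
{
    char *copy = strdup(text), *save = NULL;
    int in_section = 0, found = 0;
    if (!copy) return 0;
    memset(out, 0, sizeof *out);
    for (char *l = strtok_r(copy, "\n", &save); l; l = strtok_r(NULL, "\n", &save)) {
        char *eq, *key, *val, *end;
        l = trim(l);
        if (*l == '\0' || *l == '#') continue;
        if (*l == '[' && (end = strchr(l, ']'))) {    /* "[name]" header */
            *end = '\0';
            in_section = strcmp(l + 1, section) == 0;
            found |= in_section;
            continue;
        }
        if (!in_section || !(eq = strchr(l, '='))) continue;
        *eq = '\0';
        key = trim(l), val = trim(eq + 1);
        if (strcmp(key, "commands") == 0) {           /* assumed ';'-separated list */
            char *s2 = NULL;
            for (char *c = strtok_r(val, ";", &s2); c && out->ncmds < MAX_ENTRIES; c = strtok_r(NULL, ";", &s2))
                snprintf(out->commands[out->ncmds++], sizeof out->commands[0], "%s", trim(c));
        } else if (strcmp(val, "true") == 0 && out->nusers < MAX_ENTRIES) {
            snprintf(out->users[out->nusers++], sizeof out->users[0], "%s", key);
        }
    }
    free(copy);
    return found;
}

/* The invoking user must be listed and the command must equal an allowed
 * absolute path exactly: no basename, prefix or relative-path matching. */
int acl_allows(const struct acl *a, const char *user, const char *command)
{
    int user_ok = 0, cmd_ok = 0;
    if (command[0] != '/') return 0;
    for (int i = 0; i < a->nusers; i++) user_ok |= strcmp(a->users[i], user) == 0;
    for (int i = 0; i < a->ncmds; i++) cmd_ok |= strcmp(a->commands[i], command) == 0;
    return user_ok && cmd_ok;
}

int main(int argc, char **argv)
{
    static char conf[8192]; struct acl acl;
    char *env[256], **args = argv + 1; int n = 0;
    if (argc < 2) { fprintf(stderr, "usage: %s /abs/command [-- args]\n", argv[0]); return 2; }
    const char *slash = strrchr(argv[0], '/');
    const char *section = slash ? slash + 1 : argv[0];   /* e.g. "suidexec_cgi" */
    struct passwd *pw = getpwuid(getuid());              /* real uid = who invoked us */
    FILE *f = fopen(CONF_PATH, "r");
    if (!pw || !f) { perror("suidexec"); return 1; }
    conf[fread(conf, 1, sizeof conf - 1, f)] = '\0';
    fclose(f);
    if (!parse_acl(conf, section, &acl) || !acl_allows(&acl, pw->pw_name, argv[1])) {
        fprintf(stderr, "%s: %s may not run %s\n", section, pw->pw_name, argv[1]);
        return 1;
    }
    /* Become the target user for good: with a non-root euid, setuid() sets the
     * real, effective and saved uid, so the CGI cannot switch back to the caller. */
    if (setgid(getegid()) != 0 || setuid(geteuid()) != 0) { perror("setuid"); return 1; }
    if (argc > 2 && strcmp(argv[2], "--") == 0) { argv[2] = argv[1]; args = argv + 2; } /* drop "--" */
    /* Pass the CGI variables through, minus loader/interpreter overrides the caller could use. */
    for (char **e = environ; *e && n < 255; e++)
        if (strncmp(*e, "LD_", 3) && strncmp(*e, "PERL5OPT=", 9) && strncmp(*e, "PERLLIB=", 8)) env[n++] = *e;
    env[n] = NULL;
    execve(argv[1], args, env);
    perror("execve"); return 1;
}
```

Two design points worth noticing: the ACL is checked against the real uid (getuid), i.e. the user Cherokee runs as, never the effective one, and the command has to match an allowed absolute path byte for byte, so a caller cannot sneak in a relative path or a different file with the same basename. After that the wrapper calls setuid(geteuid()) so the CGI ends up with all three uids set to the target user. The binary is installed exactly as the post describes: chown nobody:nobody, then chmod +s.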
I don’t know if it’s a good idea (it’s kind of reinventing the wheel), but it’s easier to set up than SUDO and maybe it’ll be useful for someone.
