Apache write permission issues to another user owned directory
Hi
I am trying to make a web program which is command line equivalent. i have done the coding in cgi program in perl and html for basic forms to take inputs. when i ran the program from web application i see permission denied messages. after analyzing i found apache is running as wwwrun which does not have access to /mydirectory
/mydirectory is owned by user "prd", i changed /etc/apache2/uid.conf as below and restarted apache and everything works perfect
My concern - Executing apache process as prd which is sudo user is smelling fishy and alternately i dont want to add wwwrun to prd group giving access to all wwwrun process
Any recommendations is highly appreciated - thank you
I need to find all the files that have group Read or Write permission or files that have user write permission.
This is what I have so far:
find . -exec ls -l {} \; | awk '/-...rw..w./ {print $1 " " $3 " " $4 " " $9}'
It shows me all files where group read = true, group write = true... (5 Replies)
Hi,
The requirement is like,
the program needs 2 argument one is user_id and second one is directory path. My script will check if that user_id has write access to the directory path. The directory path may be in any file system like AFS or NFS.
Can any one please suggest some points to... (1 Reply)
is is possible to grant user access to only one subdirectory? example
a. create ftp user with read/write/delete access (ftp user doesnt belong to uguys group)
$ cd /etc/mydir
$ls
file1 file2
$ls -al
-rw-rw-r-x 2 unixguy uguys 96 Dec 8 12:53 file1
-rw-rw-r-x 2 unixguy uguys 96 Dec 8... (1 Reply)
I've tried to figure this out.
I'm only about 6 mos into my AIX admin duties, but I've got a "security" problem I can't figure out.
I've created a sub directory as follows:
drwx------ 2 root system 256 Apr 13 16:02 mike
I've logged in another session with the following user:
$ id... (2 Replies)
Guys, i wanna get any user files with write permission (on user or group permission) for review but i confuse with -perm parameter.
any body can help me to explain what is that mean?
thank's (1 Reply)
In our project we have several unix scripts that trigger different processes. These scripts write logs to a particular folder 'sesslogs', create output data files in a separate directory called 'datafiles' etc. Usually L1 support team re-run these scripts . We donot want L1 support team to have... (14 Replies)
Hi All,
We have a scenario in production where we want only one user from a group to modify the file. The file is not set to write permission for application manager.
-r--r--r-- 1 amgr u00 15661716 Aug 30 00:06 DCI.dat
So here amgr will have permission to edit the file. We want a... (10 Replies)
logMsg='Started by '${USER}
LOG_MESSAGE "${logMsg}"
resultCode=$?
if ]; then
return ${resultCode}
fi
touch ${FILELISTPATH}
resultCode=$?
if ]; then
logMsg='failed to create file list:'${FILELISTPATH}
LOG_ERROR "${logMsg}" CUSTOM_PREPROCESS ${FATAL}
... (2 Replies)
I have built a website and I can access and edit the website'files on server via the root user. The current file and directory structures are not changeable. Now I am hiring a webpage designer to help me re-design some pages, I am going to let the designer edit the files directly on the server. So... (5 Replies)
Discussion started by: uwo-g-xw
5 Replies
LEARN ABOUT DEBIAN
gsexec
GSEXEC(8) GridSite Manual GSEXEC(8)NAME
gsexec - Switch user before executing external programs
SYNOPSIS
gsexec [-V]
SUMMARY
gsexec is used by the Apache HTTP Server to switch to another user before executing CGI programs. In order to achieve this, it must run as
root. Since the HTTP daemon normally doesn't run as root, the gsexec executable needs the setuid bit set and must be owned by root. It
should never be writable for any other person than root.
gsexec is based on Apache's suexec, and its behaviour is controlled with the Apache configuration file directives GridSiteExecMethod and
GridSiteUserGroup added to Apache by mod_gridsite(8) Four execution methods are supported: nosetuid, suexec, X509DN and directory, and
these may be set on a per-directory basis within the Apache configuration file.
NOSETUID METHOD
This is the default behaviour, but can also be produced by giving GridSiteExecMethod nosetuid
CGI programs will then be executed without using gsexec, and will run as the Unix user given by the User and Group Apache directives (nor-
mally apache.apache on Red Hat derived systems.)
SUEXEC METHOD
If GridSiteExecMethod suexec is given for this virtual host or directory, then CGI programs will be executed using the user and group given
by the GridSiteUserGroup user group directive, which may also be set on a per-directory basis (unlike suexec's SuexecUserGroup which is
per-server only.) The CGI program must either be owned by root, the Apache user and group specified at gsexec build-time (normally
apache.apache) or by the user and group given with the GridSiteUserGroup directive.
X509DN METHOD
If GridSiteExecMethod X509DN is given, then the CGI program runs as a pool user, detemined using lock files in the exec mapping directory
chosen as build time of gsexec. The pool user is chosen according to the client's full certificate X.509 DN (ie with any trailing GSI
proxy name components stripped off.) Subsequent requests by the same X.509 identity will be mapped to the same pool user. The CGI program
must either be owned by root, the Apache user and group specified at gsexec build-time (normally apache.apache) or by the pool user
selected.
DIRECTORY METHOD
If GridSiteExecMethod directory is given, then the CGI program runs as a pool user chosen according to the directory in which the CGI is
located: all CGIs in that directory run as the same pool user. The CGI program must either be owned by root, the Apache user and group
specified at gsexec build-time (normally apache.apache) or by the pool user selected.
EXECMAPDIR
The default exec mapping directory is /var/www/execmapdir and this is fixed when the gsexec executable is built. The exec mapping directory
and all of its lock files must be owned and only writable by root. To initialise the lock files, create an empty lock file for each pool
user, with the pool username as the filename (eg user0001, user0002, ...) As the pool users are leased to X.509 identities or directories,
they will become hard linked to lock files with the URL-encoded X.509 DN or full directory path.
You can recycle pool users by removing the corresponding URL-encoded hard link. stat(1) and ls(1) with option -i can be used to print the
inodes of lock files to match up the hard links.
However, you must ensure that all files and processes owned by the pool user are deleted before recycling!
OPTIONS -V If you are root, this option displays the compile options of gsexec. For security reasons all configuration options are changeable
only at compile time.
MORE INFORMATION
For further information about the concepts and the security model of the original Apache suexec please refer to the suexec documentation:
http://httpd.apache.org/docs-2.0/suexec.html
For examples using the gsexec extensions, please see the GridSite gsexec page:
http://www.gridsite.org/wiki/Gsexec
AUTHORS
Apache project, for original suexec
Andrew McNab <Andrew.McNab@manchester.ac.uk> for gsexec modifications.
gsexec is part of GridSite: http://www.gridsite.org/
SEE ALSO httpd(8), suexec(8), mod_gridsite(8)gsexec October 2005 GSEXEC(8)