|
|
Sponsored Content
Special Forums
Cybersecurity
Run CGI As User..?
Post 7713 by solvman on Monday 1st of October 2001 01:51:09 AM
10-01-2001
CGI reply
Hi,
If your CGI scripts dont have any security holes (you have to check this first). Then just give execute access to all(everybody). It should work. You might also check with read access. But i'm not sure is it secure or not.
Good luck.
If your CGI scripts dont have any security holes (you have to check this first). Then just give execute access to all(everybody). It should work. You might also check with read access. But i'm not sure is it secure or not.
Good luck.
|
|
10 More Discussions You Might Find Interesting
1. UNIX for Advanced & Expert Users
Hello All (yes I mean you):
I'm a self taught programmer, so please bear with me and my ignorance.
What I Am Trying To Do:
I am attempting to create a user (and all the accompanying attributes like a home directory, entry in the passwd file, disk quota allotment and skel selection for a... (1 Reply)
Discussion started by: gfoxjr
1 Replies
2. UNIX for Dummies Questions & Answers
Hi,
I'm developing a system which requires me to run a ksh script from within a cgi script. What sort of syntax will I need to do this, I'm sure it's simple but can't find out how anywhere!
Thanks. (2 Replies)
Discussion started by: hodges
2 Replies
3. Shell Programming and Scripting
All,
I would like to run a cgi script in cygwin which i have installed in WinXP.
My CYGWIN directory structure is
/var/www/
drwxrwx---+ 2 user Users 0 Nov 23 16:24 cgi-bin
drwxrwx---+ 3 user Users 0 Oct 22 17:21 htdocs
drwxrwx---+ 3 user Users 0 Oct 22 17:22 icons
and another... (1 Reply)
Discussion started by: jambesh
1 Replies
4. Web Development
Hi,
I am trying to create a web interface with Perl CGI with 2 pages. The content of these pages is dependent on the user accessing it. Thus, I need some kind of authentication to identify WHO is logging in but I DO NOT WANT to be restricting the pages to a few.
What is the best way to prompt... (8 Replies)
Discussion started by: garric
8 Replies
5. Shell Programming and Scripting
Hi guys,
got a problem with a perl cgi script over here. I need it to run a system command to get the status of a process. Unfortunately the process is owned by a specific user and only this user can get its status. So i tried running the command from the perl cgi with "su", but then i get the... (12 Replies)
Discussion started by: polki
12 Replies
6. Homework & Coursework Questions
Use and complete the template provided. The entire template must be completed. If you don't, your post may be deleted!
1. The problem statement, all variables and given/known data:
This is a problem I am having with my 2 semester senior project. I have a LAMP server running Ubuntu 9.10 with... (8 Replies)
Discussion started by: JMooney5115
8 Replies
7. Shell Programming and Scripting
Hi
I am Run Perl CGI Script. In which i am running SCP Command. But I want that command to be run into background and exit the script. But Still Web page waiting for Finish the script.
I m doing like :
system ("scp -r machinename:/path/to/file/for/copy/ /path/for/ destination/directory/ &");... (3 Replies)
Discussion started by: Navrattan Bansa
3 Replies
8. UNIX for Beginners Questions & Answers
Hi
I have written a script and I want it to be run from web with the help of CGI. can you please guide me .
below script is working fine if run from backend but not sure how I should run through web.
#!/bin/bash
string1=look
string2=0
string3=.sdn.dnb
echo -n "enter... (3 Replies)
Discussion started by: scriptor
3 Replies
9. Shell Programming and Scripting
Hi everyone,
I want to kill process through the web, so I create html page with single bottom that run kill command in shell script with CGI.
Here is html code:
<td><form METHOD="GET" action="http://IP:port/cgi_bin/script.cgi" > <input type="submit" value= "Submit" > <INPUT name="q"... (7 Replies)
Discussion started by: indeed_1
7 Replies
10. UNIX for Beginners Questions & Answers
Hello,
I want to run this script on my CentOS 6 via browser :
________________________________________________________________________________________________
#!/bin/sh
echo Username?
read MY_NAME
echo Provisional file name?
read MY_FILE
echo File NAME you want to save?
read MY_FILE2... (16 Replies)
Discussion started by: juta2020
16 Replies
LEARN ABOUT OPENSOLARIS
httpd_selinux
httpd_selinux(8) httpd Selinux Policy documentation httpd_selinux(8) NAME
httpd_selinux - Security Enhanced Linux Policy for the httpd daemon DESCRIPTION
Security-Enhanced Linux secures the httpd server via flexible mandatory access control. FILE_CONTEXTS SELinux requires files to have an extended attribute to define the file type. Policy governs the access daemons have to these files. SELinux httpd policy is very flexible allowing users to setup their web services in as secure a method as possible. The following file contexts types are defined for httpd: httpd_sys_content_t - Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access. httpd_sys_script_exec_t - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. httpd_sys_content_rw_t - Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts and the daemon to read/write the data, and disallow other non sys scripts from access. httpd_sys_content_ra_t - Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts and the daemon to read/append to the file, and disallow other non sys scripts from access. httpd_unconfined_script_exec_t - Set cgi scripts with httpd_unconfined_script_exec_t to allow them to run without any SELinux protection. This should only be used for a very complex httpd scripts, after exhausting all other options. It is better to use this script rather than turning off SELinux protection for httpd. NOTE
With certain policies you can define additional file contexts based on roles like user or staff. httpd_user_script_exec_t can be defined where it would only have access to "user" contexts. SHARING FILES
If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and pub- lic_content_rw_t. These context allow any of the above domains to read the content. If you want a particular domain to write to the pub- lic_content_rw_t domain, you must set the appropriate boolean. allow_DOMAIN_anon_write. So for httpd you would execute: setsebool -P allow_httpd_anon_write=1 or setsebool -P allow_httpd_sys_script_anon_write=1 BOOLEANS
SELinux policy is customizable based on least access required. SELinux can be setup to prevent certain http scripts from working. httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possi- ble. httpd can be setup to allow cgi scripts to be executed, set httpd_enable_cgi to allow this setsebool -P httpd_enable_cgi 1 SELinux policy for httpd can be setup to not allowed to access users home directories. If you want to allow access to users home directo- ries you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir. setsebool -P httpd_enable_homedirs 1 chcon -R -t httpd_sys_content_t ~user/public_html SELinux policy for httpd can be setup to not allow access to the controlling terminal. In most cases this is preferred, because an intruder might be able to use the access to the terminal to gain privileges. But in certain situations httpd needs to prompt for a password to open a certificate file, in these cases, terminal access is required. Set the httpd_tty_comm boolean to allow terminal access. setsebool -P httpd_tty_comm 1 httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/write/exe- cute. Setting this boolean to false allows you to setup the security policy such that one httpd service can not interfere with another. setsebool -P httpd_unified 0 SELinu policy for httpd can be configured to turn on sending email. This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack. I certain situations, you may want http modules to send mail. You can turn on the httpd_send_mail bool- ean. setsebool -P httpd_can_sendmail 1 httpd can be configured to turn off internal scripting (PHP). PHP and other loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts. setsebool -P httpd_builtin_scripting 0 SELinux policy can be setup such that httpd scripts are not allowed to connect out to the network. This would prevent a hacker from break- ing into you httpd server and attacking other machines. If you need scripts to be able to connect you can set the httpd_can_network_con- nect boolean on. setsebool -P httpd_can_network_connect 1 system-config-selinux is a GUI tool available to customize SELinux policy settings. AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>. SEE ALSO
selinux(8), httpd(8), chcon(1), setsebool(8) dwalsh@redhat.com 17 Jan 2005 httpd_selinux(8)