Question about c wrapper for a python cgi project.
Steve Holden
sholden at holdenweb.com
Tue Sep 18 08:58:39 EDT 2001
"Ignacio Vazquez-Abrams" <ignacio at openservices.net> wrote in message
news:mailman.999568444.32037.python-list at python.org...
> On Mon, 3 Sep 2001, Ignacio Vazquez-Abrams wrote:
>
> > On Mon, 3 Sep 2001, Wayne Ringling wrote:
> >
> > > I have been researching a way to somehow run a script in a c wrapper as
> > > root. I have created a python script to alter the password and shadow files
> > > to add, delete, change users for an online community project my group is
> > > working on. Can someone point me to a reference/how to about how I can do
> > > this. I have created a session persistent cookie/database system to monitor
> > > state between pages and login/logout. I just need a way to run the script
> > > as root securely. Or is that just a pipedream? I would love to entertain
> > > any other ideas on how I can do this.
> > >
> > > Wayne
> >
> > You said "run as root" and "securely" in the same sentence relating to CGI.
> > You're funny!
> >
> > There is no way to make it entirely secure, but you can start by getting the
> > script that changes the password OUT of any directory directly-accessible by
> > the web server. Then make a script that verifies EVERYTHING about the
> > information (i.e., minimum uid, length of password, etc.) and then, and _only_
> > then, should you call the other script (which has been made suid root, and
> > possibly sgid root) to do the changes.
>
> My bad. Setting scripts suid/sgid doesn't matter because it only works on
> executables.
>
> Take a look at a little program called sudo which allows execution of any
> program as root.
>
Unfortunately the sudo client program required the user to authenticate
themselves periodically, so it would seem to be unsuitable for CGI use.

It *really* isn't a good idea to be using root-privileged scripts on a web
server, although the advice so far is good. Is there a reason why the web
system must use the same authentication base as the operating system?

If it's all web-based there is no reason to use the password files to
authenticate web users, and then you can move away from root privileges and
run your scripts as some user or group with access to the authentication
database.

regards
 Steve
--
http://www.holdenweb.com/
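
The alternative suggested in the reply above, a web-only authentication database owned by an unprivileged account instead of the system password and shadow files, sketched as an added example that is not part of the original message. The sqlite3 store, table layout, PBKDF2 parameters and the username and password-length policy are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Assumed policy values for this sketch, not taken from the thread.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
MIN_PASSWORD_LEN = 10
PBKDF2_ITERATIONS = 600_000


def open_store(path):
    """Open (or create) the web-only user database. The file only needs to be
    readable and writable by the unprivileged account the CGI runs as."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS users ("
               "name TEXT PRIMARY KEY, salt BLOB NOT NULL, digest BLOB NOT NULL)")
    return db


def _digest(password, salt):
    # Salted, deliberately slow hash; the plaintext password is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def set_password(db, name, password):
    """Validate everything first, then add the user or change the password."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("password too short")
    salt = os.urandom(16)
    with db:  # commits on success, rolls back on error
        db.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?)",
                   (name, salt, _digest(password, salt)))


def delete_user(db, name):
    """Remove a user; returns True if a row was actually deleted."""
    with db:
        return db.execute("DELETE FROM users WHERE name = ?", (name,)).rowcount == 1


def verify(db, name, password):
    """Return True only for a known user with the right password."""
    row = db.execute("SELECT salt, digest FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(digest, _digest(password, salt))
```

Because add, delete and change all go through parameterized queries on a file the CGI account owns, nothing in this path needs root or a setuid wrapper.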