User wrapping (suExec) |
Advanced topics | |
1. Introduction
2. How to do it
1. Introduction
(This is a UNIX only feature).
Depending on how your Web server is setup, you may find
that all the files your scripts write (By using the
saveFile command for example)
are written by someone oddly named 'nobody'. This happens
to CGI scripts, and it's not a problem until you want
to download or upload those files with FTP or you
want to access them with vi.
It is not only annoying, it is also quite dangerous:
other users of the same sever may read, write or even
delete the files your script has written. On top of that
you have to allow your target directory to be written to
by anyone so that 'nobody' can also save the files in there.
That leaves your space open to anyone else having access to the server
to pour tons of data in your space...
This happens because the system administrator has set up
the web server to run as user 'nobody' to minimize security risks.
(I won't elaborate on the pros and cons of that approach)
In other words, when someone on the web fills a form on your
web site, hits [submit] and runs a script, the script is not
run by 'you', but by the web server software acting as user
'nobody'.
The solution to this is to enable user wrapping. You can use things such as CGI-wrap if you want to, but aptilis has a built in mechanism to do the same thing. So that when an aptilis script is run, it runs with the same permissions as it's owner's (yours).
2. How to do it
Setting up aptilis to use the wrapping facility is straightforward,
but you need to have administrator rights to do it. If you don't,
then you'll have to beg him/her to do so. If you are a system administrator
make your mind up when you install aptilis the first time: when users
have thousands of files written by 'nobody', enabling wrapping
will break their scripts, suddenly unable to read the very files
they have written in a former life...
To enable wrapping, the aptilis interpreter should have both
the sUID and the gUID bits set, and it should
belong to user and group 'root'. You do that with the commands:
chown root aptilis.exe chgrp root aptilis.exe chmod 6755 aptilis.exe chown root aptilis-run.exe chgrp root aptilis-run.exe chmod 6755 aptilis-run.exe (The one that runs aptilis p-code) as opposed to: chmod 755 aptilis.exe (to make it a simple executable)Warning: You have to have logged in as root for these to work!
When this has been done, aptilis will run as the user owning the aptilis script. Note that in order to run a script as 'Root', both real user ID and effective user ID AND both real group ID and effective group ID have to be root. In other words, unless your web server is itself running as root -and that's a major security risk, a CGI script can never run as root. To run a script as root you need to do it from the command line having logged in as root.
The way aptilis does things is sure easier to set-up and faster than
CGI-wrap (CGI-wrap is an extra piece of software called by the
web browser. CGI-wrap then calls your script and it's interpreter
with the desired permissions). However, since CGI-wrap is a tad
more fussy on security, you might still want to use it
instead of using the built-in wrapping in aptilis. This is Okay,
just remember to not set the sUID and the gUID bits on the aptilis
file permissions.