
Re: Exim and right permissions for execution of a perl script



On Thu, 2002-08-22 at 10:27, Brian Candler wrote:
> On Thu, Aug 22, 2002 at 09:22:47AM +0300, Patrick J Okui wrote:
> > yep.. the lack of the +x was a typo... (nothing a good night's sleep
> > and a glass of milk couldn't cure :-) )... the sig13 was because the
> > script would die early when it tried to access any directory below
> > db_suite!
> 
> OK, that's a good start. All you need to do is find out exactly what uid/gid
> the script is actually being run as, to find out why it dies.

fixed with a find /home/pokui/db_suite -type d -exec chmod g+rx '{}' ';'

<snip>
> 
> I have a couple of suggestions you can try:
> 
> (1) Set up a separate aliases file for this purpose, with a separate router
> in exim, and use the 'user=' and 'group=' settings to set the permissions
> appropriately (in which case, you can run it as user or group 'bind')
> 
> (2) Use a C wrapper to start your program. Take the attached file, modify it
> as appropriate, compile using
>      gcc -Wall -o wrapper wrapper.c
> Then you can make it suid bind and invoke it from your aliases file.
> 
> I haven't looked at what 'suidperl' can do, but a simple wrapper like this
> is a pretty clean and safe way to do what you want. The downside is you have
> to modify and recompile the wrapper for each different app you want to run
> in this way.
> 
> Regards,

I guess I'll do (1) since I do not expect to run any other script on
this server to do anything *other* than DNS (the server is dedicated)..
rather than IO with c and then with perl for each message and each
script...

Thanks,
Patrick.
> 
> Brian.
> ----
> 
> wrapper.c:
> #include <stdio.h>
> #include <sys/types.h>
> #include <unistd.h>
> 
> int main(void)
> {
> 	/* Fixed, minimal environment: nothing is inherited from the caller. */
> 	char *ENV[] = {
> 		"PATH=/bin:/usr/bin",
> 		"HOME=/var/tmp",
> 		NULL
> 	};
> 
> 	/* Copy effective uid/gid to real uid/gid; gid first, while still privileged.
> 	   Stop if either call fails rather than continue with mixed privileges. */
> 	if (setgid(getegid()) != 0 || setuid(geteuid()) != 0) {
> 		perror("setgid/setuid");
> 		return 1;
> 	}
> 	if (chdir("/var/tmp") != 0) {
> 		perror("chdir");
> 		return 1;
> 	}
> 	/* execle replaces this process; returning from it means it failed. */
> 	execle("/usr/local/bin/testme", "testme", "arg1", "arg2", (char *)NULL, ENV);
> 	perror("execle");
> 	return 1;
> }
> ----
> 
> testme:
> #!/bin/sh
> 
> id
> echo "args: $@"
> echo "env:"
> set
-- 
Patrick J Okui
Systems Administrator
One2Net (U) Ltd
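Suggestion (1) above, spelled out as an added example (not from Brian's or Patrick's mail, and not a copy of any real server's config): an Exim 4 router/transport pair that takes pipe entries from a dedicated aliases file and runs them as user and group bind, so no suid wrapper is needed. The file paths, the router and transport names and the script name are assumptions; the lists it references (`+local_domains`) are the ones in the stock Exim 4 configuration.

```exim
# --- aliases file, /etc/exim/dns_aliases (assumed path) ---
# One pipe entry per script; only this file gets the bind uid/gid.
#   dns-update: |/home/pokui/db_suite/update.pl

# --- routers section: put this before the generic system_aliases router ---
dns_aliases:
  driver = redirect
  domains = +local_domains
  # Entries come only from the dedicated file; the normal aliases stay as they are.
  data = ${lookup{$local_part}lsearch{/etc/exim/dns_aliases}}
  # Nothing but pipe commands we wrote: no file or :include: deliveries.
  forbid_file
  forbid_include
  pipe_transport = dns_pipe
  # Deliveries routed here run as bind, which is what the script needs
  # in order to read /home/pokui/db_suite (chmod g+rx on the directories).
  user = bind
  group = bind
  no_more

# --- transports section ---
dns_pipe:
  driver = pipe
  # Transport settings take precedence over the router's; kept identical here.
  user = bind
  group = bind
  # Fixed, minimal environment for the script: known PATH, HOME and cwd.
  path = /bin:/usr/bin
  home_directory = /var/tmp
  current_directory = /var/tmp
  umask = 077
  # Return the script's output to the sender only when it exits non-zero,
  # so a permission error is reported instead of silently lost.
  return_fail_output
  timeout = 60s
```

Check the result with `exim -bt dns-update@yourdomain` (assumed address), which prints the router and transport chosen; the uid/gid the script actually gets can be confirmed by piping to the `id` test script from the thread.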


-----
This is the afnog mailing list, managed by Majordomo 1.94.5