Re: Exim and right permissions for execution of a perl script
On Thu, 2002-08-22 at 10:27, Brian Candler wrote:
> On Thu, Aug 22, 2002 at 09:22:47AM +0300, Patrick J Okui wrote:
> > yep.. the lack of the +x was a typo... (nothing a good night's sleep
> > and a glass of milk couldn't cure :-) )... the sig13 was because the
> > script would die early when it tried to access any directory below
> > db_suite!
>
> OK, that's a good start. All you need to do is find out exactly what uid/gid
> the script is actually being run as, to find out why it dies.
fixed with a find /home/pokui/db_suite -type d -exec chmod g+rx '{}' ';'
<snip>
>
> I have a couple of suggestions you can try:
>
> (1) Set up a separate aliases file for this purpose, with a separate router
> in exim, and use the 'user=' and 'group=' settings to set the permissions
> appropriately (in which case, you can run it as user or group 'bind')
>
> (2) Use a C wrapper to start your program. Take the attached file, modify it
> as appropriate, compile using
> gcc -Wall -o wrapper wrapper.c
> Then you can make it suid bind and invoke it from your aliases file.
>
> I haven't looked at what 'suidperl' can do, but a simple wrapper like this
> is a pretty clean and safe way to do what you want. The downside is you have
> to modify and recompile the wrapper for each different app you want to run
> in this way.
>
> Regards,
I guess I'll do (1) since I do not expect to run any other script on
this server to do anything *other* than DNS (the server is dedicated)..
rather than IO with C and then with Perl for each message and each
script...
Thanks,
Patrick.
>
> Brian.
> ----
>
> wrapper.c:
> #include <sys/types.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <unistd.h>
>
> int main(void)
> {
> /* fixed, minimal environment handed to the target program */
> char *ENV[] = {
> "PATH=/bin:/usr/bin",
> "HOME=/var/tmp",
> NULL
> };
>
> /* copy effective ugid to real ugid; gid first, since once the uid has
> changed a non-root process can no longer change its gid. If either
> call fails we must not exec, or the target runs with the wrong ids. */
> if (setgid(getegid()) != 0 || setuid(geteuid()) != 0) {
> perror("setgid/setuid");
> return 1;
> }
> if (chdir("/var/tmp") != 0) {
> perror("chdir");
> return 1;
> }
> execle("/usr/local/bin/testme", "testme", "arg1", "arg2", (char *) NULL, ENV);
> perror("execle"); /* only reached if the exec itself failed */
> return 1;
> }
> ----
>
> testme:
> #!/bin/sh
>
> id
> echo "args: $@"
> echo "env:"
> set
--
Patrick J Okui
Systems Administrator
One2Net (U) Ltd
-----
This is the afnog mailing list, managed by Majordomo 1.94.5
To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)
This list is maintained by owner-afnog at afnog.org
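The suid wrapper Brian suggests in (2) stands or falls on the uid/gid change actually taking effect before the exec. The following is an added example (not Brian's wrapper, nor anything from Exim or suidperl) that puts the privilege step in a function which checks the return codes and then re-reads the ids to confirm the change; the target path /usr/local/bin/testme is taken from the thread as a placeholder.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Minimal environment handed to the target; nothing from the caller leaks through. */
static char *const clean_env[] = {
    "PATH=/bin:/usr/bin",
    "HOME=/var/tmp",
    NULL
};

/* Make the effective ids (set by the suid/sgid bits) the real ids as well,
 * then confirm the kernel really did it. Returns 0 on success, -1 otherwise.
 * gid first: once the uid has changed, an unprivileged process can no longer
 * change its gid. The return codes matter: set*id() can fail, and a wrapper
 * that ignores that would exec the target with the caller's ids unchanged. */
int drop_to_effective_ids(void)
{
    gid_t gid = getegid();
    uid_t uid = geteuid();

    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* A zero return is not proof on every platform; re-read and compare. */
    if (getgid() != gid || getegid() != gid || getuid() != uid || geteuid() != uid)
        return -1;
    return 0;
}

/* Exec a fixed program with fixed arguments; the invoker chooses nothing.
 * Returns -1 only if something failed (on success execle never returns). */
int run_fixed_target(const char *path)
{
    if (drop_to_effective_ids() != 0) {
        perror("cannot fix real uid/gid, refusing to exec");
        return -1;
    }
    if (chdir("/var/tmp") != 0) {
        perror("chdir");
        return -1;
    }
    execle(path, "testme", "arg1", "arg2", (char *)NULL, clean_env);
    perror("execle");   /* only reached if the exec itself failed */
    return -1;
}

int main(void)
{
    /* placeholder target from the thread; replace with the real script */
    return run_fixed_target("/usr/local/bin/testme") == 0 ? 0 : 1;
}
```

Run as an ordinary user the id check is a no-op and succeeds; the refusal path only matters once the binary carries a suid or sgid bit.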