SELinux vs BackupPC web interface
Les Mikesell
lesmikesell at gmail.com
Sun Nov 18 21:46:12 UTC 2007
John Summerfield wrote:
>
>>> I take it the script begins
>>> #!/usr/bin/sperl
>>>
>>> Change it to
>>> #!/usr/bin/perl
>>> and see what you see.
>>>
>>
>> No, it begins #!/usr/bin/perl
>> but it needs to run suid to access the backups.
>> [~] 11) l -lZ /var/www/cgi-bin/BackupPC/
>> -rwsr-x--- backuppc apache system_u:object_r:httpd_sys_script_exec_t:s0
>> BackupPC_Admin*
>>
>
> I think your phrase "fix properly" meas you need to learn how to write a
> local policy to allow it.
>
>
>> This same script worked in FC6.
>
> There's been some tension (to my mind at least) between Linux[1] (setuid
> is ignored with scripts)
It is ignored in shell scripts because Linux does not provide the
capability of running them securely (i.e. noticing the setuid status is
not atomic with the file open so you have a race condition where you can
replace the file).
> and perl (stuff Linux, we're going to do setuid
> scripts).
Perl provides its own mechanism for executing setuid perl scripts, but
it is packaged separately in fedora. You have to install the
perl-suidperl package if you want the feature.
> [1] I don't think Linux is alone here.
>
> What I have done, in Debian and without selinux, where I want CGI to do
> root stuff is to authorise it without passwords via sudo,
Is there some reason to think this is better than the methods provided
by apache or perl?
--
Les Mikesell
lesmikesell at gmail.com
More information about the users
mailing list