
In Using Unix Groups For TWiki Security I describe, well, Using Unix Groups For TWiki Security.

Different Security Levels In Same TWiki Installation and Multiple Separate TWiki Installations For Security describe schemes for Using Unix Groups For TWiki Security.

I have encountered one problem:

I am a fairly ordinary user at the company site where I am installing this wiki. I can run cgi scripts, but I don't have root (and don't want it - I could get it if necessary, but then they might expect me to do more sysadmin).

The Apache webserver runs as user=www, group=www. This would be fine for Using Unix Groups For TWiki Security.

Except... user=www was placed in an additional UNIX group that almost all users are in. This is using the BSD-like supplementary groups system. Let's call it group "global".

And, problem, I want all of the files to be readable by members of group global. I do not want to have to create a group which is "everyone in group global, except for the webserver www".

You would think that I could use setgroups to drop the group global from the supplementary group list - but on Linux and SunOS, at least, I cannot do that unless running as root. I could write some setuid root scripts to do this, but the old secure system administrator in me objects to that.

If I had filesystem ACLs I could accomplish this...

But, basically, the problem is that my webserver has been given too much privilege, undoubtedly to make some naive cgi script easier to run, and as a result I cannot make it sufficiently unprivileged to be as secure as I would like it to be.

Advice appreciated, if there's a standard UNIX solution to this that I do not see.

-- AndyGlew - 15 Apr 2003
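
The setgroups limitation described in the post above, as an added example that is not part of the original post: a small C program that tries to remove one GID from its own supplementary group list and reports the errno it gets back. The function names are hypothetical; the assumption is a POSIX system where `setgroups` requires root (`CAP_SETGID` on Linux), so an ordinary user sees `EPERM` and the list stays unchanged.

```c
#define _DEFAULT_SOURCE              /* exposes setgroups() in glibc's <grp.h> */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy `in` to `out`, omitting every entry equal to `drop`; returns the new count. */
size_t filter_groups(const gid_t *in, size_t n, gid_t drop, gid_t *out) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (in[i] != drop)
            out[kept++] = in[i];
    return kept;
}

/* Try to remove `drop` from this process's supplementary groups.
 * Returns 0 on success, otherwise the errno from getgroups/setgroups
 * (EPERM when the caller is not privileged). Hypothetical helper. */
int drop_supplementary_group(gid_t drop) {
    int n = getgroups(0, NULL);      /* size query: returns the group count */
    if (n < 0) return errno;
    gid_t *cur = calloc((size_t)n + 1, sizeof *cur);
    gid_t *want = calloc((size_t)n + 1, sizeof *want);
    int rc = 0;
    if (!cur || !want) {
        rc = ENOMEM;
    } else if ((n = getgroups(n, cur)) < 0) {
        rc = errno;
    } else {
        size_t kept = filter_groups(cur, (size_t)n, drop, want);
        if (setgroups(kept, want) != 0)
            rc = errno;              /* unprivileged caller: EPERM */
    }
    free(cur);
    free(want);
    return rc;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <gid-to-drop>\n", argv[0]); return 2; }
    int rc = drop_supplementary_group((gid_t)strtoul(argv[1], NULL, 10));
    if (rc == 0) puts("group dropped for this process and its children");
    else if (rc == EPERM) puts("setgroups: EPERM (not privileged, group list unchanged)");
    else printf("failed: errno %d\n", rc);
    return rc != 0;
}
```

The primary GID is separate from the supplementary list, so this only affects access granted through supplementary membership such as the "global" group.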

Topic revision: r3 - 2004-01-01 - SvenDowideit
 