On 23 January 1999, Stephan Zegherd <inverter(_at_)nbs(_dot_)it> wrote:
I want to write a small CGI in C (opps.. have some throubles in
Perl..) in order to add/remove on a per-user basis, with a simple
frontend, some rules to .procmailrc.
Every user should logon with username/password, then (un)check some
simple hardwired rules: the cgi then will update the .procmailrc file
in the right user directory.
I knew that I'm a bit off-topic.. but.. in your opinion what is the
best (or, more precilely, safer) solution to get the work done (apache
is running as nobody) ?
IMHO the safer solution is: DON'T. Don't even think about it.
In order to be able to write to an user's .procmailrc, your CGI
would need to be SUID root (or at least it should be called from a
SUID root wrapper, such as suexec). Unless you maintained a dozen
security-sensitive packages on a dozen different platforms for at least
a dozen years (ok, I'm exaggerating, but you got the idea...), this is a
recipe for disaster. Write a nice GUI .procmailrc editor if you must,
but forget about making it a CGI.
Regards,
Liviu Daia
--
Dr. Liviu Daia e-mail: Liviu(_dot_)Daia(_at_)imar(_dot_)ro
Institute of Mathematics web page: http://www.imar.ro/~daia
of the Romanian Academy PGP key: http://www.imar.ro/~daia/daia.asc