Executing C CGI programs that require root privileges?

alcy
31 August 2010, 09:03

Hiawatha version: 7.3
Operating System: Debian Lenny

Hi, is it possible to run C CGI programs that require root privileges under Hiawatha? For example, I have a bunch of C CGI programs that can add system users, read/modify mail queues etc., and they require root privileges to work. These C CGI programs are part of a bigger application that has a mix of Perl CGI scripts and C CGI programs and is basically a server manager.

Currently my setup is to have Apache forwarding such requests to Xitami (which runs on localhost) which handles the requests.

I was trying to do some (bad) guesswork and tried adding CGIextension = cgi in the cgi-wrapper.conf and declaring a Wrap that changes to root's id. But that's probably incorrect.

Any pointers/advice in this regard appreciated. Thanks.

Nicolas de Leon
31 August 2010, 12:09

<code>chown cgiapp root:www-data
chmod u+s cgiapp
chmod ug+x cgiapp
</code>

You may need to add o+x if Hiawatha is not running as part of the www-data group.

The u+s (setuid) bit causes the file to have the privileges of the owning user (in this case root), no matter who executes it. It also represents a huge potential security risk: as the program has privileges, so does anyone who exploits it.

alcy
31 August 2010, 12:43

Thanks Nicolas! But I am not sure if I follow correctly.

The "cgiapp" in question has an architecture like

<code>ls -l /var/cgiapp

drwxr-xr-x 2 root root 48 2009-03-13 19:57 backup
drwxr-xr-x 8 root root 552 2010-08-31 04:43 bin
drwxr-xr-x 22 root root 608 2010-08-31 04:43 cgi
drwxr-xr-x 2 root root 176 2010-08-31 04:43 css
drwxr-xr-x 3 root root 88 2010-08-31 04:43 data
drwxr-xr-x 2 root root 3696 2010-08-31 04:43 error
drwxr-xr-x 12 admin users 480 2010-08-31 04:45 etc
drwxr-xr-x 3 root root 72 2010-08-31 04:43 include
-rwxr-xr-x 1 root root 66298 2009-03-13 19:57 index.cgi
drwxr-xr-x 2 root root 1512 2010-08-31 04:43 js
drwxr-xr-x 10 root root 248 2010-08-31 04:43 ldap
drwxr-xr-x 3 root root 2632 2010-08-31 04:43 lib
drwxr-xr-x 2 root root 224 2010-08-31 11:22 log
drwxr-xr-x 25 root root 680 2010-08-31 04:43 tmpl
drwxr-xr-x 4 root root 816 2010-08-31 13:51 web_server
</code>

So under cgi/ there are, for example, C CGI programs to add system users, read logs, etc. I am not sure about the www-data reference, since I don't want Apache in the picture, only Hiawatha. Also if it helps in explaining my problem better, this "cgiapp" is like Webmin. So there are modules/scripts for doing various things.

Also, since there is (possibly) no way to do such tasks (as adding system users, changing passwords etc.) without root privileges, what could be a good compromise in this situation?

Sorry, if the answers to these questions are obvious, but I'd appreciate if I could get some further insight on this.

alcy
31 August 2010, 13:52

Ah, never mind... my bad! Figured it out, what you were suggesting, Nicolas.

I wonder if there's any other (better) way to go around this. Hiawatha can listen on localhost and Apache can act as a proxy, but then that would probably defeat the purpose altogether.

This topic has been closed.