CGI Script permissions
Jochen Wiedmann
jochen.wiedmann at gmail.com
Fri May 26 06:03:59 UTC 2006
Hi,
I have a CGI script which ought to have some special permissions. In
particular, it ought to invoke a certain command as a certain user. To
achieve that, I have created an entry in the sudoers file, which allows
the httpd user to invoke the command without a password. Now my CGI
script does a
    sudo -u mp /u2/mp/mpbin/mpfak 001
where mp is the special user, mpfak is the necessary command and the
remaining part is the mp program's argument.
However, when the program is invoked, then I see the following message
in syslog:
May 26 07:49:21 fibudbserver kernel: audit(1148622561.696:14): avc:
denied { setrlimit } for pid=31749 comm="sudo"
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:15): avc:
denied { setgid } for pid=31749 comm="sudo" capability=6
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:16): avc:
denied { setuid } for pid=31749 comm="sudo" capability=7
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:17): avc:
denied { search } for pid=31749 comm="sudo" name="/" dev=sda5 ino=2
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:file_t tclass=dir
May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:18): avc:
denied { setgid } for pid=31749 comm="sudo" capability=6
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:19): avc:
denied { setuid } for pid=31749 comm="sudo" capability=7
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
I must admit that I do not even understand whether I ought to change my
script's permissions or the "sudo" program's. I do hesitate to do either.
Can anyone please advise me how to continue? For example, I might as
well invoke sudo from a wrapper script and change that script's
permissions. Question is: How would I do that?
Regards,
Jochen
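
Added example, not part of the original post: a short Python script that parses the AVC denials quoted in the message above and counts them per source type, target type, object class and permission. The log text is copied from the post with the e-mail line wrapping undone; the function names are this example's own.

```python
import re
from collections import Counter

# AVC records copied from the post above, e-mail line wrapping undone.
SAMPLE_LOG = """\
May 26 07:49:21 fibudbserver kernel: audit(1148622561.696:14): avc: denied { setrlimit } for pid=31749 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:15): avc: denied { setgid } for pid=31749 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:16): avc: denied { setuid } for pid=31749 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:17): avc: denied { search } for pid=31749 comm="sudo" name="/" dev=sda5 ino=2 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:file_t tclass=dir
May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:18): avc: denied { setgid } for pid=31749 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:19): avc: denied { setuid } for pid=31749 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
"""

AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"serial": int(m.group("serial")), "perms": m.group("perms").split()}
    # The remaining fields are key=value pairs; values may be double-quoted.
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # An SELinux context here is user:role:type; keep only the type.
        stype = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        for perm in rec["perms"]:
            counts[(stype, ttype, rec["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for (stype, ttype, tclass, perm), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n}x {stype} -> {ttype} : {tclass} {{ {perm} }}")
```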