CGI Script permissions

Jochen Wiedmann jochen.wiedmann at gmail.com
Fri May 26 06:03:59 UTC 2006


Hi,

I have a CGI script which ought to have some special permissions. In
particular, it ought to invoke a certain command as a certain user. To
achieve that, I have created an entry in the sudoers file, which allows
the httpd user to invoke the command without a password. Now my CGI
script does a

    sudo -u mp /u2/mp/mpbin/mpfak 001

where mp is the special user, mpfak is the necessary command and the
remaining part is the mp program's argument.

However, when the program is invoked, then I see the following message
in syslog:

  May 26 07:49:21 fibudbserver kernel: audit(1148622561.696:14): avc: 
denied  { setrlimit } for  pid=31749 comm="sudo"
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
  May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:15): avc: 
denied  { setgid } for  pid=31749 comm="sudo" capability=6
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
  May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:16): avc: 
denied  { setuid } for  pid=31749 comm="sudo" capability=7
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
  May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:17): avc: 
denied  { search } for  pid=31749 comm="sudo" name="/" dev=sda5 ino=2
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:file_t tclass=dir
  May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:18): avc: 
denied  { setgid } for  pid=31749 comm="sudo" capability=6
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability
  May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:19): avc: 
denied  { setuid } for  pid=31749 comm="sudo" capability=7
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=capability

I must admit that I do not even understand whether I ought to change my
script's permissions or the "sudo" program's. I do hesitate to do either.

Can anyone please advise me how to continue? For example, I might as
well invoke sudo from a wrapper script and change that script's
permissions. Question is: How would I do that?


Regards,

Jochen
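As an added example, not part of the original post or of Fedora's own tooling: a small Python parser for AVC records like the ones above that groups denials by source type, target type and object class (the grouping audit2allow performs) and flags the file_t target, which marks an object carrying no label. The sample records are constructed from the post's log, re-joined onto one line per record as the kernel emits them.

```python
import re
from collections import defaultdict

# Constructed sample: the denials from the post, one record per line
# (the kernel logs each record on one line; the mail client wrapped them).
SAMPLE_AVC = """\
May 26 07:49:21 fibudbserver kernel: audit(1148622561.696:14): avc: denied  { setrlimit } for  pid=31749 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:15): avc: denied  { setgid } for  pid=31749 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
May 26 07:49:21 fibudbserver kernel: audit(1148622561.699:16): avc: denied  { setuid } for  pid=31749 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:17): avc: denied  { search } for  pid=31749 comm="sudo" name="/" dev=sda5 ino=2 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:file_t tclass=dir
May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:18): avc: denied  { setgid } for  pid=31749 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
May 26 07:49:21 fibudbserver kernel: audit(1148622561.700:19): avc: denied  { setuid } for  pid=31749 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A context is user:role:type[:level]; policy rules are written on the type.
    return {'perms': m.group('perms').split(), 'comm': f.get('comm'),
            'stype': f['scontext'].split(':')[2],
            'ttype': f['tcontext'].split(':')[2], 'tclass': f['tclass']}

def summarize(log_text):
    """Group denials by (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {k: sorted(v) for k, v in rules.items()}

def te_rules(summary):
    """Render the grouping as policy-language allow rules, for review only."""
    return ["allow %s %s:%s { %s };" % (s, t, c, ' '.join(p))
            for (s, t, c), p in sorted(summary.items())]

def triage_notes(summary):
    """Flag denials that point to a labeling problem rather than a missing rule."""
    notes = []
    for (s, t, c), perms in sorted(summary.items()):
        if t == 'file_t':
            # file_t means the object carries no label at all: relabel the
            # filesystem instead of allowing access to unlabeled objects.
            notes.append("%s on unlabeled %s (file_t): relabel, do not allow" % (s, c))
    return notes
```

Running `te_rules(summarize(SAMPLE_AVC))` collapses the six records into three candidate rules, and `triage_notes` singles out the `search` on `/` as a relabeling issue (the root directory, ino=2, has no label) rather than something to allow.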




More information about the fedora-selinux-list mailing list