From 7bf6a597faf653358d83f6c8ca54843ffc43c782 Mon Sep 17 00:00:00 2001 From: Joe Rayhawk Date: Mon, 27 Dec 2010 01:23:28 -0800 Subject: Bug: cgi gateway: new --- docs/issues/cgi_gateway.mdwn | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 docs/issues/cgi_gateway.mdwn (limited to 'docs/issues/cgi_gateway.mdwn') diff --git a/docs/issues/cgi_gateway.mdwn b/docs/issues/cgi_gateway.mdwn new file mode 100644 index 0000000..3fe9abc --- /dev/null +++ b/docs/issues/cgi_gateway.mdwn @@ -0,0 +1,27 @@ +* Status: [[!taglink open]] +* Assigned to: [[!taglink jblake]] +* Priority: [[!taglink now]] +* Opened by: jrayhawk + +### Discussion + +In order for CGIs to work with the current paradigm, we'd need some mechanism +for Apache to execute the various pinyadmin scripts as the involved user. We can +either do this using sudo, which would require a lot of overhead in making and +maintaining sudoers rules, or using an suid binary that does exactly what we +need. + +Requirements: + +* executable only by www-data +* takes as arguments + * username + * pinyadmin command + * pinyadmin command arguments +* exits if username's uid < 1000 +* exits if username violates piny username constraints (specifically git- and + ikiwiki- are not allowed) +* executes with the appropriate uid/gid the specified pinyadmin command and the + specified arguments + +Obviously any input on this concept is desirable. -- cgit v1.2.3