From 7bf6a597faf653358d83f6c8ca54843ffc43c782 Mon Sep 17 00:00:00 2001
From: Joe Rayhawk <jrayhawk@richardiv.omgwallhack.org>
Date: Mon, 27 Dec 2010 01:23:28 -0800
Subject: Bug: cgi gateway: new

---
 docs/issues/cgi_gateway.mdwn | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 docs/issues/cgi_gateway.mdwn

(limited to 'docs')

diff --git a/docs/issues/cgi_gateway.mdwn b/docs/issues/cgi_gateway.mdwn
new file mode 100644
index 0000000..3fe9abc
--- /dev/null
+++ b/docs/issues/cgi_gateway.mdwn
@@ -0,0 +1,27 @@
+* Status: [[!taglink open]]          <!-- Choose one:         open, closed -->
+* Assigned to: [[!taglink jblake]] <!-- Choose one or more: jrayhawk, jblake -->
+* Priority: [[!taglink now]]         <!-- Choose one:         now, soon, later -->
+* Opened by: jrayhawk
+
+### Discussion
+
+In order for CGIs to work with the current paradigm, we'd need some mechanism
+for Apache to execute the various pinyadmin scripts as the involved user. We can
+either do this using sudo, which would require a lot of overhead in making and
+maintaining sudoers rules, or using an suid binary that does exactly what we
+need.
+
+Requirements:
+
+* executable only by www-data
+* takes as arguments
+  * username
+  * pinyadmin command
+  * pinyadmin command arguments
+* exits if username's uid < 1000
+* exits if username violates piny username constraints (specifically git- and
+  ikiwiki- are not allowed)
+* executes with the appropriate uid/gid the specified pinyadmin command and the
+  specified arguments
+
+Obviously any input on this concept is desirable.
-- 
cgit v1.2.3