[mod_python] setuid functionality in mod_python

Stefan C. Kremer skremer at q.cis.uoguelph.ca
Thu Apr 29 11:48:44 EST 2004


I am porting a series of web-pages/CGI scripts to mod python.  I've really enjoyed this and have even managed to cobble together my own request handler that suits my purposes very well.

The one thing that has always bother me is how to duplicate the functionality I previously had with setuid CGI scripts.

For example if I want to read or write to a file on the server side or connect to a database on the server, I used to create CGI scrips that were either themselves setuid or were called from a CGI wrapper that was setuid.  This gave the ability to run certain operations with a power greater than that of the "nobody/apache" user, but still restrict access to virtually every other resource on my machine (by creating a user that is slightly more powerful than the "nobody" user).

I realize that my mod_python script can call an executable wrapper with setuid on which in tern calls another python script, but that seems kind of painful.

Is there a better solution?


P.S. This is a great list.  I am amazed by the number of repliers who are highly knowledgible, patient and polite.

Permanently                             Temporarily (Until Aug. 2004)
Dr. Stefan C. Kremer, Associate Prof.   Visiting Researcher
Reynolds Building, 106                  307 Computer Science/Engineering Bldg
Dept. of Computing & Info. Science      School of Info. & Computer Science
University of Guelph, Guelph, Ontario     U of California at Irvine, Irvine, CA
N1G 2W1                                 92697-3425
Tel: (519)824-4120 Ext.58913
Fax: (519)837-0323

WWW: http://q.cis.uoguelph.ca/~skremer  E-mail:  skremer at uoguelph.ca

More information about the Mod_python mailing list