runas - Run a program under a specific user / group (poor man's suexec)

peter (Peter Cooperx) — Thu, 10 Apr 2008 08:07:10 GMT

#!/usr/bin/env ruby



# runas - Run another program under the privileges of a specified user and group.

# This is necessary because sudo demands a password, as we need it to be hands off.

# A poor man's suexec basically.



require 'etc'



user, group, cmd = ARGV



begin

  uid = Etc.getpwnam(user).uid

  gid = Etc.getgrnam(group).gid



  unless Process.euid == uid && Process.egid == gid

    Process.initgroups(user, gid)

    Process::GID.change_privilege(gid)

    Process::UID.change_privilege(uid)

  end



  exec cmd

rescue

  puts "Could not run as #{user}:#{group}"

  exit 1

end

Usage example: ./runas username groupname "sleep 10"

Suexec'ed PHP-FastCGI on Apache2

jason (Jason Hoffman) — Fri, 08 Apr 2005 19:18:10 GMT

A PHP cgi binary compiled with fcgi support



> /usr/local/www/cgi-bin/php5-fcgi -v

PHP 5.0.3 (cgi-fcgi) (built: Dec 30 2004 22:44:32)

Central config in httpd.conf





FastCgiIpcDir /usr/local/www/fcgi_ipc/tmp

AddHandler fastcgi-script .fcgi

FastCgiSuexec /usr/local/sbin/suexec

FastCgiConfig -singleThreshold 100 -killInterval 300 -autoUpdate -idle-timeout 240 -pass-header HTTP_AUTHORIZATION





Options ExecCGI        

SetHandler fastcgi-script

In a virtual host



SuexecUserGroup ${USER} ${GROUP}

ScriptAlias /php-fastcgi/ ${HOME}/php-fastcgi/ 

AddType application/x-httpd-fastphp .php

Action application/x-httpd-fastphp /php-fastcgi/php5-fcgi

And then the ${HOME}/php-fastcgi/php5-fcgi wrapper



#!/bin/sh 

PHPRC="/usr/local/etc" 

export PHPRC 

PHP_FCGI_CHILDREN=8 

export PHP_FCGI_CHILDREN 

PHP_FCGI_MAX_REQUESTS=5000 

export PHP_FCGI_MAX_REQUESTS 

exec /usr/local/www/cgi-bin/php5-fcgi

The PHPRC environment sets the directory where php.ini is to be found

DZone Snippets: suexec code

runas - Run a program under a specific user / group (poor man's suexec)

Suexec'ed PHP-FastCGI on Apache2