On Tue, Oct 22, 2002 at 09:40:26PM -0500, Brad Fritz wrote:
> 
> > How could I get around this?
> 
> I think the most secure solution would be to write a minimal
> C program that sets ip_nonlocal_bind and run it setuid root.
> There was some discussion of this awhile back on leaf-user or
> leaf-devel surrounding Jon Clausen's "blinder" project, IIRC.

YRC: My problem was a little different, but the same principles apply.

In order to get cron to notice that a new crontab file was installed, I
needed to get the timestamp of the directory /var/spool/cron/crontabs
updated. The directory is owned by root, so I basically had two options:

run sh-httpd as root (not a great idea), or

make an suid binary that does "something" in the directory.

I went with option two, and got some help creating a tiny little C
program that creates a file "notify" in that dir, and erases it again
immediately. This operation had the desired effect, and all was good.

The way it's done, is that the program has paths/filename hardcoded in
it, and takes no arguments, so there is very little possibility of
(direct) misuse. So "anyone" can execute it, and have cron update its
knowledge of crontabs on the system.

Adapting that program to do what you need is probably not that
difficult. I'd be happy to take a stab at it, but I'm not really a C
programmer (yet anyway).

> Less secure would be to do the same thing with a setuid shell
> script.

It's my understanding that shell scripts will not work suid. (I did try
that out before turning to C, it never worked, and I seem to remember
seeing an explanation of why it doesn't work somewhere...) CMIIW

> Probably the least secure would be to run weblet as root rather

-and since your host *is* a firewall (which my "Blinder" system is
*not*), I'd advise against that.

> > I tried using both chmod and chown on 
> > ip_masq_udp_dloose to allow weblet access, but nothing happens.  The 
> > commands act as if they worked, but the permissions don't change.  It seems 
> > a bit odd to me.
> 
> Not positive, but I think that's probably because it is part of
> the /proc pseudo filesystem.

Sounds reasonable... (?)

HTH
Jon Clausen
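
The kind of no-argument setuid helper Jon describes above, written out as an added example (this is not his program; the directory and the file name "notify" come from his message, the function name bump_dir_mtime and the use of O_EXCL are my assumptions):

```c
/* Added example of a minimal setuid helper with a hardcoded path and no
 * arguments, in the style described in the message above. Not the
 * original program; bump_dir_mtime is an assumed name. Install it as
 * root-owned with mode 4755 only after reviewing it. */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define CRONTAB_DIR "/var/spool/cron/crontabs"
#define NOTIFY_FILE "notify"

/* Create and immediately unlink a marker file in dir. Either operation
 * makes the kernel update the directory's mtime, which is what cron
 * checks to decide whether to re-read crontabs. Returns 0 on success. */
int bump_dir_mtime(const char *dir)
{
    char path[256];
    int fd;
    int n = snprintf(path, sizeof path, "%s/%s", dir, NOTIFY_FILE);

    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    /* O_CREAT|O_EXCL: fail if anything (including a symlink planted by
     * an unprivileged user) already sits at this name, so a root-owned
     * helper can only ever create its own marker file. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return unlink(path);
}

int main(int argc, char **argv)
{
    (void)argv;
    /* Refuse all arguments: the only action this binary can take is
     * touching one fixed directory, which keeps the setuid surface tiny. */
    if (argc != 1)
        return 2;
    if (bump_dir_mtime(CRONTAB_DIR) != 0) {
        perror("notify");
        return 1;
    }
    return 0;
}
```

Because the path is compiled in and argv is ignored, the binary cannot be pointed at any other directory, which is the whole point of preferring it over a root-run web server.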
