Discussion
In order for CGIs to work with the current paradigm, we'd need some mechanism for Apache to execute the various pinyadmin scripts as the involved user. We can either do this using sudo, which would require a lot of overhead in making and maintaining sudoers rules, or using an suid binary that does exactly what we need.
Requirements:
- executable only by www-data
- takes as arguments
- username
- pinyadmin command
- pinyadmin command arguments
- exits if username's uid < 1000
- exits if username violates piny username constraints (specifically git- and iki- are not allowed)
- executes with the appropriate uid/gid the specified pinyadmin command and the specified arguments
Obviously any input on this concept is desirable.
jrayhawk 20110121
This appears to be done.