Running Hiawatha with root privileges, possible?

alcy
1 September 2010, 10:23


Hiawatha version: 7.3
Operating System: Debian

Folks, is there ANY way to run Hiawatha with root privileges? I mean, not just start it as root and then suid to nobody/www-data/<userid>, but instead completely run the instance as root?

I know it's bad practice, but my cgi stuff really needs it and setuid for cgi isn't enough.

Hugo Leisink
1 September 2010, 10:38
Although Hiawatha's code is secure, I strongly discourage doing that. Hiawatha uses a lot of external libraries (OpenSSL, XML, XSLT, etc.) which could contain an exploitable bug.

A good alternative is to use FastCGI. Write your CGI application as a FastCGI application and run that one as root. More about writing FastCGI applications can be found in the last paragraph of this page.

alcy
1 September 2010, 10:51
Thanks Hugo, but my problem is that the CGI code in question is a MONSTER! It's quite old, quite big, AND necessary for our purposes. Also, I am not capable of modifying it or porting it (to FastCGI). I don't build Hiawatha with either of those libs (except ssl). Also, Hiawatha will be listening on 127.0.0.1, with a reverse proxy (likely, Pound or nginx) listening on the LAN interface.

So, is there still a way to run Hiawatha with root privileges, Hugo? I really want to get it under our current scheme.

Hugo Leisink
1 September 2010, 11:13
To do so, you have to change the Hiawatha source code. Edit hiawatha.c and remove the 'Change userid' code block starting at line 2011. Start Hiawatha as user root and it will remain running as root. Again, I don't advise you to do so. Use at your own risk!

alcy
1 September 2010, 11:18
Hugo, here's the deal. In the current scheme of things, we are using Xitami web server for our purposes. It runs as root. By switching to Hiawatha, at least I can assure my folks that we are using something that's being actively developed, is easily configurable and has secure code. Hence my query to you!

And thanks a lot for that pointer, will try to get it working.

P.S.: Until someone really starts editing that CGI code, this is my only (somewhat) sane solution. Thanks again, Hugo.
This topic has been closed.