PerlMonks  

permissions and apache

by cidaris (Friar)
on Jul 30, 2002 at 18:41 UTC (#186299=perlquestion)

cidaris has asked for the wisdom of the Perl Monks concerning the following question:

Hello monks,

I'm attempting to auto-generate my site. I've written the program necessary to do what needs to happen, now I want to run it from the web.

Originally, I did this by having a call to
system ("/whatever/cgi-bin/generate.pl", $argument)
from another program, which worked OK, except the script called needs to generate output to the htdocs folder.
Since it was technically 'nobody' running the script (Apache) it didn't have permission to write to htdocs. Very briefly, I changed the permissions of the htdocs folder to be owned by nobody/nogroup and 777 permissions, but realized this was probably the worst idea ever.
Someone pointed me towards CGIWrap, but I don't think I'm doing it quite right.

I know I'm opening up a big can of worms with the whole setgid and setuid issues, so I was hoping someone could point me in the right direction?

Thanks again,
cidaris

Replies are listed 'Best First'.
Re: permissions and apache
by chromatic (Archbishop) on Jul 30, 2002 at 19:41 UTC

    Write a little cron job that looks for a flag somewhere and then regenerates your site. You can store the flag in a database, a DBM file, or a temporary file in a directory that you make writable. I'm leery of changing write permissions, especially to 777.
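
The flag-and-cron split suggested above, sketched as an added example that is not part of the original reply: the web-facing side only records a validated request, and a cron job running as the htdocs owner does the writing. The spool directory, the rebuild.N flag naming and the stand-in generator command are assumptions made for the demo.

```perl
#!/usr/bin/perl
# Added example: the CGI only records a request; a cron job owned by the
# htdocs owner does the privileged work.
use strict;
use warnings;
use File::Temp qw(tempdir tempfile);

# Assumption: in production $SPOOL is a fixed directory both accounts can write
# to, while htdocs stays owned by the site account. A temp dir keeps this offline.
my $SPOOL = tempdir(CLEANUP => 1);

# Hypothetical stand-in for generate.pl; it only echoes the key it was given.
my @GENERATOR = ($^X, '-e', 'print "generating site for key $ARGV[0]\n"');

# Web side (runs as 'nobody'): accept a numeric primary key, write the flag atomically.
sub request_rebuild {
    my ($key) = @_;
    return 0 unless defined $key && $key =~ /\A(\d{1,9})\z/;
    my $id = $1;
    my ($fh, $tmp) = tempfile('tmp.XXXXXX', DIR => $SPOOL);
    close $fh or return 0;
    return rename($tmp, "$SPOOL/rebuild.$id") ? 1 : 0;
}

# Cron side (runs as the htdocs owner): the spool is untrusted, so re-validate.
sub process_requests {
    my @done;
    opendir(my $dh, $SPOOL) or die "opendir $SPOOL: $!";
    my @flags = sort grep { /\Arebuild\.\d{1,9}\z/ } readdir $dh;
    closedir $dh;
    for my $name (@flags) {
        my $path = "$SPOOL/$name";
        next if -l $path or not -f $path;      # no symlinks, regular files only
        my ($id) = $name =~ /\Arebuild\.(\d{1,9})\z/;
        unlink $path or next;                  # claim the request before running
        my $status = system(@GENERATOR, $id);  # list form: no shell involved
        push @done, [$id, $status == -1 ? -1 : $status >> 8];
    }
    return @done;
}

# Constructed demo input: one valid key and two that must be rejected.
for my $key ('42', '42;id', '../x') {
    printf "request %-8s %s\n", "'$key'", request_rebuild($key) ? 'queued' : 'rejected';
}
printf "key %s -> generator exit code %d\n", @$_ for process_requests();
```

With this split, the web user needs write access only to the spool directory, and htdocs never has to be writable by 'nobody'.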

Re: permissions and apache
by Cine (Friar) on Jul 30, 2002 at 19:48 UTC
    I personally use sudo for those kinds of things.

    T I M T O W T D I
Re: (newrisedesigns) permissions and apache
by newrisedesigns (Curate) on Jul 31, 2002 at 02:51 UTC

    Why are you auto-generating your site?

    If it's to restore from some sort of backup (unlikely), you should use some form of FTP method to backup/restore files.

    More than likely, you probably run this to generate some sort of custom HTML. Exactly what, I don't know.

    I'd like to suggest generating your website on the fly using a healthy dose of SSI and Perl. It's always fresh, always live, and no messy setuid to worry about.

    If this is not the case, perhaps you could elaborate on your problem, and we'd love to help.

    John J Reiser
    newrisedesigns.com

      Perhaps some elaboration...
      Currently, the website updates itself every night at midnight thru cron. My site isn't just a "hi, I'm cidaris, this is a 3MB bmp of my dog".
      Every day, there are between 30 and 100 new pieces of content to add, and the HTML must be generated for it.
      Think of a high-end porn site, without the pictures. Stock photo kind of stuff.
      Lots of content, fairly organizational.
      Lately, I've been aching for some customization. I built a MySQL database to house all the variable info, like table schemes, color schemes, individual images, applicable holidays, etc.
      I know this is just screaming "use a templating system!" but I didn't.
      The program is done, I just want to run it from the web now, instead of in cron.
      I want my admins to be able to go to a page, specify with radio buttons all the options they want, and click 'Go' and the program builds them a site.
      So, as is, a script which people call from the web lets them select all these options, change info, update the database, etc.
      Once they hit submit on the final "OK, we're all done" page, it calls the site generation program with a single argument, the primary key for the appropriate database table.

      The problem is that since the generator program is writing pages in the /htdocs/ folder, it must have better permissions than 'nobody'.
      But since Apache (which I've set to run as 'nobody', in accordance with what nearly every security discussion agrees on) calls it, it now has 'nobody' permissions and hence, cannot write to htdocs.

      I have looked into sudo, and it's looking like that may be the solution. Originally, someone pointed me to CGIWrap, but its documentation is somewhat sparse.

      So, like all (s/wise/lazy/) men, I thought to inquire before I embarked on some large, 3rd party-heavy solution.

      Hopefully, I can find some answers.
      cidaris
        OK, I've made significant progress with a lot of reading.
        I have learned more than I wanted to know about the whole setuid issue, and have written a C++ wrapper to call the script and pass the command-line issues. I then gave the C++ program more appropriate access permissions.
        I then went through and did all the necessary sanity-checking and untainting of the various data.
        I then got to my favorite part of any coding process, debugging!
        After several failed attempts, I got
        "su -c './perl_run Build' nobody"
        to work correctly.
        Thinking I was all but done, I included the system call to the script
        my $results = system("/usr/local/bin/perl/perl_run", $directive);
        in my CGI program. Before untainting, I would get -1 for results, which I expected, as it didn't work at that time.

        However, now I'm getting 256 (which I believe is actually '1' for success) but here's the catch:
        The program isn't running, the site isn't changing, and I'm about to call it quits in favor of a few tall mugs of Newcastle.

        Any thoughts?
        cidaris
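
How Perl reports the result of the system call discussed in the post above, as an added example that is not part of the original thread: per perlfunc, a return of -1 means the program could not be started, the low 7 bits carry a signal number, and the exit code is the value shifted right by 8, so a raw 256 is exit code 1. The stand-in child command, the 'Clean' directive and the /nonexistent/perl_run path are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# 'Build' is the directive from the post; 'Clean' is a hypothetical second one.
my %ALLOWED = map { $_ => 1 } qw(Build Clean);

# Decode the wait status that system() returns (see perlfunc, "system").
sub decode_status {
    my ($status, $errno) = @_;
    return { ok => 0, why => "could not start: $errno" } if $status == -1;
    return { ok => 0, why => 'killed by signal ' . ($status & 127) } if $status & 127;
    my $exit = $status >> 8;
    return { ok => ($exit == 0 ? 1 : 0), why => "exit code $exit (raw status $status)" };
}

# Run @$cmd plus one allowlisted directive, list form so no shell parses it.
sub run_checked {
    my ($cmd, $directive) = @_;
    return { ok => 0, why => 'directive not in allowlist' }
        unless defined $directive && $ALLOWED{$directive};
    no warnings 'exec';                     # we report the failure ourselves
    my $status = system(@$cmd, $directive);
    return decode_status($status, "$!");
}

# Constructed stand-in for perl_run: exits 1 on 'Build', 0 otherwise.
my @child = ($^X, '-e', 'exit($ARGV[0] eq "Build" ? 1 : 0)');

for my $case ([\@child, 'Build'], [\@child, 'Clean'], [\@child, 'Build;id'],
              [['/nonexistent/perl_run'], 'Build']) {
    my ($cmd, $directive) = @$case;
    my $r = run_checked($cmd, $directive);
    printf "%-9s => %-6s %s\n", $directive, $r->{ok} ? 'ok' : 'FAILED', $r->{why};
}
```

Logging the decoded exit code together with the wrapper's STDERR in the CGI is usually the quickest way to see why a privileged helper returned without doing its work.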
