[sf-perl] How to get cgi program to invoke another program as a specific non-privileged user

David Fetter david at fetter.org
Sat May 19 10:52:27 PDT 2007


On Sat, May 19, 2007 at 10:25:03AM -0700, David Alban wrote:
> Greetings,
> 
> I wrote a tool that performs a code build.  It's a command line
> tool.  I'm not very experienced with web programming, and I'm trying
> to write a perl cgi front end to it that pretty much just invokes
> the build tool.  This is all on internal networks, so there are no
> internet facing components.  This is on linux, with apache.
> 
> On the machine in question (release management build server), I
> created the (non-privileged) user 'build'.  I want the cgi front end
> to invoke the build tool as user build, not as the user that owns
> the httpd processes.  I can't figure out how to do this.  I thought
> about making the build tool (owned by build:build) setuid.  But I'd
> rather not allow anyone with a login on the machine to be able to
> run the build tool.
> 
> A cow-orker pointed me toward suexec.  But suexec looks like its job
> is to run all cgi programs in a domain as a particular
> non-privileged user.  I only want the build tool to be run as user
> build.  I don't want to change the owner of *any* cgi program, not
> even my own cgi front end.
> 
> Any suggestions on how to accomplish this without making the build
> tool setuid?  Pointers to man pages or other online docs welcome.
> Or do folks pretty much just do the setuid thing?
> 
> (Maybe make the build tool setuid but put it down a path only
> reachable by user build and the group of the user running the web
> server...?)  Is there a better / more web-programming-standard way?

I think you might want to look into the fine-grained control that sudo
provides.  You can, for example, allow the "nobody" user to execute
exactly one command without password authentication as the "build"
user.

Yeah, I know it's not the perliest thing to do, but perl isn't the
right tool for *every* job :)

Cheers,
D
-- 
David Fetter <david at fetter.org> http://fetter.org/
phone: +1 415 235 3778        AIM: dfetter666
                              Skype: davidfetter

Remember to vote!
Consider donating to PostgreSQL: http://www.postgresql.org/about/donate


More information about the SanFrancisco-pm mailing list