[sf-perl] How to get cgi program to invoke another program as a specific non-privileged user
David Fetter
david at fetter.org
Sat May 19 10:52:27 PDT 2007
On Sat, May 19, 2007 at 10:25:03AM -0700, David Alban wrote:
> Greetings,
>
> I wrote a tool that performs a code build. It's a command line
> tool. I'm not very experienced with web programming, and I'm trying
> to write a perl cgi front end to it that pretty much just invokes
> the build tool. This is all on internal networks, so there are no
> internet facing components. This is on linux, with apache.
>
> On the machine in question (release management build server), I
> created the (non-privileged) user 'build'. I want the cgi front end
> to invoke the build tool as user build, not as the user that owns
> the httpd processes. I can't figure out how to do this. I thought
> about making the build tool (owned by build:build) setuid. But I'd
> rather not allow anyone with a login on the machine to be able to
> run the build tool.
>
> A cow-orker pointed me toward suexec. But suexec looks like its job
> is to run all cgi programs in a domain as a particular
> non-privileged user. I only want the build tool to be run as user
> build. I don't want to change the owner of *any* cgi program, not
> even my own cgi front end.
>
> Any suggestions on how to accomplish this without making the build
> tool setuid? Pointers to man pages or other online docs welcome.
> Or do folks pretty much just do the setuid thing?
>
> (Maybe make the build tool setuid but put it down a path only
> reachable by user build and the group of the user running the web
> server...?) Is there a better / more web-programming-standard way?
I think you might want to look into the fine-grained control that sudo
provides. You can, for example, allow the "nobody" user to execute
exactly one command without password authentication as the "build"
user.
Yeah, I know it's not the perliest thing to do, but perl isn't the
right tool for *every* job :)
Cheers,
D
--
David Fetter <david at fetter.org> http://fetter.org/
phone: +1 415 235 3778 AIM: dfetter666
Skype: davidfetter
Remember to vote!
Consider donating to PostgreSQL: http://www.postgresql.org/about/donate
More information about the SanFrancisco-pm
mailing list