[Wellington-pm] perl-suid deprecated, in favour of what?

Ewen McNeill ewen at naos.co.nz
Mon May 22 21:42:35 PDT 2006


In message <1148358092.31782.32.camel at localhost.localdomain>, Lesley Walker writes:
>On Tue, 2006-05-23 at 16:19 +1200, Peter C. Kelly wrote:
>> How about using sudo?
>
>How exactly would I go about doing that?  This is a CGI script.

www-data  ALL = (mail) NOPASSWD: /usr/local/bin/analyzelogs

Which says the "www-data" user (which is what Apache runs as in Debian,
at least by default), can run the command "/usr/local/bin/analyzelogs"
as the "mail" user, without providing a password.  (The "ALL =" bit
means that it can do this on any host that the entry is present in
the /etc/sudoers file.)

Then the script would call:

sudo -u mail /usr/local/bin/analyzelogs

Sudo would probably be my suggestion in this situation too; I've used it
for other batch-script privilege-required automation quite successfully.
The next best solution is a C program which can be setuid, either to do
the whole task or to run the perl program as the appropriate user (with
taint turned on, etc).

Ewen

PS: sudo tip -- sudo processes the configuration file from top to bottom
    overwriting abilities as it goes, so the last rule wins.  This is 
    confusing if one is expecting, e.g., the most specific rule to win.
    So place exceptions like the above at the bottom of the /etc/sudoers
    file.
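The CGI side of the arrangement above, as an added example that is not part of the original post: a Perl wrapper that runs under taint mode and hands the privileged work to sudo, matching the `www-data ALL = (mail) NOPASSWD: /usr/local/bin/analyzelogs` rule. The location `/usr/bin/sudo` and the assumption that `analyzelogs` takes no arguments are mine; the command path and the `mail` user come from the post.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post: minimal CGI wrapper that
# delegates the privileged step to sudo under the sudoers rule
#   www-data  ALL = (mail) NOPASSWD: /usr/local/bin/analyzelogs
# Assumptions: sudo is at /usr/bin/sudo and analyzelogs needs no arguments.
use strict;
use warnings;

# Taint mode (-T) refuses to run external commands until the environment
# is scrubbed: pin PATH and drop the variables a shell would honour.
# sudo resets the environment itself, but -T insists on this first.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $sudo   = '/usr/bin/sudo';               # assumed location of sudo
my $target = '/usr/local/bin/analyzelogs';  # the command named in sudoers

# Flush the CGI header before the child writes to the shared stdout.
$| = 1;
print "Content-Type: text/plain\r\n\r\n";

# List-form system(): no shell is involved, so nothing taken from the
# request can be spliced into the command line. "--" ends sudo's own
# option parsing so the target path is never read as a sudo option.
my $status = system($sudo, '-u', 'mail', '--', $target);

if ($status == -1) {
    print "failed to execute sudo: $!\n";
} elsif ($status & 127) {
    printf "analyzelogs died with signal %d\n", $status & 127;
} elsif ($status >> 8) {
    printf "analyzelogs exited with status %d\n", $status >> 8;
} else {
    print "analyzelogs completed\n";
}
```

Two points worth checking when deploying something like this: a sudoers command listed without arguments matches any arguments, so if `analyzelogs` should never receive any, write the rule as `/usr/local/bin/analyzelogs ""`; and, per the PS above, keep the rule at the bottom of `/etc/sudoers` so a later, broader entry does not quietly override it.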

