[Wellington-pm] perl-suid deprecated, in favour of what?

Grant McLean grant at mclean.net.nz
Mon May 22 21:48:23 PDT 2006


On Tue, 2006-05-23 at 16:21 +1200, Lesley Walker wrote:
> On Tue, 2006-05-23 at 16:19 +1200, Peter C. Kelly wrote:
> > How about using sudo?
> 
> How exactly would I go about doing that?  This is a CGI script.

Sudo is the right answer.  The fact that it's a CGI script means that
you'll need two scripts.  Move that code that needs special permissions
into its own script and then your CGI script can run that script via
sudo and collect its output.

For example your CGI script might include this line:

  my $log_data = `/usr/bin/sudo -u loguser /path/to/priviliged/script $args`;

The sudoers file might include a line like this:

  www-data  ALL = (loguser) NOPASSWD: /path/to/priviliged/script

The net result is that the www-data user has the ability to run the
privileged script as the user 'loguser'.  The www-data user can't modify
that script and is therefore limited to doing whatever that script
allows.

Using the setuid or setgid approach, the www-data user would have the
ability to do anything that the user or group permissions allowed.

Good luck
Grant
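A fuller version of the two-script arrangement Grant describes, added here as an example and not code from the original thread. It is the CGI side only; the paths, the `log` CGI parameter, the `loguser` account and the helper script name are placeholders. The main difference from the one-liner above is that the helper is started with a list-form `open`, so no shell ever sees the argument, and the argument is checked against a whitelist before it leaves the CGI script.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(param header);

# Assumed paths and names (placeholders, not taken from the original post).
my $SUDO   = '/usr/bin/sudo';
my $HELPER = '/path/to/privileged/script';   # hypothetical privileged helper
my $RUNAS  = 'loguser';                      # account the helper runs as

# The sudoers entry this relies on has the same shape as in the post:
#   www-data  ALL = (loguser) NOPASSWD: /path/to/privileged/script

# Accept only a short, plain log name; anything else is rejected.
# Returns the cleaned name, or undef when the input is not acceptable.
sub validate_logname {
    my ($name) = @_;
    return undef unless defined $name;
    my ($clean) = $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/
        or return undef;
    return $clean;
}

# Run the helper via sudo and return (exit status, captured output).
sub run_privileged {
    my (@args) = @_;

    # A fixed PATH and a cleared shell-ish environment for the child.
    local $ENV{PATH} = '/usr/bin:/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

    # List-form open: the command and its arguments go straight to execve,
    # so metacharacters in @args are passed literally rather than
    # interpreted by /bin/sh.  -n makes sudo fail instead of prompting
    # if the sudoers rule does not match.
    my $pid = open(my $out, '-|', $SUDO, '-n', '-u', $RUNAS, '--', $HELPER, @args)
        or die "cannot run helper: $!";

    my $data = do { local $/; <$out> };   # slurp everything the helper prints
    close $out;                            # sets $? to the child's status
    my $status = $? >> 8;
    return ($status, $data);
}

my $logname = validate_logname(scalar param('log'));

print header('text/plain');
if (!defined $logname) {
    print "invalid log name\n";
    exit 0;
}

my ($status, $data) = run_privileged($logname);
if ($status != 0) {
    print "helper failed (exit status $status)\n";
    exit 0;
}
print $data;
```

Two points worth keeping in mind with this layout. First, the sudoers entry names the helper's full path, so the path passed to `sudo` must match it exactly. Second, a sudoers entry that lists no arguments allows the command to be run with any arguments, so the helper script itself must treat whatever it receives as untrusted and validate it again; the whitelist in the CGI script is a first line of defence, not the only one.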
