[sf-perl] How to get cgi program to invoke another program as a specific non-privileged user

David Alban extasia at extasia.org
Sat May 19 10:25:03 PDT 2007


I wrote a tool that performs a code build.  It's a command line tool.
I'm not very experienced with web programming, and I'm trying to write
a perl cgi front end to it that pretty much just invokes the build
tool.  This is all on internal networks, so there are no internet
facing components.  This is on linux, with apache.

On the machine in question (release management build server), I
created the (non-privileged) user 'build'.  I want the cgi front end
to invoke the build tool as user build, not as the user that owns the
httpd processes.  I can't figure out how to do this.  I thought about
making the build tool (owned by build:build) setuid.  But I'd rather
not allow anyone with a login on the machine to be able to run the
build tool.

A cow-orker pointed me toward suexec.  But suexec looks like its job
is to run all cgi programs in a domain as a particular non-privileged
user.  I only want the build tool to be run as user build.  I don't
want to change the owner of *any* cgi program, not even my own cgi
front end.

Any suggestions on how to accomplish this without making the build
tool setuid?  Pointers to man pages or other online docs welcome.  Or
do folks pretty much just do the setuid thing?

(Maybe make the build tool setuid but put it down a path only
reachable by user build and the group of the user running the web
server...?)  Is there a better / more web-programming-standard way?

Live in a world of your own, but always welcome visitors.
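
An audit of the layout floated in the post's closing parenthetical, added here as an example and not part of the original message: it checks that a setuid tool owned by build sits in a directory that only build and the web server's group can reach. The function name, argument order and use of numeric ids are assumptions; GNU `stat` (Linux) is required.

```shell
#!/bin/sh
# Added example (not from the post). Audits the layout the post floats:
# a setuid build tool inside a directory reachable only by user 'build'
# and the web server's group. Requires GNU stat (Linux).
# Args (assumed names): DIR TOOL BUILD_UID WEB_GID (numeric ids).
check_build_layout() {
    dir=$1; tool=$2; want_uid=$3; want_gid=$4
    rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    # %a = octal mode, %u / %g = numeric owner / group
    d_info=$(stat -c '%a %u %g' "$dir") || return 2
    t_info=$(stat -c '%a %u %g' "$tool") || return 2
    set -- $d_info; d_mode=$1; d_uid=$2; d_gid=$3
    set -- $t_info; t_mode=$1; t_uid=$2; t_gid=$3

    # Directory: owned by build, group = web server's group,
    # group may traverse but not write, others get nothing.
    [ "$d_uid" = "$want_uid" ] || fail "$dir: owner uid $d_uid, expected $want_uid"
    [ "$d_gid" = "$want_gid" ] || fail "$dir: group gid $d_gid, expected $want_gid"
    [ $(( 0$d_mode & 027 )) -eq 0 ] || fail "$dir: mode $d_mode allows group write or other access"
    [ $(( 0$d_mode & 010 )) -ne 0 ] || fail "$dir: web server group cannot traverse"

    # Tool: a regular file (not a symlink), owned by build, setuid,
    # group-executable, and not writable or reachable by anyone else.
    [ -f "$tool" ] && [ ! -L "$tool" ] || fail "$tool: not a regular file"
    [ "$t_uid" = "$want_uid" ] || fail "$tool: owner uid $t_uid, expected $want_uid"
    [ "$t_gid" = "$want_gid" ] || fail "$tool: group gid $t_gid, expected $want_gid"
    [ $(( 0$t_mode & 04000 )) -ne 0 ] || fail "$tool: setuid bit not set"
    [ $(( 0$t_mode & 027 )) -eq 0 ] || fail "$tool: mode $t_mode allows group write or other access"
    [ $(( 0$t_mode & 010 )) -ne 0 ] || fail "$tool: web server group cannot execute"

    return $rc
}

# Typical call (user, group and path names are placeholders):
#   check_build_layout /path/to/dir /path/to/dir/buildtool \
#       "$(id -u build)" "$(getent group WEBGROUP | cut -d: -f3)"
```

Linux ignores the setuid bit on `#!` scripts, so this layout only takes effect when the tool (or a wrapper for it) is a compiled binary.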
