[Wellington-pm] perl-suid deprecated, in favour of what?
ewen at naos.co.nz
Mon May 22 21:42:35 PDT 2006
In message <1148358092.31782.32.camel at localhost.localdomain>, Lesley Walker writes:
>On Tue, 2006-05-23 at 16:19 +1200, Peter C. Kelly wrote:
>> How about using sudo?
>How exactly would I go about doing that? This is a CGI script.
www-data ALL = (mail) NOPASSWD: /usr/local/bin/analyzelogs
Which says the "www-data" user (which is what Apache runs as in Debian,
at least by default), can run the command "/usr/local/bin/analyzelogs"
as the "mail" user, without providing a password. (The "ALL =" bit
means that it can do this on any host that the entry is present in
the /etc/sudoers file.)
Then the script would call:
sudo -u mail /usr/local/bin/analyzelogs
Sudo would probably be my suggestion in this situation too; I've used it
for other batch-script privilege-required automation quite successfully.
The next best solution is a C program which can be setuid, either to do
the whole task or to run the perl program as the appropriate user (with
taint turned on, etc).
PS: sudo tip -- sudo processes the configuration file from top to bottom
overwriting abilities as it goes, so the last rule wins. This is
confusing if one is expecting, e.g., the most specific rule to win.
So place exceptions like the above at the bottom of the /etc/sudoers
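As an added example (not code from the post or from the list), here is what the CGI side of the sudo approach described above could look like in Perl with taint mode on: the sudoers entry, the "mail" user and the /usr/local/bin/analyzelogs path are the ones from the thread, while /usr/bin/sudo as the location of sudo and the fixed PATH value are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post: a CGI script that runs the
# log analyser as the "mail" user through sudo, matching the sudoers rule
#   www-data ALL = (mail) NOPASSWD: /usr/local/bin/analyzelogs
# Assumed: sudo lives at /usr/bin/sudo; the PATH below is a constructed value.
use strict;
use warnings;

# Under taint mode (-T) perl refuses to run external commands while %ENV
# holds untrusted values (PATH, IFS, CDPATH, ENV, BASH_ENV), so throw away
# the environment Apache handed us and start from a minimal known-good one.
%ENV = ( PATH => '/usr/bin:/bin' );

# Fixed argument list: nothing from the HTTP request is ever placed here.
my @cmd = ('/usr/bin/sudo', '-u', 'mail', '/usr/local/bin/analyzelogs');

sub run_analyzelogs {
    # List-form system() execs directly without a shell, so there is no
    # command line for request data to be interpolated into.  Note that a
    # sudoers Cmnd written without arguments permits *any* arguments; keep
    # the list fixed as here, or write the Cmnd as
    #   /usr/local/bin/analyzelogs ""
    # in /etc/sudoers to forbid arguments entirely.
    my $status = system(@cmd);
    return "could not execute sudo: $!" if $status == -1;
    my $exit = $status >> 8;                # decode wait(2) status
    return $exit == 0 ? undef : "analyzelogs exited with status $exit";
}

print "Content-Type: text/plain\r\n\r\n";
if ( my $err = run_analyzelogs() ) {
    print STDERR "analyzelogs CGI: $err\n"; # detail goes to the Apache error log
    print "Log analysis failed; see the server log.\n";
}
else {
    print "Log analysis completed.\n";
}
```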