[Wellington-pm] perl-suid deprecated, in favour of what?
grant at mclean.net.nz
Mon May 22 21:48:23 PDT 2006
On Tue, 2006-05-23 at 16:21 +1200, Lesley Walker wrote:
> On Tue, 2006-05-23 at 16:19 +1200, Peter C. Kelly wrote:
> > How about using sudo?
> How exactly would I go about doing that? This is a CGI script.
Sudo is the right answer. The fact that it's a CGI script means that
you'll need two scripts. Move that code that needs special permissions
into its own script and then your CGI script can run that script via
sudo and collect its output.
For example your CGI script might include this line:

    my $log_data = `/usr/bin/sudo -u loguser /path/to/priviliged/script`;

The sudoers file might include a line like this:

    www-data ALL = (loguser) NOPASSWD: /path/to/priviliged/script

The net result is that the www-data user has the ability to run the
privileged script as the user 'loguser'. The www-data user can't modify
that script and is therefore limited to doing whatever that script
Using the setuid or setgid approach, the www-data user would have the
ability to do anything that the user or group permissions allowed.
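
Added example, not part of the original message: the CGI side of the two-script split, calling the helper through sudo without a shell, under taint mode, and checking the exit status. The paths and user name are the placeholders from the message; the `-n` flag (fail instead of prompting for a password) and the helper name `run_fixed_command` are additions made here.

```perl
#!/usr/bin/perl -T
# Added illustration of the CGI wrapper; not code from the thread.
use strict;
use warnings;

# Fixed command line. Nothing from the HTTP request is ever placed in it,
# which matches the sudoers rule that permits exactly this one command.
my @SUDO_CMD = ('/usr/bin/sudo', '-n', '-u', 'loguser',
                '/path/to/priviliged/script');

# Run a fixed command without a shell; return (wait_status, output).
sub run_fixed_command {
    my @cmd = @_;

    # Taint mode refuses to exec with an untrusted environment, so
    # replace the whole environment with a known-safe PATH.
    local %ENV = (PATH => '/usr/bin:/bin');

    # List-form pipe open: the arguments go straight to exec, so no
    # shell ever parses them.
    my $pid = open(my $fh, '-|', @cmd);
    return (-1, '') unless defined $pid;

    my $output = do { local $/; <$fh> };
    $output = '' unless defined $output;
    close($fh);    # sets $? to the child's wait status
    return ($?, $output);
}

my ($status, $log_data) = run_fixed_command(@SUDO_CMD);

print "Content-Type: text/plain\r\n\r\n";
if ($status == 0) {
    print $log_data;
} else {
    # sudo's own diagnostics went to stderr (the server error log);
    # the client only gets a generic message.
    warn "privileged helper failed, wait status $status\n";
    print "Log data is unavailable.\n";
}
```

If the helper ever needs an argument derived from the request, validate it against a strict pattern in the privileged script itself, since that script is the trust boundary the sudoers rule relies on.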