[Wellington-pm] perl-suid deprecated, in favour of what?

Grant McLean grant at mclean.net.nz
Tue May 23 15:26:31 PDT 2006


On Wed, 2006-05-24 at 09:42 +1200, Lesley Walker wrote:
> Thanks guys,
> This has pretty much turned out to be an Apache question, 

Are you sure?  Can the CGI script not get the info you need?

> so I'll try that keep-env thing, and if that doesn't do what 
> I need I'll go and search some Apache mailing lists.

Using keep-env wouldn't be my preferred approach.  My vote would be for
the CGI script to get the info it needs and pass it to the privileged
script on the command line.  Passing things via the environment is
non-obvious enough without also having to rely on some obscure entry in
the sudoers file.

It may seem like the path of least resistance was Peter's suggestion of
not changing the CGI script but just adding a CGI wrapper that invokes
the original script via sudo.  But from a security perspective it would
be safer to keep the bulk of your code in the non-privileged CGI script
and only extract the specific part which needs special permissions.  If
you just need to read a file then the script invoked via sudo would be very
short and very easy to audit.

Cheers
Grant
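One way to lay out the split Grant describes, as an added example that is not code from the thread (the paths, the report-name format and the sudoers line are assumptions): the privileged helper is a few auditable lines that accept one validated argument, and the unprivileged CGI side passes the value on the command line via sudo rather than through the environment.

```python
#!/usr/bin/env python3
"""Split a CGI task so only a tiny helper runs with elevated privileges.
Assumed layout (example only, not from the thread):
  /usr/local/bin/read-report  - this file, run via sudo, reads one report
  /var/lib/reports/NAME.txt   - files the web user cannot read directly
  sudoers: www-data ALL=(root) NOPASSWD: /usr/local/bin/read-report
"""
import re
import subprocess
import sys

REPORT_DIR = "/var/lib/reports"
HELPER = "/usr/local/bin/read-report"
# A report name is a short plain token: no slashes, dots or shell metacharacters,
# so it can never address a file outside REPORT_DIR.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

def report_path(name):
    """Map a validated report name to its file; raise ValueError otherwise."""
    if not NAME_RE.match(name):
        raise ValueError("invalid report name")
    return f"{REPORT_DIR}/{name}.txt"

def helper_main(argv):
    """Privileged side, in full: one argument, one fixed-dir file, stdout."""
    if len(argv) != 2:
        sys.stderr.write("usage: read-report NAME\n")
        return 64
    try:
        path = report_path(argv[1])
    except ValueError as exc:
        sys.stderr.write("read-report: %s\n" % exc)
        return 65
    with open(path, "rb") as fh:
        sys.stdout.buffer.write(fh.read())
    return 0

def sudo_argv(name):
    """Unprivileged CGI side: validate, then build the argv list sudo will run.
    The value travels as a command-line argument, not via the environment."""
    report_path(name)  # same check as the helper, so bad input fails early
    return ["/usr/bin/sudo", "-n", "--", HELPER, name]

def fetch_report(name):
    """Called from the CGI script: run the helper and return the file bytes."""
    return subprocess.run(sudo_argv(name), check=True, capture_output=True,
                          env={"PATH": "/usr/bin:/bin"}).stdout

if __name__ == "__main__":
    sys.exit(helper_main(sys.argv))
```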
