[Wellington-pm] perl-suid deprecated, in favour of what?
srdjan at catalyst.net.nz
Tue May 23 15:34:20 PDT 2006
But what if you have sensitive data you don't want to be seen on the command
line, like passwords?
Grant McLean wrote:
> On Wed, 2006-05-24 at 09:42 +1200, Lesley Walker wrote:
>> Thanks guys,
>> This has pretty much turned out to be an Apache question,
> Are you sure? Can the CGI script not get the info you need?
>> so I'll try that keep-env thing, and if that doesn't do what
>> I need I'll go and search some Apache mailing lists.
> Using keep-env wouldn't be my preferred approach. My vote would be for
> the CGI script to get the info it needs and pass it to the privileged
> script on the command line. Passing things via the environment is
> non-obvious enough without also having to rely on some obscure entry in
> the sudoers file.
> It may seem like the path of least resistance was Peter's suggestion of
> not changing the CGI script but just adding a CGI wrapper that invokes
> the original script via sudo. But from a security perspective it would
> be safer to keep the bulk of your code in the non-privileged CGI script
> and only extract the specific part which needs special permissions. If
> you just need to read a file then the script invoked via sudo would be very
> short and very easy to audit.
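
On the question of passwords showing up on the command line: a process's arguments can be read by other local users through the process list, while data written to its standard input cannot. The following is an added example, not code from the thread, showing a caller that passes only non-sensitive options as arguments and sends the secret over a pipe. It assumes the helper would normally be started as `sudo /path/to/helper`; here the script re-runs itself so it works without sudo, and the user name and password are constructed sample values.

```perl
#!/usr/bin/perl
# Added example: hand a secret to a helper on stdin instead of argv.
# In the set-up discussed in the thread the command list would start
# with 'sudo' and the helper's path (assumption); this demo re-runs
# itself instead. All names and values below are constructed.
use strict;
use warnings;

my $SECRET = 'constructed-sample-password';   # constructed sample value

if (@ARGV && $ARGV[0] eq '--helper') {
    # Helper role: kept short so it is easy to audit.
    # argv carries only a non-sensitive, strictly validated option.
    my $user = $ARGV[1] // '';
    die "bad user name\n" unless $user =~ /\A[a-z][a-z0-9_-]{0,31}\z/;

    # The secret arrives on stdin, one line.
    my $secret = <STDIN>;
    die "no secret on stdin\n" unless defined $secret;
    chomp $secret;

    # Show what the process list would expose for this process.
    my $argv_visible = join ' ', $0, @ARGV;
    print "helper argv: $argv_visible\n";
    print "secret received on stdin: ", length($secret), " bytes\n";
    print "secret in argv: ",
        (index($argv_visible, $secret) >= 0 ? 'yes' : 'no'), "\n";
    exit 0;
}

# Caller role (the unprivileged CGI script in the thread).
# The list form of a pipe open runs the command directly, with no
# shell, so the arguments are never re-parsed or interpolated.
my @cmd = ($^X, $0, '--helper', 'sampleuser');
my $pid = open(my $to_helper, '|-', @cmd)
    or die "cannot start helper: $!\n";

print {$to_helper} "$SECRET\n";

# close() on a pipe waits for the child and reports its exit status.
close($to_helper)
    or die "helper failed: exit status ", $? >> 8, "\n";
```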