[Wellington-pm] perl-suid deprecated, in favour of what?

Srdjan srdjan at catalyst.net.nz
Tue May 23 15:34:20 PDT 2006

But what if you have sensitive data you don't want to be seen on the command 
line, like passwords?

Grant McLean wrote:
> On Wed, 2006-05-24 at 09:42 +1200, Lesley Walker wrote:
>> Thanks guys,
>> This has pretty much turned out to be an Apache question, 
> Are you sure?  Can the CGI script not get the info you need?
>> so I'll try that keep-env thing, and if that doesn't do what 
>> I need I'll go and search some Apache mailing lists.
> Using keep-env wouldn't be my preferred approach.  My vote would be for
> the CGI script to get the info it needs and pass it to the priviliged
> script on the command line.  Passing things via the environment is
> non-obvious enough without also having to rely on some obscure entry in
> the sudoers file.
> It may seem like the path of least resistance was Peter's suggestion of
> not changing the CGI script but just adding a CGI wrapper that invokes
> the original script via sudo.  But from a security perspective it would
> be safer to keep the bulk of your code in the non-priviliged CGI script
> and only extract the specific part which needs special permissions.  If
> you just need to read a file then script invoked via sudo would be very
> short and very easy to audit.
> Cheers
> Grant
> _______________________________________________
> Wellington-pm mailing list
> Wellington-pm at pm.org
> http://mail.pm.org/mailman/listinfo/wellington-pm

More information about the Wellington-pm mailing list