[Wellington-pm] perl-suid deprecated, in favour of what?

Lesley Walker LRW at clear.net.nz
Tue May 23 17:41:48 PDT 2006


On Wed, 2006-05-24 at 10:26 +1200, Grant McLean wrote:
> On Wed, 2006-05-24 at 09:42 +1200, Lesley Walker wrote:
> > Thanks guys,
> > This has pretty much turned out to be an Apache question, 
> 
> Are you sure?  Can the CGI script not get the info you need?

I'm still trying to figure out (1) which variables I need and (2) how I
would get the POST data through. This seems very messy.

> It may seem like the path of least resistance was Peter's suggestion of
> not changing the CGI script but just adding a CGI wrapper that invokes
> the original script via sudo.  But from a security perspective it would
> be safer to keep the bulk of your code in the non-privileged CGI script
> and only extract the specific part which needs special permissions.  If
> you just need to read a file then the script invoked via sudo would be very
> short and very easy to audit.

I think I prefer this approach as well - i.e. instead of doing "open LOG,
$logfile" I need to open a pipe from a command, right?

But I'm having trouble getting this to work as well.  I have written a
little script catmaillog (which obviously chooses the correct log and
cats it), and I can "sudo catmaillog" from the command line as www-data
and it works correctly. But when I run myscript.pl, either from the
command line or via Apache, I get "cannot open: Permission denied".

Oh well, at least it's a little more Perl-relevant now...

LesleyW
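
The pipe-from-a-command approach discussed in this message, as an added example that is not part of the original post or thread: the unprivileged script reads the helper's output through a list-form pipe open and reports start-up failures separately from a non-zero exit of the helper. The helper path, the sudoers rule in the comment, and the name read_from_command are assumptions; the demonstration at the end uses a constructed stand-in command so it runs without sudo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical install path for the helper. The matching sudoers rule
# (also an assumption) would be:
#   www-data ALL=(root) NOPASSWD: /usr/local/bin/catmaillog
my @HELPER = ('/usr/bin/sudo', '-n', '/usr/local/bin/catmaillog');

# Run a command and return its output lines. The list form of open
# bypasses the shell, so nothing from the request can alter the command.
sub read_from_command {
    my @cmd = @_;
    local %ENV = (PATH => '/usr/bin:/bin');    # fixed, minimal environment
    open(my $fh, '-|', @cmd)
        or die "cannot start $cmd[0]: $!\n";
    my @lines = <$fh>;
    # close() on a pipe waits for the child; on failure $! is set for an
    # I/O error, otherwise $? holds the child's exit status.
    unless (close $fh) {
        die $! ? "error reading from $cmd[0]: $!\n"
               : "$cmd[0] exited with status " . ($? >> 8) . "\n";
    }
    return @lines;
}

# In the CGI script the call would be: my @log = read_from_command(@HELPER);

# Stand-alone demonstration: perl itself prints one constructed log line.
my @log = read_from_command($^X, '-e',
    'print "May 23 17:41:48 mail postfix/smtpd[1234]: constructed sample\n"');
print "read ", scalar(@log), " line(s): $log[0]";

# A helper that fails is reported by exit status, not as an open error.
eval { read_from_command($^X, '-e', 'exit 3'); 1 }
    or print "helper failure caught: $@";
```

With `sudo -n`, sudo exits with an error instead of prompting when the rule does not allow a password-less run, and that shows up here as a non-zero exit status.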
