[Wellington-pm] perl-suid deprecated, in favour of what?
Lesley Walker
LRW at clear.net.nz
Tue May 23 17:41:48 PDT 2006
On Wed, 2006-05-24 at 10:26 +1200, Grant McLean wrote:
> On Wed, 2006-05-24 at 09:42 +1200, Lesley Walker wrote:
> > Thanks guys,
> > This has pretty much turned out to be an Apache question,
>
> Are you sure? Can the CGI script not get the info you need?
I'm still trying to figure out (1) which variables I need and (2) how I
would get the POST data through. This seems very messy.
> It may seem like the path of least resistance was Peter's suggestion of
> not changing the CGI script but just adding a CGI wrapper that invokes
> the original script via sudo. But from a security perspective it would
> be safer to keep the bulk of your code in the non-priviliged CGI script
> and only extract the specific part which needs special permissions. If
> you just need to read a file then script invoked via sudo would be very
> short and very easy to audit.
I think I prefer this approach as well - ie instead of doing "open LOG,
$logfile" I need to open a pipe from a command, right?
But I'm having trouble getting this to work as well. I have written a
little script catmaillog (which obviously chooses the correct log and
cats it), and I can "sudo catmaillog" from the command line as www-data
and it works correctly. But when I run myscript.pl, either from the
command line or via Apache, I get "cannot open: Permission denied".
Oh well, at least it's a little more Perl-relevant now...
LesleyW
More information about the Wellington-pm
mailing list