http://qs1969.pair.com?node_id=108217

deprecated has asked for the wisdom of the Perl Monks concerning the following question:

Um, I feel totally retarded. I have a ksh script that calls quite a few perl scripts to update the database, which is being called from a cgi script on a different machine:
[ localbox ] { cgi } -- [ telnet ] --> [ remotebox ] { ksh -> perl }
Since I don't want _my_ password, or a user with write privs, to be stored in the script, I'm using a temporary user, say "foouser". But when foouser tries to execute my scripts, it gets all kinds of errors about modules not being found in @INC which are clearly there. I got a little irritated, and even ran a chmod -R a+r $HOMEDIR/perl/ , and that didn't work... it doesn't work making the ksh script u+s me either. What the heck do I have to do to make the script work for other users?

thanks,
brother dep.

--
Laziness, Impatience, Hubris, and Generosity.

Re: suid me perl scripts and @INC (code)
by Masem (Monsignor) on Aug 27, 2001 at 23:00 UTC
    I believe you need to make sure that any directories that you want shared to be o+rx from that directory and up (Yes, this means you need to have your home dir +rx as well, which raises the big "this sucks" flag).

    A better solution would be to create a new group under unix, adding yourself and your temp user to this group. Then, chgrp your home dir and perl dir (and sub dirs from there) to this new group, then g+rx those same dirs. Before you do that, I would also make sure to g-rwx all files in your home dir, and possibly move sensitive files to a different folder that is only u+rwx, so that only you can modify and view them in case the temporary user is hacked; all they'd be able to do would be to see what files you have in ~, and what you have in the perl directory.

    Alternatively, talk to your sysops about creating a shared group directory outside of your home node, and that's even more secure. Again, you'd want to have a group to limit who sees it.

    -----------------------------------------------------
    Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain
    It's not what you know, but knowing how to find it if you don't know that's important
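    The two steps Masem describes (find which directory on the way to ~/perl is blocking the other user, then open the tree to a shared group while stripping group/other bits from everything else in ~) written out as a POSIX shell script. This is an added example, not code from the thread; the tree it builds under mktemp, the file names (.netrc, Foo/Bar.pm) and the function names are all constructed for the demo, and the chgrp step only runs if you pass a group name, since the demo has no group to hand.

```shell
#!/bin/sh
# Added example (not from the thread). A different user such as foouser can only
# load modules from ~/perl if every directory from / down to it grants that user
# search (x) permission; this script finds the blocking directory and then applies
# Masem's group-based recipe to a constructed home tree.

# mode_of PATH -> the 10-character mode field of ls -ld, e.g. drwxr-x---
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# has_search PATH WHO -> succeeds if WHO (group|other) has the x bit on PATH.
# 's'/'t' mean x is set together with setgid/sticky; 'S'/'T' mean it is not.
has_search() {
    case $2 in
        group) pos=7 ;;
        other) pos=10 ;;
        *) echo "has_search: WHO must be group or other" >&2; return 2 ;;
    esac
    case $(mode_of "$1" | cut -c"$pos") in
        x|s|t) return 0 ;;
        *)     return 1 ;;
    esac
}

# check_search_path DIR WHO TOP -> walks from DIR up to TOP and prints every
# directory that would stop WHO from reaching DIR; returns 1 if any does.
check_search_path() {
    dir=$1; who=$2; top=$3; bad=0
    while :; do
        if ! has_search "$dir" "$who"; then
            echo "blocked for $who: $dir ($(mode_of "$dir"))"
            bad=1
        fi
        [ "$dir" = "$top" ] && break
        dir=$(dirname "$dir")
    done
    return $bad
}

# share_perl_tree HOME PERL [GROUP] -> Masem's recipe: g-rwx (and o-rwx) the
# regular files sitting directly in HOME, give the group r+x on HOME and on the
# PERL tree, and, if GROUP is given, chgrp HOME and the PERL tree to it.
share_perl_tree() {
    home=$1; perl=$2; group=$3
    find "$home" -maxdepth 1 -type f -exec chmod go-rwx {} +
    chmod o-rwx "$home"
    chmod g+rx "$home"
    chmod -R g+rX "$perl"
    if [ -n "$group" ]; then
        chgrp "$group" "$home"
        chgrp -R "$group" "$perl"
    fi
}

# demo -> builds a constructed ~ in a temp dir, shows the lookup blocked before
# and open after share_perl_tree, and that ~ stays closed to "other" and the
# secret file ends up owner-only. Returns 0 only if all of that holds.
demo() {
    base=$(mktemp -d)
    home="$base/home/me"; perl="$home/perl"
    mkdir -p "$perl/lib/Foo"
    chmod 755 "$base" "$base/home" "$perl" "$perl/lib" "$perl/lib/Foo"
    chmod 700 "$home"                                   # usual default: nobody else may traverse ~
    printf 'package Foo::Bar; 1;\n' > "$perl/lib/Foo/Bar.pm"
    chmod 644 "$perl/lib/Foo/Bar.pm"
    printf 'machine db login me password hunter2\n' > "$home/.netrc"   # constructed secret
    chmod 644 "$home/.netrc"                            # careless mode on a secret in ~

    echo "--- before"
    check_search_path "$perl/lib/Foo" group "$base" && return 1      # expect: ~ blocks group
    share_perl_tree "$home" "$perl"                                  # no chgrp in the demo
    echo "--- after"
    check_search_path "$perl/lib/Foo" group "$base" || return 1      # expect: path open to group
    has_search "$home" other && return 1                             # other is still locked out
    case $(mode_of "$home/.netrc") in
        -rw-------) ;;                                               # secret is now owner-only
        *) return 1 ;;
    esac
    rm -rf "$base"
    return 0
}

demo
```

    Run the script as-is to see the before/after report on the constructed tree; against a real account, call check_search_path on the @INC directory with TOP set to / to find the directory that needs g+x, and pass the shared group as the third argument of share_perl_tree. Note that g+x (search) on ~ is enough for traversal; Masem's g+rx additionally lets the group list what is in ~.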

Re: suid me perl scripts and @INC (code)
by idnopheq (Chaplain) on Aug 27, 2001 at 23:00 UTC
    Hola, deprecated!

    Perhaps passing a perl -Idirectory perlfile in the ksh script? Or have you done that?

    Also, you could try tweaking the .profile file for the user.

    UPDATE: I like masem's better. Also, if you have access, try logging in directly as the user and see what happens.

    HTH
    --
    idnopheq
    Apply yourself to new problems without preparation, develop confidence in your ability to meet situations as they arise.

Re: suid me perl scripts and @INC (code)
by suaveant (Parson) on Aug 27, 2001 at 22:57 UTC
    I am actually working on a suid c wrapper for perl scripts that passes a protected conf file to a perl script that runs unprotected... I hope to have it presentable some time this week if you want to try it out...

                    - Ant
                    - Some of my best work - Fish Dinner