
forcing script to run as specific user

by c (Hermit)
on Jun 05, 2002 at 19:49 UTC (#171971=perlquestion)

c has asked for the wisdom of the Perl Monks concerning the following question:

I have a feeling the short answer to this question is 'use cvs' but I'm forging ahead since I have no experience with cvs and a fair amount with rcs...

I'm writing a script that will pull down router configs via tftp and I would like them to be written to an rcs guarded file on the server. Checking out the config is not a problem, however rcs only gives write permission to the file owner. Tftpd writes files as 'nobody'. In the hopes of checking the config file out as 'nobody' I did a

chown nobody scriptname
chmod 4755 scriptname

But to no avail. The script still checks out the config file from rcs as the actual uid of the individual running the script. Is this something I need to follow up with in my script's code, or am I just not understanding using the setuid bit? My code snip is as follows:

#!/usr/bin/perl -w
use strict;
use Net::SNMP;
use Rcs;

my $rcs = Rcs->new;
$rcs->rcsdir("/usr/local/tftp/RCS");
$rcs->file("router.cfg");
$rcs->co('-l');
&copy_config_from_tftp;
$rcs->ci('-u');

Replies are listed 'Best First'.
Re: forcing script to run as specific user
by vladb (Vicar) on Jun 05, 2002 at 20:13 UTC
    As far as I know it, there's no easy way of doing this from within perl. Once the script is launched, you can't change its 'owner' from inside the script. However, in many cases when I had to deal with a similar problem, I found 'sudo' shell command rather useful.

    (from the man page) The command..

    allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file.

    So, if I wanted to run your script as user 'nobody', I'll simply go:
    home:vlad> sudo -u nobody myscript

    UPDATE: as an afterthought, I guess you could try crafting a perl wrapper script that'll do nothing but execute a system command like so: "su nobody; $command". But, again, that could be as easily accomplished outside of Perl.

    $"=q;grep;;$,=q"grep";for(`find . -name ".saves*~"`){s;$/;;;/(.*-(\d+) +-.*)$/; $_=["ps -e -o pid | "," $2 | "," -v "," "];`@$_`?{print"+ $1"}:{print" +- $1"}&&`rm $1`; print$\;}
Re: forcing script to run as specific user
by robobunny (Friar) on Jun 05, 2002 at 20:32 UTC
    there is an element of OS dependence here. for example:
    print "real userID: $<\n";
    print "effective userID: $>\n";
    then chown nobody / chmod 4755 and

    on linux the output is (20039 is my UID, nobody is 99):
    real userID: 20039
    effective userID: 20039

    but on solaris:
    real userID: 20039
    effective userID: 99

    take a look at 'perldoc perlsec' for more info on setuid scripts. i believe you'll need to run the 'suidperl' binary to do what you want to do.
      take a look at 'perldoc perlsec' for more info on setuid scripts. i believe you'll need to run the 'suidperl' binary to do what you want to do.

      As there are numerous complications with setuid scripts and suidperl *, I would go for the sudo option mentioned above.

      * See this entry in the perldelta manpage for 5.8.0 rc1:

      After years of trying the suidperl is considered to be too complex to ever be considered truly secure. The suidperl functionality is likely to be removed in a future release.

      -- Joost downtime n. The period during which a system is error-free and immune from user input.
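
The two suggestions in the replies (check `$<` / `$>`, then use `sudo -u nobody`) can be combined in one script that re-runs itself under sudo when it is not already running as the target user. This is an added example, not code from any poster in the thread; the sudo path, the `--reexeced` marker argument and the sudoers rule it relies on are assumptions.

```perl
#!/usr/bin/perl
# Added example: re-run this script as 'nobody' through sudo when needed.
use strict;
use warnings;
use Cwd qw(abs_path);

# Assumptions, not from the thread: sudo is at /usr/bin/sudo, and sudoers
# already lets the caller run this script as 'nobody'.
my $TARGET_USER = 'nobody';
my $SUDO        = '/usr/bin/sudo';
my $GUARD       = '--reexeced';    # hypothetical marker argument

# Pure decision: compare the effective UID ($>) with the wanted UID.
sub plan_for_euid {
    my ($euid, $target_uid, $reexeced) = @_;
    return 'run'  if $euid == $target_uid;
    return 'fail' if $reexeced;    # sudo already ran, identity still wrong
    return 'reexec';
}

sub become_target_user {
    my @args = @_;
    my $target_uid = getpwnam($TARGET_USER);
    defined $target_uid or die "unknown user: $TARGET_USER\n";

    my $reexeced = @args && $args[0] eq $GUARD;
    shift @args if $reexeced;

    my $plan = plan_for_euid($>, $target_uid, $reexeced);
    return @args if $plan eq 'run';
    die "still euid $> after sudo, check sudoers\n" if $plan eq 'fail';

    # Fixed PATH and no shell-influencing variables, as perlsec advises.
    $ENV{PATH} = '/usr/bin:/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

    my $script = abs_path($0) or die "cannot resolve path of $0\n";
    # List-form exec: no shell parses the arguments.
    exec { $SUDO } $SUDO, '-u', $TARGET_USER, '--', $script, $GUARD, @args
        or die "exec $SUDO failed: $!\n";
}

my @argv = become_target_user(@ARGV);
print "real userID: $<\n";
print "effective userID: $>\n";
# Work that must happen as 'nobody' (the rcs co/ci steps) goes after this point.
```

The marker argument stops an endless re-exec loop if sudo succeeds but the identity is still wrong; an environment variable would not work for this because sudo's default `env_reset` strips it.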

Node Type: perlquestion [id://171971]
Approved by Zaxo