is there some more elegant way to let CGI-scripts somehow do administrative work on a machine?

I've used a few different methods.

If the response of the process isn't immediately important, you can have the CGI process write out a file that a root-owned process will check for, and complete the processing. The directory permissions were such that only the script in question could write to it. (I was using CGIwrap, as it was a Netscape server)

If the process had to be run as root, just to modify files, I have set up the server to have abnormal permissions (using facls in Solaris, or just adjusting the files to g+w, and assigning the user to the relevant groups), so that the process didn't have to be run as root, but could be run as another special user that I created. (and again, was using CGIwrap, so I didn't have to give the permission to the user that the webserver was running as).

I've set up sudo to give users specific access, although I've never set it to be passwordless. I would think it would be okay, provided that you ensured that this was the only process that the user was allowed to run under sudo, and didn't do something like

nobody   ALL=(ALL) ALL

I'd probably still use CGIwrap (or suEXEC, if using Apache), so that I'm not giving permission to my entire webserver... but I'm paranoid, from having worked on multi-user systems.

would something like that be 'secure enough'

It's hard for us to make that judgement call. (Some folks would argue that the system isn't secure, because it's plugged into the network.) You would have to make the call if the benefits derived from this process are more significant than the potential risks from giving the webserver the ability to run it.

That's going to depend on just what it is that you're doing, and the company's value on it being done. (and the value if it were to stop working suddenly, or the whole webserver to stop working)

I also don't see any advantages to not taking any arguments -- if it's called from CGI, it gets input from environmental variables, not STDIN, so the process still may be subject to tainted input.

In reply to Re: can perl with sudo be 'secure enough'? by jhourcle
in thread can perl with sudo be 'secure enough'? by schweini
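
An added example, not part of jhourcle's post: one way to write the root-owned side of the spool-directory approach in Perl, under taint mode so that nothing read from a request file reaches a command unchecked. The spool path, the `webadmin` user, the `.req` file naming and the two helper scripts are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example: root-owned spool worker, run from cron or a loop.
# Every path, user name and action below is hypothetical.
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW);

# Taint mode will not exec anything until the environment is pinned.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $SPOOL   = '/var/spool/webadmin';   # writable only by the CGI user
my $CGI_UID = getpwnam('webadmin');    # the CGIwrap/suEXEC user
die "no such user: webadmin\n" unless defined $CGI_UID;

# Allowlist: a request may only select a key; the command line is fixed here.
my %ACTION = (
    'rotate-logs'  => ['/usr/local/sbin/rotate-site-logs'],
    'rebuild-site' => ['/usr/local/sbin/rebuild-site'],
);

opendir(my $dh, $SPOOL) or die "opendir $SPOOL: $!\n";
for my $name (sort readdir $dh) {
    # A strict pattern untaints the file name and rejects '.', '..' and paths.
    next unless $name =~ /\A([A-Za-z0-9]{1,32}\.req)\z/;
    my $path = "$SPOOL/$1";

    # O_NOFOLLOW refuses symlinks; stat the open handle to avoid a race.
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW) or next;
    my @st = stat $fh;
    my $ok = @st && -f _ && $st[4] == $CGI_UID && $st[7] <= 256;
    my $line = $ok ? <$fh> : undef;
    close $fh;
    unlink $path;                       # one-shot: a request is never replayed
    next unless defined $line;
    chomp $line;

    # File contents are tainted; only regex captures are trusted.
    my ($action, $site) = $line =~ /\A([a-z-]{1,32}) ([a-z][a-z0-9-]{0,30})\z/
        or next;
    my $cmd = $ACTION{$action} or next;

    # List-form system() bypasses the shell, so $site cannot inject syntax.
    system(@$cmd, $site) == 0 or warn "$action $site failed: status $?\n";
}
closedir $dh;
```

The CGI script only ever writes a line such as `rotate-logs example-site` into the spool directory; the command path and any privileged options stay in the root-owned file.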
