Beefy Boxes and Bandwidth Generously Provided by pair Networks
good chemistry is complicated,
and a little bit messy -LW
 
PerlMonks  

can perl with sudo be 'secure enough'?

by schweini (Friar)
on May 17, 2005 at 22:35 UTC ( [id://458023]=perlquestion: print w/replies, xml ) Need Help??

schweini has asked for the wisdom of the Perl Monks concerning the following question:

Hi, all

I vaguely remember that suidperl (couldn't find its website, By the way?) was littered with security problems, and was (planned to be?) discontinued.
Yet, now i have to allow some CGI-invoked processes to be able to execute some perl scripts that really should be suid root, so my plan was to allow apache to call these scripts via sudo, and tell sudo not to prompt for a password.
additionally, the called scripts will (hopefully) do some additional checks regarding who called them when and how to determine whether everything's fine, and they wont take any arguments (just to avoid any potential pitfalls).
would somehting like that be 'secure enough', or is there some more elegant way to let CGI-scripts somehow do administrative work on a machine? how does webmin do this?

thanks,
-schweini

Replies are listed 'Best First'.
Re: can perl with sudo be 'secure enough'?
by dug (Chaplain) on May 17, 2005 at 23:39 UTC
    so my plan was to allow apache to call these scripts via sudo, and tell sudo not to prompt for a password.
    As of perl 5.6.1 (see perl561delta for details) what you describe is the suggested way. If you want to be extra paranoid (obviously I can't know what "secure enough" for your environment is ;-) you could chroot the scripts as well.

    -- Douglas Hunter
[reply]
[d/l]
Re: can perl with sudo be 'secure enough'?
by gam3 (Curate) on May 17, 2005 at 23:09 UTC
    This should be safe. It sounds like you are only trusting apache to run these scripts as root.

    I don't know what you are trying to do, but you might not need to be root. Look into setting up a user with groups to run these scripts as a user other than root.

    -- gam3
    A picture is worth a thousand words, but takes 200K.
[reply]
      I wrote this node a long time ago (anonymously), where I gave a little more detail about how to set up security like this using groups.

      buckaduck

[reply]
Re: can perl with sudo be 'secure enough'?
by jhourcle (Prior) on May 18, 2005 at 11:57 UTC
    is there some more elegant way to let CGI-scripts somehow do administrative work on a machine?

    I've used a few different methods.

    If the response of the process isn't immediately important, you can have the CGI process write out a file, that a root owned process will check for, and complete the processing. The directory permissions were such that only the script in question could write to it. (I was using CGIwrap, as it was a netscape server)

    If the process had to be run as root, just to modify files, I have set up the server to have abnormal permissions (using facls in Solaris, or just adjusting the files to g+w, and assigning the user to the relevent groups), so that the process didn't have to be run as root, but could be run as another special user that I created. (and again, was using CGIwrap, so I didn't have to give the permission to the user that the webserver was running as).

    I've set up sudo to give users specific access, although I've never set it to be passwordless. I would think it would be okay, provided that you ensured that this was the only process that the user was allowed to run under sudo, and didn't do something like

    nobody   ALL=(ALL) ALL

    I'd probably still use CGIwrap (or suEXEC, if using Apache), so that I'm not giving permission to my entire webserver... but I'm paranoid, from having worked on multi-user systems.

    would somehting like that be 'secure enough'

    It's hard for us to make that judgement call. (Some folks would argue that the system isn't secure, because it's plugged into the network.) You would have to make the call if the benefits derived from this process are more significant than the potential risks from giving the webserver the ability to run it.

    That's going to depend on just what it is that you're doing, and the company's value on it being done. (and the value if it were to stop working suddenly, or the whole webserver to stop working)

    I also don't see any advantages to not taking any arguments -- if it's called from CGI, it gets input from environmental variables, not STDIN, so the process still may be subject to tainted input.

[reply]
[d/l]
Re: can perl with sudo be 'secure enough'?
by etcshadow (Priest) on May 18, 2005 at 02:58 UTC
    It's also good practice to write these perl scripts to use the -T taint-check flag. It makes the coding a little more tricky, but worth it. 
    ------------
:Wq
Not an editor command: Wq

    [download]
[reply]
[d/l]
Re: can perl with sudo be 'secure enough'?
by ghenry (Vicar) on May 18, 2005 at 07:49 UTC

    I have just done this. I was tempted to do it with a c wrapper or with suexec using Apache, but I was running the CGI stuff under a virutal host.

    I decided to do it with sudo and no password, with the -T option for perl.

    HTH.

    Walking the road to enlightenment... I found a penguin and a camel on the way.....
    Fancy a yourname@perl.me.uk? Just ask!!!
[reply]
[d/l]
[select]

Back to Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: perlquestion [id://458023]
Approved by gam3
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others surveying the Monastery: (6)
As of 2024-04-19 13:07 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found