dsheroh has asked for the wisdom of the Perl Monks concerning the following question:
My situation:
I've put some code together on a Debian Linux (mostly-)potato box that runs primarily as a web-based app, but also has a command-line print utility. Its configuration includes a database password, so I put the config into a file under /etc with permissions 0640 owned by me.www-data.
The problem, of course, is that, although this works fine for apache running it, the command-line utility isn't able to read the config when run by mortal users. I could add the users who need access to group www-data so they can read it, but, well, that would be the wrong solution and I don't want them to be able to read the file directly anyhow.
The obvious solution, then, was to change the ownership of the command-line script to group www-data and make it sgid.
The obvious solution doesn't work. With sgid set, everyone except root gets "Permission denied." when they try to execute the print utility. Changing the #!/usr/bin/perl to point at suidperl instead produces the error "Script is not setuid/setgid in suidperl" if the script is not sgid and "Permission denied." if it is sgid. (After trying this, I found a node here saying not to try running suipdperl directly, so I've undone that and am just mentioning it for completeness.)
So, what do I need to do to make this work without adding all users of the command-line utility to group www-data or making the config file world-readable?
|
|---|
| Replies are listed 'Best First'. | |
|---|---|
|
Re: Getting perl code to run sgid
by derby (Abbot) on May 22, 2002 at 15:23 UTC | |
by dsheroh (Monsignor) on May 22, 2002 at 15:31 UTC | |
by derby (Abbot) on May 22, 2002 at 15:45 UTC | |
|
Re: Getting perl code to run sgid
by dsheroh (Monsignor) on May 22, 2002 at 16:03 UTC |