traveler has asked for the wisdom of the Perl Monks concerning the following question:

I have a nice little perl script that accesses some data in a Linux file. I used to run it setuid with suidperl, but then switched to sudo (which I generally prefer) when the system got it. Now I need to run that little proggie on Windows XP. The program has a data file that multiple users need to change (since only my program does the changing, I use flock). Clearly if I give everyone read permission, unauthorized users can read it; if I give everyone write permission, well, anyone can mangle the file. The latter is a bigger problem for me.

In the absence of setuid or sudo, is there something I can do or install on XP so I can use this program there? I know zonealarm blocks net access based on what program requests it. Is there some way I can write a service in perl that only allows access to a particular file by a particular program?

All ideas welcome. Thanks! --traveler

Replies are listed 'Best First'.
Re: suidperl/sudo function-alike on Win32
by Thelonius (Priest) on Mar 01, 2003 at 02:33 UTC
    Here is the only way I know to do it. You write your program in two parts. One part runs as a service with access to the file. The other part is a client, which connects to the service via a named pipe. You can use SECURITY_SQOS_PRESENT flag so that the service can verify (or even impersonate) the identity of the user running the client. The client sends requests to the service which then executes them.

    I wrote this in C once to try it out. I have the source code at work which I can send you if you're interested. I don't think all the functions I used have been implemented in the Win32 modules.

    For some time I have wanted to write a module which would perform this kind of automatically-authenticated IPC connection, with variants for different OSes. On some *nix systems there is a SO_PEERCRED socket option to identify a local connection. You can also use a convoluted protocol where the client proves his identity by performing some actions in the file system. But, alas, I haven't gotten around to doing it.

    This style of programming is somewhat more secure than setuid or sudo. E.g. it's less susceptible to manipulation of environment variables. Also, with setuid programs, if you want to use a cryptographic key you have to store it in the file system and hope that file system security and obfuscation protect it. With the authenticated-IPC style, the (trusted) person who starts the process can type in a password once and the key can be kept in memory.

[reply]
Re: suidperl/sudo function-alike on Win32
by Anonymous Monk on Mar 01, 2003 at 19:35 UTC
    A brief Google search for "suid win32 perl" led me to this site (a bit slow-loading, however) for a module named Win32::AdminMisc. Apparently there's a function for "CreateProcessAsUser" and "LogonAsUser", which sound like they do what you need. However, this module doesn't appear to be in CPAN and there's no obvious indication when it was last updated (although by the version number, possibly in 2000?) and therefore no indication of exactly what combos of Perl versions and OSes it'll work with.
[reply]

      Some more Google shows that these are Windows API functions, so you could just write a small XS or Inline::C module that does the trick. That is, if the functions are suitable for you.

      It's not hard, really. I was scared when I did my first XS module to wrap an API function with the least overhead possible, but it was quite easy, given the loads of documentation out there.</>

[reply]
      Unfortunately, the documentation says that any process using LoginAsUser nees "act as part of the operating system" (SeTcbPrivilege). I'm not sure it is wise to grant that priv to all users.

      --traveler

[reply]
Re: suidperl/sudo function-alike on Win32
by grantm (Parson) on Mar 01, 2003 at 00:29 UTC

    Can't you just put all the people who need access, into one group and give that group read/write access?

[reply]
      Yse, but then anyone in the group could mangle the file. Also, virtually all users on the system need access. The file entries are scores. Individuals may want to adjust their or other users' scores for whatever reason. There is not a lot of trust between these users...

      --traveler

[reply]

        OK sorry, my bad for not reading your original post closely enough.

        One 'round the houses' approach would be to use IIS. Start by configuring IIS to disable anonymous access and enable 'Basic Authentication'. Then have your script access a CGI script using LWP and supplying a username/password, eg:

          my $ua = LWP::UserAgent->new()

  my $request = HTTP::Request->new(GET => $cgi_url);

  $request->authorization_basic($username, $password);

  my $response = $ua->request($request);

        [download]

        When the script pointed to by $cgi_url is run, IIS will have arranged for it to be running under the security context of user $username. Furthermore, the security token which results from this type of authentication would allow the CGI process to access files on remote shares - handy if you don't have IIS on the box where the high socre file lives. The URL you requested would presumably include a querystring containing any new data to be written to the file.

        Of course the major drawback of this approach is that the username and password must be available in clear text to your script which means that one of your users could subvert the system if they had access to the source and were determined enough.

[reply]
[d/l]
Re: suidperl/sudo function-alike on Win32
by graff (Chancellor) on Mar 02, 2003 at 21:42 UTC
    Is there a possibility that you could store the file data in a database (e.g. MySql) rather than in a file? If so, this should handle the problem of possible concurrent access by multiple users, and by having just one process that knows the location/login/structure of the database, you have at least that amount of control over the access to the data, as well as reasonable constraints on how the data are updated, etc.
[reply]
      I cannot do that (but would like to). My question is still, how do I keep from having to have the db (MySQL, flat file, etc) be world writable?

      --john

[reply]

        I cannot do that (but would like to). My question is still, how do I keep from having to have the db (MySQL, flat file, etc) be world writable?

        The DB files could be protected so that only the user that the service runs as has write permission. But easier is to set the DB service to start automatically, which means it will start as soon as the machine boots. Which would be before any user can authenticate themselves. The DB would then obtain a lock on the DB file, and since Win32 provides compulsory locking semantics and not advisory locking semantics the files would be effectively locked to anyone other than the DB service.

        Overall there are a number of ways to accomplish what you want. But they wont be the *nix ways, so you might have to look at a different approach. For instance I think you prematurely dismissed (and for reasons that I dont think were correct) the service based approach suggested earlier.

        ---
        demerphq


[reply]
[d/l]

Back to Seekers of Perl Wisdom