I get a very vague idea of what you are trying to tell us you want to achieve: Do you want a webservice to run a perl script as root using sudo without granting, through that webservice, root privileges to the perl interpreter so that it can run any other program as root too?

If that's what you want, then how about embedding perl and hardcoding your perl script within a C program and granting that program the root privilege. In other words you have created an executable which contains a perl interpreter BUT will interpret only the script you hardcode in the C program and nothing else. At least that's the idea -- I am not an expert on security though.

Here is an example C program (skeleton for it is at: perlembed) -- WARNING: to demonstrate root privilege passed on to perl's system(), this program touches the file 'xyz' in the current dir, possibly as root if you sudo it:

    // cc -o embed_example embed_example.c `perl -MExtUtils::Embed -e ccopts -e ldopts`
    #include <EXTERN.h>
    #include <perl.h>

    static PerlInterpreter *my_perl;

    int main(int argc, char **argv, char **env)
    {
        // no script file is handed to the interpreter, only "-e 0";
        // the hardcoded script is fed to it via eval_pv() below
        char *embedding[] = { "", "-e", "0", NULL };

        PERL_SYS_INIT3(&argc, &argv, &env);
        my_perl = perl_alloc();
        perl_construct(my_perl);
        perl_parse(my_perl, NULL, 3, embedding, NULL);
        PL_exit_flags |= PERL_EXIT_DESTRUCT_END;
        perl_run(my_perl);

        eval_pv(
            // here is the mock script:
            "my $a = 12; print \"a=$a\n\";"
            "system('touch xyz; ls -al xyz');"
            "print 'iam: '.(getpwuid $<).\"\n\";"
            , TRUE);

        perl_destruct(my_perl);
        perl_free(my_perl);
        PERL_SYS_TERM();
        return 0;
    }

On my OSX, sudo'ing the above executable will create file xyz with root as owner. Replace the mock script with your own perl script.

Edit: I changed the mock script to show uid

bw, bliako


In reply to Re: Modern and Robust Module for privilege separation Linux by bliako
in thread Modern and Robust Module for privilege separation Linux by Thenothing
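An added example, not part of bliako's post or the perlembed skeleton: one thing a wrapper like the one above should do before it constructs the interpreter is throw away the environment it inherited from the sudo caller. The embedded interpreter still reads PERL5OPT and PERL5LIB from the process environment (perl only ignores them under taint mode), and the script's system() resolves 'touch' through PATH, so whoever can run the wrapper could otherwise influence what the hardcoded script does. sudo's default env_reset already drops most of these names; the code below is defence in depth for sudoers files that use env_keep or !env_reset. It is plain C that compiles without perl.h; the allow-list, the fixed PATH value and the risky-variable list are assumptions to adjust for the real script.

```c
/* Added example (not bliako's code): build a fixed, minimal environment for a
 * root-level wrapper that embeds Perl, so that variables inherited from the
 * sudo caller cannot redirect the hardcoded script. The allow-list and the
 * PATH value are assumptions; plain C, no perl.h needed to compile. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENV 64

/* Variables the embedded interpreter, /bin/sh (via system()) or the dynamic
 * loader would honour; none of them may reach the root interpreter. */
static const char *const risky_vars[] = {
    "PERL5OPT", "PERL5LIB", "PERLLIB", "PERL5DB",
    "LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES", "IFS",
    NULL
};

/* Assumption: the only caller variables the script legitimately needs. */
static const char *const allowed_vars[] = { "HOME", "LANG", "TZ", NULL };

/* Fixed PATH for anything the script spawns via system()/exec. */
static char fixed_path[] = "PATH=/usr/bin:/bin";

/* Returns 1 if the "NAME=value" entry has variable name `name`. */
static int has_name(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Copies allow-listed entries from src into dst (capacity MAX_ENV, NULL
 * terminated) and appends the fixed PATH. Returns the entry count, or -1
 * if dst would overflow. */
int build_clean_env(char *const *src, char **dst)
{
    int count = 0;
    for (; src != NULL && *src != NULL; src++) {
        for (const char *const *a = allowed_vars; *a != NULL; a++) {
            if (has_name(*src, *a)) {
                if (count >= MAX_ENV - 2)   /* leave room for PATH + NULL */
                    return -1;
                dst[count++] = *src;
                break;
            }
        }
    }
    dst[count++] = fixed_path;
    dst[count] = NULL;
    return count;
}

/* Returns the name of the first risky variable present in env, else NULL.
 * Meant as a last check right before perl_alloc()/perl_parse(). */
const char *find_risky_var(char *const *env)
{
    for (; env != NULL && *env != NULL; env++)
        for (const char *const *r = risky_vars; *r != NULL; r++)
            if (has_name(*env, *r))
                return *r;
    return NULL;
}

extern char **environ;

int main(int argc, char **argv, char **envp)
{
    char *clean[MAX_ENV];
    const char *bad;
    (void)argc; (void)argv;

    if (build_clean_env(envp, clean) < 0) {
        fputs("environment too large\n", stderr);
        return 1;
    }
    bad = find_risky_var(clean);
    if (bad != NULL) {            /* cannot happen with the allow-list above */
        fprintf(stderr, "refusing to run: %s present\n", bad);
        return 1;
    }
    /* Install the clean environment before constructing the interpreter; in
     * the wrapper above this goes before PERL_SYS_INIT3()/perl_alloc(). */
    environ = clean;
    for (char **e = clean; *e != NULL; e++)
        puts(*e);
    return 0;
}
```

Run on its own it just prints the surviving entries; in the wrapper, `environ = clean` (and passing `clean` as the env argument of PERL_SYS_INIT3) replaces the inherited environment before the interpreter is built. Pinning PATH also means the script's `system('touch xyz; ...')` no longer depends on the caller's PATH, which is the part of the mock script that actually runs a shell as root.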