My situation:
I've put some code together on a Debian Linux (mostly-)potato box that runs primarily as a web-based app, but also has a command-line print utility. Its configuration includes a database password, so I put the config into a file under /etc with permissions 0640 owned by me.www-data.
The problem, of course, is that, although this works fine for apache running it, the command-line utility isn't able to read the config when run by mortal users. I could add the users who need access to group www-data so they can read it, but, well, that would be the wrong solution and I don't want them to be able to read the file directly anyhow.
The obvious solution, then, was to change the ownership of the command-line script to group www-data and make it sgid.
The obvious solution doesn't work. With sgid set, everyone except root gets "Permission denied." when they try to execute the print utility. Changing the #!/usr/bin/perl to point at suidperl instead produces the error "Script is not setuid/setgid in suidperl" if the script is not sgid and "Permission denied." if it is sgid. (After trying this, I found a node here saying not to try running suidperl directly, so I've undone that and am just mentioning it for completeness.)
So, what do I need to do to make this work without adding all users of the command-line utility to group www-data or making the config file world-readable?
In reply to Getting perl code to run sgid by dsheroh
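The usual way around this, since the Linux kernel ignores the setuid/setgid bits on `#!` interpreter scripts, is a small compiled wrapper that carries the setgid bit and execs the Perl script by a fixed absolute path. The wrapper below is an added example, not code from the original post; the script path `/usr/local/lib/printutil/print.pl` and the whitelist of inherited environment variables are assumptions. Because the caller controls the environment, the wrapper drops everything except a fixed PATH and a few harmless variables (PERL5LIB, PERL5OPT, LD_PRELOAD, IFS and the like never reach the child), and it passes the caller's arguments and real uid through unchanged so the script can still tell who ran it. Note that perl turns taint checks on by itself whenever the real and effective group ids differ, so the print utility has to be written taint-clean.

```c
/* sgid_wrapper.c: a setgid launcher for the command-line print utility.
 * Build:   cc -O2 -Wall -o printutil sgid_wrapper.c
 * Install: chgrp www-data printutil && chmod 2755 printutil
 * (Example code; the script path and whitelist are assumptions.)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Absolute path of the Perl script to run (assumed location). */
#define TARGET_SCRIPT "/usr/local/lib/printutil/print.pl"

/* Variables the child may inherit. Everything else is dropped, because a
 * caller-controlled PERL5LIB, PERL5OPT, LD_PRELOAD or IFS could change what
 * the group-privileged script does. */
static const char *const allowed_vars[] = { "HOME", "LANG", "TERM", "USER", NULL };

/* Fixed PATH so perl and anything the script execs come from known places. */
static const char safe_path[] = "PATH=/usr/bin:/bin";

/* Return 1 if "NAME=value" names a variable in allowed_vars, else 0. */
int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;                           /* malformed: not "NAME=value" */
    size_t len = (size_t)(eq - entry);
    for (int i = 0; allowed_vars[i] != NULL; i++) {
        if (strlen(allowed_vars[i]) == len && strncmp(entry, allowed_vars[i], len) == 0)
            return 1;
    }
    return 0;
}

/* Fill out (capacity max, including the terminating NULL) with the fixed PATH
 * followed by the allowed entries of envp. Returns the number of entries
 * stored, not counting the NULL, or -1 if out is too small. */
int build_clean_env(char *const envp[], const char *out[], size_t max)
{
    size_t n = 0;
    if (max < 2)
        return -1;
    out[n++] = safe_path;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (!env_allowed(envp[i]))
            continue;
        if (n + 1 >= max)
            return -1;                      /* keep room for the NULL */
        out[n++] = envp[i];
    }
    out[n] = NULL;
    return (int)n;
}

int main(int argc, char *argv[], char *envp[])
{
    const char *clean_env[64];
    (void)argc;

    /* Diagnostic: if the effective gid equals the real gid the setgid bit is
     * missing or was stripped (or the caller is already in the group). */
    if (getegid() == getgid())
        fprintf(stderr, "%s: warning: not running setgid; check group and mode 2755\n", argv[0]);

    if (build_clean_env(envp, clean_env, sizeof clean_env / sizeof clean_env[0]) < 0) {
        fprintf(stderr, "%s: environment too large\n", argv[0]);
        return 1;
    }
    /* Exec the script by absolute path with the caller's arguments; the kernel
     * runs the #! interpreter and the real uid stays that of the caller. */
    execve(TARGET_SCRIPT, argv, (char *const *)clean_env);
    perror(TARGET_SCRIPT);
    return 127;
}
```

The wrapper never takes the script path from its arguments or environment, which is what keeps the setgid privilege tied to that one script; the config file can then stay 0640 with group www-data.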