You can use a suid perl/apache but don't do it that way. The best way (IMHO) is to give the web server process permission to execute the program via sudo/sudoers. For example
[root@devel3 log]# cat /etc/sudoers # sudoers file. # This file MUST be edited with the 'visudo' command as root. # See the sudoers man page for the details on how to write a sudoers f +ile. # let apache send HUP to squid apache ALL=NOPASSWD:/home/www/utility/sendHUP.pl [root@devel3 log]# ll /home/www/utility/sendHUP.pl -rwxr-xr-x 1 apache coders 1114 Mar 10 02:43 /home/www/util +ity/sendHUP.pl [root@devel3 log]# cat /home/www/utility/sendHUP.pl #!/usr/bin/perl -w # this script need to be run as root, to do this we add an entry to # /etc/sudoers so that apache can run it (you edit using visudo) # visudo -f /etc/sudoers # add this line # apache ALL=NOPASSWD:/home/www/utility/sendHUP.pl # call as system('sudo', '/home/www/utility/sendHUP.pl'); (kill HUP, $PROGRAM) or exit 42; exit 0;
My webserver runs as apache, but yours may be nobody or something else. What the line in sudoers does is allow apache to *potentialy* run the sendHUP.pl with root privileges. This is required to send (in this case squid) a HUP signal. Note that the actual sendHUP.pl script is not owned by root or suid. It is just a normal script. Note also you need to call this with system( 'sudo', '/some/prog.pl' ) from within your script to execute the program with root privilege.
So by using sudo/sudoers you can limit the webserver to being able to execute as little as a single command/program as root which is better than letting it be able to execute lots of stuff which is quite possible if you go the suid root (route ;-)
cheers
tachyon
In reply to Re: Can the user a script runs as be changed?
by tachyon
in thread Can the user a script runs as be changed?
by theAcolyte
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |