in reply to Re: Faster way to do su
in thread Faster way to do su

I think we may be talking past each other. I just told Fletch why sudo is a bad idea (Re: Re: Faster way to do su). Sadly that was about 1 hour after you and he suggested it. That would be my bad in failing to provide enough information.
I am confused as to why you think I need the root password stored somewhere. I have got su - expecting to be prompted for a password about 5 lines in..... My best guess is that you figured, why would anyone be using several su - processes for multiple users unless he/she had root on the box. In which case, since as root there is no password required, it is much simpler.
Any thoughts as to a more 'pure perl' way of doing it from user nobody (who can really only get a shell through perl)?

jcpunk
all code is tested, and doesn't work so there :p (variant on common PM sig for my own amusement)

Re: Re: Re: Faster way to do su
by Fletch (Bishop) on Apr 16, 2004 at 23:33 UTC

    Ahhh; the code watching for a password prompt from su was giving the impression you weren't root already.

    If you just need to switch to a different user and you're already root then just fork, set $< to the uid of the user in question (or call POSIX::setuid), and exec the script which does the real work.

    Update: OK, reading again it looks like it is nobody that'll be running this. Again, I'd see no problems with a sudo config which allows nobody to run one specific script which immediately drops to the user UID and execs another specific script to do the actual work. If you were truly paranoid you'd write a minimalist wrapper in C and make that suid root (if you're really, really paranoid you'll snip the cat5 and be done with it . . . :).

    Another possibility: use suexec to run this one CGI as another not-nobody unprivileged account which is allowed to sudo to the desired user and run the real work.
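
The fork, drop and exec sequence suggested in the reply above, as an added Perl example that is not part of the original thread. It assumes the caller is already root; the account name `appuser` and the worker path are hypothetical. It goes a little beyond the reply by also setting the groups, verifying the drop and cleaning the environment before the exec.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use English qw(-no_match_vars);
use POSIX ();

# Hypothetical account and worker path; substitute your own.
my $TARGET_USER = 'appuser';
my @WORKER      = ('/usr/local/bin/real-work.pl');

sub run_as {
    my ($user, @cmd) = @_;
    my ($uid, $gid, $home) = (getpwnam $user)[2, 3, 7];
    die "unknown user '$user'\n" unless defined $uid;
    die "refusing to target uid 0\n" if $uid == 0;

    my $pid = fork();
    die "fork failed: $!\n" unless defined $pid;

    if ($pid == 0) {
        # Groups first: after the uid changes we can no longer change them.
        local $! = 0;
        $EGID = "$gid $gid";    # effective gid plus supplementary list
        die "setgroups/setegid failed: $!\n" if $!;
        POSIX::setgid($gid) or die "setgid failed: $!\n";
        # As root, setuid() sets the real, effective and saved uid.
        POSIX::setuid($uid) or die "setuid failed: $!\n";

        # Confirm the drop is complete and irreversible before exec.
        die "uid not dropped\n" unless $UID == $uid && $EUID == $uid;
        die "gid not dropped\n"
            unless (split ' ', $GID)[0] == $gid && (split ' ', $EGID)[0] == $gid;
        die "root can be regained\n" if POSIX::setuid(0);

        # Minimal environment; list-form exec never invokes a shell.
        %ENV = (PATH => '/usr/bin:/bin', HOME => $home, USER => $user);
        exec { $cmd[0] } @cmd or die "exec $cmd[0] failed: $!\n";
    }

    # Parent: wait for the worker and report its exit status.
    waitpid($pid, 0);
    return $? >> 8;
}

exit run_as($TARGET_USER, @WORKER);
```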