allyc has asked for the wisdom of the Perl Monks concerning the following question:

Monks,

I am after your wisdom again. I am currently trying to complete a Web Application that will run on a Unix Server.

The Application creates a CPIO archive from a selection of files. I have managed to get the CPIO to function correctly but I now need to delete the files once they have been added into the archive.

The problem is that the webserver (currently Apache 1.3) is running under an account I have created called cm with a group called cm_staff. This user does not have access to remove the files.

I can’t change the permissions on the file because they are created by a software application we use, with the permissions set to –r-x-r-x—so only the owner can remove / chmod / modify them.

I have done a search and I found several nodes including changing user mid-script which explains about setuid, however it says that there are security issues and that you also have to be root.

Is there any way to change user using a web application so I can remove these files? I can ask the user for their password, but I can't get the web server to run Perl scripts under any other user name.

I have had a look at the code for Webmin for inspiration as it is able to run many things as different users when required, however I don’t understand how it can be done.

The application is currently running on a Linux box with Perl 5.6.1 but will end up on a HP-UX Unix machine.

Could anyone point me in the right direction? I see that Webmin uses its own webserver written in Perl. Is this the key to how it works?

If not, it looks like I might have to use something like Net::FTP to log back into the server with the correct user and delete the files that way; however, there has to be a better solution than this?

Many thanks for your time.

Alistair

Replies are listed 'Best First'.
Re: Running Web Apps as another user
by b10m (Vicar) on May 01, 2004 at 16:02 UTC

    Apache's suEXEC might help you.

    "The suEXEC feature -- introduced in Apache 1.2 -- provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server."
    --
    b10m

    All code is usually tested, but rarely trusted.
Re: Running Web Apps as another user
by sgifford (Prior) on May 01, 2004 at 15:57 UTC
    I can think of two ways to deal with this.

    First, use a SetUID program. You have to be very careful doing that; make sure it can only do the one task it needs to do, and is only executable by the Web server software. To do that, create the Perl script as the user you want it to run as, test it out, and when it works change the group to a group only the Web server is in, and set permissions to u=rxs,g=rx,o= (AKA 4550).

    Or, instead of the Web server actually deleting the files, just have it create a flag file somewhere saying they're ready to be deleted, and have a cron job check for flag files periodically, and when it finds them have it delete the files. This is a little bit more complex, but is safer since there's no SetUID program that can be subverted.
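
The flag-file approach sgifford describes above, sketched as an added example that is not part of the original thread: a sweeper run from the file owner's crontab that treats every path the web server queues as untrusted input. The directories `/var/spool/cm_delete` and `/data/exports`, the `.list` suffix and the function names `refusal` and `sweep` are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: cron-side sweeper for the flag-file approach.
# Runs as the file owner; the web server (user cm) only writes flag files.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Basename qw(dirname);

my $QUEUE_DIR = '/var/spool/cm_delete';  # assumed: cm drops *.list files here
my $DATA_ROOT = '/data/exports';         # assumed: nothing outside this tree is deleted

# Return the reason a queued path is refused, or nothing if it may be deleted.
sub refusal {
    my ($path, $root) = @_;
    return 'not absolute'       unless $path =~ m{^/};
    my @st = lstat($path)       or return 'missing';
    return 'symlink'            if -l _;
    return 'not a regular file' unless -f _;
    return 'not owned by us'    unless $st[4] == $>;
    # Resolve ".." and symlinked parent directories before the prefix check.
    my $dir = abs_path(dirname($path));
    return 'outside data root'
        unless defined $dir && ($dir eq $root || index($dir, "$root/") == 0);
    return;
}

# Process every flag file: one path per line, delete what passes the checks.
sub sweep {
    my ($queue, $root) = @_;
    my $real_root = abs_path($root) or die "data root $root not found\n";
    for my $flag (glob "$queue/*.list") {
        next if -l $flag;                # never follow a symlinked flag file
        open my $fh, '<', $flag
            or do { warn "cannot read $flag: $!\n"; next };
        while (my $path = <$fh>) {
            chomp $path;
            next unless length $path;
            if (my $why = refusal($path, $real_root)) {
                warn "refused $path: $why\n";
                next;
            }
            unlink $path or warn "unlink $path failed: $!\n";
        }
        close $fh;
        unlink $flag or warn "cannot remove flag $flag: $!\n";
    }
}

sweep($QUEUE_DIR, $DATA_ROOT) unless caller;
```

The check and the unlink are not atomic, so the directories under the data root must not be writable by the web server account.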

Re: Running Web Apps as another user
by kappa (Chaplain) on May 01, 2004 at 16:18 UTC
    You can use sudo for this task. You're going to configure sudoers file in such a way that your cm user which runs webapps gets a permission to run a specific command (rm /your/stray/files) as another user, their owner probably. Something like this:
    cm webhost = (user) rm /your/stray/files
    ...and then executing sudo -u user rm /your/stray/files from your script.
Re: Running Web Apps as another user
by allyc (Scribe) on May 12, 2004 at 23:32 UTC

    Many Thanks for all of your help on this one!

    In the end there were too many problems using the SETUID for this project and I didn't have enough time to investigate it more.

    Instead I am now creating a list of the files that need to be deleted, and then connect to the server with Net::FTP using the required user name.

    I am then able to CHMOD and Delete the files and Directories. I know it's a long way around, but it seems to do the job!

    Many Thanks again!

    Alistair