wolfger has asked for the wisdom of the Perl Monks concerning the following question:

I'm writing a CGI user interface for starting/stopping system processes (other programs written by my group) on an AIX box. Mostly I am doing this by using backticks to call Korn shell scripts. I am having problems, though. Commands that work fine on the command line are not working the same from within Perl. One thing I noticed is that my command line username (mptsuser) is different than my CGI username (dcxhttpd). On top of being a potential reason why some commands refuse to execute properly, it adds another layer of trouble in that if the website goes down and my group needs to kill a running process, it can't. We can only log in as mptsuser, and the only way to kill a process started by dcxhttpd is for dcxhttpd (or root) to do it.

So I guess my question is, "how can I have my CGI run processes as though it were mptsuser?"

--
Linux, sci-fi, and Nat Torkington, all at Penguicon 3.0

Replies are listed 'Best First'.
Re: CGI: A Tale of Two Usernames
by gaal (Parson) on Dec 16, 2004 at 15:05 UTC
    Look into sudo (CPAN has a Sudo module, too).
      After installing Sudo.pm I get an error
      wcma $ perl -e 'use Sudo'
      Base class package "Class::Accessor" is empty.
          (Perhaps you need to 'use' the module which defines that package first.)
       at Sudo.pm line 4
      BEGIN failed--compilation aborted at Sudo.pm line 4.
      Compilation failed in require at -e line 1.
      BEGIN failed--compilation aborted at -e line 1.

      --
      Linux, sci-fi, and Nat Torkington, all at Penguicon 3.0
        You need to install Class::Accessor too.

        How did you install Sudo? If you just used the standard CPAN way of installing it, it should have brought in the dependency for you. If it didn't, this is probably a bug in the module's spec, and you should contact the maintainer (or better, open a bug in http://rt.cpan.org).

Re: CGI: A Tale of Two Usernames
by gellyfish (Monsignor) on Dec 16, 2004 at 15:08 UTC

    You can use a setuid wrapper such as CGIwrap, or, if you are using the Apache web server, the SUexec facility of the webserver.

    /J\

Re: CGI: A Tale of Two Usernames
by blahblahblah (Priest) on Dec 17, 2004 at 02:29 UTC
    A couple of alternative ideas:

    1. Run the web server as mptsuser. If you can't change this webserver, maybe you can install another apache for yourself on a different port.
      or
    2. Write a perl script that is run as mptsuser by cron once a minute. Change your cgi script so that it creates a file telling the cron script what to do. If the one minute delay is bad, put a loop in your cron script so that it sleeps for a few seconds and checks for the file, repeating until just under a minute has passed.

      I only wish I had such privileges on this box... And I wish we were using Apache instead of Websphere!
      Thanks for the suggestions, anyhow. I already decided on a course of action similar to #2. Since this CGI was already making a socket connection to another server to check on some process statuses, I decided to just run a second socket connection to a script running on mptsuser on 127.0.0.1 so that mptsuser can launch whatever the CGI tells it to. Maybe not the best solution, but the only one (so far) that doesn't make me dependent on somebody else doing what I want (or increasing my permissions) in a timely fashion this close to the holidays...

      --
      Linux, sci-fi, and Nat Torkington, all at Penguicon 3.0
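
The loopback helper described in the reply above (and the cron variant in alternative 2) is only as safe as what the helper agrees to run. The following is an added example, not code from any poster in this thread: a helper intended to run as mptsuser that maps a fixed set of request lines to fixed script paths and rejects everything else. The port, action names and script paths are hypothetical.

```perl
#!/usr/bin/perl
# Added example: helper that runs as mptsuser and takes requests from the CGI.
# Port number, action names and script paths are hypothetical placeholders.
use strict;
use warnings;
use IO::Socket::INET;

# The only things a client may ask for: request line -> fixed argv list.
my %ACTIONS = (
    'start feed' => ['/home/mptsuser/bin/feed_start.ksh'],
    'stop feed'  => ['/home/mptsuser/bin/feed_stop.ksh'],
);

# Map one request line to an argv array ref, or nothing if it is not allowed.
sub lookup_action {
    my ($line) = @_;
    return unless defined $line;
    $line =~ s/\r?\n\z//;
    return unless $line =~ /\A[a-z]+ [a-z]+\z/;    # shape check before lookup
    return $ACTIONS{$line};
}

sub serve {
    my $listener = IO::Socket::INET->new(
        LocalAddr => '127.0.0.1',   # loopback only; any local account can still connect,
        LocalPort => 7777,          # so the table above is the real access control
        Listen    => 5,
        ReuseAddr => 1,
    ) or die "listen failed: $!";

    while (my $client = $listener->accept) {
        my $argv = lookup_action(scalar <$client>);
        if ($argv) {
            # Indirect-object form of system: the program is exec'd directly and
            # no shell is involved, even when the argv has a single element.
            my $rc = system { $argv->[0] } @$argv;
            print {$client} $rc == 0 ? "OK\n" : "FAILED\n";
        } else {
            print {$client} "REJECTED\n";
        }
        close $client;
    }
}

serve() unless caller;    # start listening when run as a script
```

Nothing the client sends is ever interpolated into a command: the request only selects an entry from the table, so a client on the loopback port can trigger the listed scripts and nothing else.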
Re: CGI: A Tale of Two Usernames
by mkirank (Chaplain) on Dec 17, 2004 at 07:44 UTC
    If you want apache to run as a different user, there is an option in httpd.conf:
    User <username>
    Group <groupname>
    Also read the documentation carefully about the security implications when using sudo.