Permissions for a cgi script

ghenry has asked for the wisdom of the Perl Monks concerning the following question:

Dear Master Monks,

This a quickie, but it's been annoying me for ages and I wanted to find out how everyone does this. It's more a filesystem permission question, but it might be solved with something that I'm not aware of using perl.

I have a cgi cd/dvd backup script, the problem being that I can't create the log files in the directories I want, as they are owned by root. I have added the apache group to them though and made them writeable for apache, but that doesn't work. I use sudo, without a password prompt for the burning of the CD/DVD etc.

Is this simpliest way just to make a new directory that is completely owned by apache?

P.S. There are a few tests missing from this too, I know.

Thanks

CGI Script:

#!/usr/bin/perl -T

use strict;       
use warnings;          
require 5;             
$|++;                  
use CGI;                  
use CGI::Carp qw(fatalsToBrowser); 
use Mail::Sendmail;        
use POSIX qw(strftime);    

# For safe ENV 
$ENV{PATH} = '/bin:/usr/bin';

my $to           = 'ghenry@perl.me.uk, info@domain.org.uk';
my $from         = '"Support Services" <support@perl.me.uk>';
my $time         = localtime;
my $date         = strftime '%d.%m.%y', localtime;
my $hostname     = 'server';
my $page         = new CGI;
my $speed        = '32';
my $imagefile    = "/server-$date.iso";
my $imagedir     = '/opt/backups';
my $defaultdir   = '/files';
my $contentsfile = 'contents.txt';
my $device       = '/dev/hda';
my $logdir       = '/opt/logs';

print
$page->header(),
$page->start_html(
                -title=>'Backup Progress....',
                -author=>'Gavin Henry',
                -style=>'/bottom.css',
);

print '
<script language="JavaScript">
var x=window.confirm("Are you sure you want to run the backup to CD/DV
+D?")
if (!x)
    window.location="http://hidded_hostname/cgi-bin/swish.cgi"
</script>
<div id="page">
<h3>CD/DVD Backup starting....</h3>
<h3>Please be patient, as this will take a long time.</h3>
<pre>';

# Move into the backup dir
chdir "$imagedir" 
    or die "Either that directory doesn't exist or I can't get into it
+: $!\n";

# Create a "table of contents" file.
!system "sudo ls -lRF $defaultdir > $defaultdir/$contentsfile" 
    or die "I don't have write permission on $defaultdir,so I can't cr
+eate $contentsfile!\n\n Moving on....\n";

# The "l" option gives a "long" file listing.
# The "R" option makes the listing recursive.
# The "F" option marks the file types (directories get a trailing /).

print "Creating ISO9660 file system image ($imagefile).\n";
!system "sudo mkisofs -J -l -R -V srv-$date -o $imagefile $defaultdir"
    or die "I can't create the image.\n";

# Wipe the inserted CDRW
# echo "Blanking current CDRW"
# cdrecord blank=fast dev=$DEVICE

# Burn the CDRW.
if (-s "$imagefile" < 700_000_000 and -e "$imagefile") {
    print '<script language="JavaScript">
        var x=window.confirm("Is there a CD/DVD in the drive?")
        if (!x)    
            window.location="http://hidden_hostname/cgi-bin/swish.cgi"
        </script>';
          print "\n\nISO not too big and exists. \nBurning the CDRW.\n
+\n"    
         ."\nPlease be patient, this will take a while...\n\n";
          !system "sudo cdrecord -v -eject dev=$device $imagefile"    
+     or die "There must be something wrong with the CD/DVD or there i
+s no CD in the drive.\n \n\nBackup failed.";

    print '<script>
        window.alert("Backup complete!")
        </script>';

        # create success logfile
        open LOG, ">>$logdir/cdbackup-success-$date.log"
          or die "Cannot create logfile: $!";
        print LOG
        "CD/DVD backup successful on $time for $hostname.\n\n"
        close LOG;

    #send success e-mail
    my %mail_success = (
        To      => "$to",
        From    => "$from",
        Subject => "CD/DVD backup complete on $hostname on $time",
        Message => "CD/DVD backup has been a success on $hostname on $
+time\n\n"
                ."Backup Solution brought to you by Gavin Henry.\n\n"

    # Delete created image
    unlink $imagefile
    or die "I can't delete the CD/DVD image: $!\n";
    );
    sendmail(%mail_success);
          
    print "\<h3\>CD/DVD Backup complete on $time for $hostname.\<\/h3\
+>"
          ."\<p\>E-mail sent with details.\<\/p\>"
          ."\<p\>Logfile also created in $logdir on $time.\<\/p\>"
          ."\<\/div\>";

    $page->end_html();
    exit 0

} else {
    # print messages to screen
    print "Oops! The ISO file is way too big. You need a DVD disc, not
+ a CDRW: $!\n";    

    # create failed logfile
    open LOG, ">>$logdir/cdbackup-failure-$date.log"
      or die "Cannot create logfile: $!";
    print LOG
        "CD/DVD backup has failed on $time for $hostname.\n\n"
         ."There must be something wrong with the CD/DVD media: $!\n"
    close LOG;

    #send failure e-mail
        my %mail_failure = (
            To      => "$to",
            From    => "$from",
            Subject => "CD/DVD backup failed on $hostname on $time",
            Message => "CD/DVD backup has failed on $hostname on $time
+\n\n"
        );
        sendmail(%mail_failure);

    # Failure message
    print "\<h3\>CD/DVD Backup failed on $time for $hostname.\<\/h3\>"
      ."\<p\>E-mail sent with details.\<\/p\>"
      ."\<p\>Logfile also created in $logdir on $time.\<\/p\>"
      ."\<\/div\>";

    $page->end_html() ;
    exit 0
}
[download]

Gavin.

Walking the road to enlightenment... I found a penguin and a camel on the way.....
Fancy a yourname@perl.me.uk? Just ask!!!

Comment on Permissions for a cgi script Download Code

Replies are listed 'Best First'.
Re: Permissions for a cgi script by eXile (Priest) on Apr 19, 2005 at 14:35 UTC
normally for apache to be able to write to a directory this directory has to be writable+executable by the user the apache process runs as, look at the output of 'ps' on unix, for example `ps -Ao user,group,command` will give you username,groupname and commands of all running commands on your machine. If your apache runs as user 'nobody', you can make a directory writable+executable by nobody and apache should be able to write there. So: `mkdir -p /some/dir chown nobody /some/dir chmod 700 /some/dir` [download] Will create a dir that is exclusively readable/writable by 'nobody'. The 'read' permission is not strictly necessary but normally is quite handy.	[reply] [d/l] [select]
Re: Permissions for a cgi script by zentara (Cardinal) on Apr 19, 2005 at 13:07 UTC
Any directory apache writes to, must be 777 (world-writable), since anyone in the world may be running the script. You could run apache with suexec. Place the script in /home/user/public_html/cgi-bin, then apache will run with the permissions of the owner of that home directory (usually 700). So how about making a user called 'backup' and run the script out of backup's homedir's cgi-bin? Then the httpd daemon will be able to make directories in backup's homedir. If you want to make a new directory, completely owned by apache, you have to be root, then su to apache, then make the directory. Sudo may be able to do this, but it sounds risky if running thru cgi. Your best bet is to use "suexec". If you don't know how suexec works, just google for it. It comes with apache, and if it is found in the path when apache starts, it will automatically be enabled, and anything run in a home directory's public_html, will be run as "user::users", instead of "nobody::nogroup" (or other lowest permissions). Most people who want to do something like this, would not use cgi, and would use SSH instead, which would be much more secure. I'm not really a human, but I play one on earth. flash japh	[reply]
Re^2: Permissions for a cgi script by eXile (Priest) on Apr 19, 2005 at 14:52 UTC
New directories can be made by apache if the user apache runs as, has the correct permissions to write to the directory (so 'rwx'), please read something like this doc on filepermissions for a brief review on unix file permissions. Using suEXEC is discouraged in the docs describing it, if you are not familiar with setuid scripts and such, so I wouldn't recommend that to somebody asking about filepermissions ....	[reply]
Re^3: Permissions for a cgi script by zentara (Cardinal) on Apr 19, 2005 at 18:20 UTC
*Using suEXEC is discouraged in the docs describing it*. I don't run a shared ISP, so I can't be absolutely positive, but it seems every Server account that I've ever had, used suexec. I get a public_html directory, and when I connect, I am running as the owner of that home directory. Now I must admit, that maybe they work some magic the "virtual hosts configuration", to let apache run as user in a homedir, without suexec, but it sure acts like suexec. This link shows apache running as zentara, not nobody. But in any event, trying to do backups to cd/dvd, through a cgi script is NOT a good idea. SSH should be used. Well maybe if he is using https with some sort of access restriction, he could get away with it. Since the OP is talking about sudo'ing to root, to make his cd's, he must have a dedicated remote server, so there should be no problem with him using ssh. I'm not really a human, but I play one on earth. flash japh	[reply]