Running a CGI Script as user

skazat has asked for the wisdom of the Perl Monks concerning the following question:

hello all,

I am developing an application for administrating htaccess and htpasswd for protected directories via a cgi script, knowing the circumstances, I'm guessing that I need to run the cgi-script as a user and not 'nobody', tho I'm not too clear on how to go about this, perhaps I'll tell you what I know and then you can pick apart at me.

To run as 'user' the perl script has to be chmoded a special way, though I'm not sure exactly what ;/

To run as this special way, you have to make sure the program is untainted, using the -Taint flag, etc.

This seems all in well, and I've already done some research on various CPAN PMs that might comne in handy. This cgi script will most likelty be in its on protected directory, so no worries there.

I think on my main server, we're using suEXEC, so perl scripts have permissions automagically when they need them. I'm not going to have this on the server I'm writing this app for. I also do not have root access to this server,

Are there any pitfalls that you can see?

-justin simoni
!skazat!

Comment on Running a CGI Script as user

Replies are listed 'Best First'.
Re: Running a CGI Script as user by footpad (Abbot) on Jan 07, 2001 at 01:09 UTC
I believe the article that merlyn is trying to remember appeared in the Summer 1998 issue of The Perl Journal. It was called Safely Empowering Your CGI Scripts but you'll need to be a subscriber to view it. Subscriptions cost $18/year and can be obtained online, which isn't too bad, considering that many other journals want a lot more money. There is, apparently some risk that the magazine is on the rocks (see TPJ future in question), but subscriptions allow immediate access to their online archives). Given that $18 is less than half the price of many tech books, it's cheap access to a lot of useful and extremely educational material. If you'd rather not risk the subscription, I notice that Mr. Stein has a package that may help available on his web site; here's the direct link. --f	[reply]
Re: Running a CGI Script as user by merlyn (Sage) on Jan 06, 2001 at 05:06 UTC
Be sure you look at HTTPD::UserAdmin, rather than trying to put a wrapper around the `htpasswd` program, which will require some annoying management of `/dev/tty` in ways that even us experienced hackers dread. Also, Lincoln Stein did a "manage the passwords from the web" script somewhere. Look around for it. Sorry I don't recall better than that. -- Randal L. Schwartz, Perl hacker	[reply]
Re: Re: Running a CGI Script as user by skazat (Chaplain) on Jan 09, 2001 at 02:28 UTC
ok, great! I found his article, and his script here, which, just saved me about a month worth of work, Thanks Lincoln! The only thing I need to do now is redesign the html UI, which kinda looks like some random computer hacker put together (kidding! just a joke..) which is the fun part :) -justin simoni !skazat!	[reply]
Re: Running a CGI Script as user by arturo (Vicar) on Jan 06, 2001 at 04:48 UTC
This isn't really a Perl question, because How to Do It depends on what your HTTP server software is. If it's apache, look into suEXEC. Other than that, there aren't too many pitfalls (unless the user is root =) Running under -T is probably the biggest single thing you can do, as it will help you track down where your code isn't secure enough. You might create a user whose sole permission is to exec the htpasswd binaries, if you're truly paranoid. A different kind of setup you might look into if you don't need instant updates is to have the CGI write to a file, and have a smart cron job running with more privileges handle the actual updating. But again, such pitfalls as exist will depend on your OS and HTTP server. Philosophy can be made out of anything. Or less -- Jerry A. Fodor	[reply]