Gangabass has asked for the wisdom of the Perl Monks concerning the following question:

Hi, Monks!

I have a file permission issue when working from a CGI script: I need to create/delete/change files that are in the DOCUMENT_ROOT (and its subfolders).

How can I temporarily switch to another user to perform these actions?

Re: Modification of files from CGI script
by graff (Chancellor) on Aug 21, 2007 at 05:20 UTC
    Some of these issues may depend on the OS that is running the web server... the following points are valid for unix-like systems.

    If the web-server user account does not have write access on the DOCUMENT_ROOT directory (and if you don't have the ability to change that), then you can't use a CGI script to create, rename or delete files there. If a file exists and the web-server user account has write access on that, it can modify that file's contents (e.g. open for read/write access, or open once to read it, close it, and open it again to write it). But then you need to pay attention to file locking, so that concurrent web clients don't mess things up by trying to modify the same file at the same time.

    If you (as "normal" login user) can create a directory in DOCUMENT_ROOT, you should be able to control the group ownership and permissions on that directory so that your CGI script (running under the web-server user account) can create, delete, rename, and modify files at will in that directory. Even there, you need to be careful about how the CGI script sets up file names, opens files for i/o, etc -- taint checking is a must.

    In general, limiting that sort of CGI activity to a specific subdirectory is cleaner, safer, and easier to maintain. Meanwhile, setting up a CGI script that does a "setuid" (change user identity) to circumvent standard protections on the DOCUMENT_ROOT directory is a bad, risky, messy idea. It might be doable (probably requires some root/sysadmin intervention), but I would strongly advise avoiding that approach.

      If I'm not mistaken, a lot of that can be accomplished by proper configuration of an .htaccess file if you are using Apache. However, WebDev has never been my strongest point. Regardless of whether you are running a script locally or as CGI on a web server, graff's point about file locking is very important. Any access to shared resources needs to be controlled properly or you will have issues.
        I'm not big into web dev either, but I've never heard of being able to control that via .htaccess before (and allowing suid to any user other than the owner of the .htaccess file to be configured that way has obvious security problems). Apache does, however, have suexec, which I believe causes scripts to run suid as their owner. AFAIK, suexec is the only way for CGI/etc. scripts to run as a user other than the apache user.
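The confined-subdirectory approach graff describes, as an added example that is not code from the thread or from any of its posters: the web-server user gets write access to one dedicated directory only, every user-supplied file name is untainted against a strict whitelist so it can never escape that directory, and each write or delete holds an exclusive flock so concurrent requests serialize. The directory name `uploads`, the helper names `safe_name`, `write_file` and `delete_file`, and the lock-file convention are all assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): CGI-style file modification confined
# to one subdirectory of DOCUMENT_ROOT, with taint checking and locking.
use strict;
use warnings;
use Fcntl qw(:flock);
use File::Spec;
use File::Temp qw(tempfile);

# Under -T, %ENV is tainted; untaint DOCUMENT_ROOT with an explicit pattern
# so it can be used in file operations. Falls back to "." when run by hand.
my ($DOC_ROOT) = ($ENV{DOCUMENT_ROOT} // '.') =~ m{\A([\w./-]+)\z}
    or die "unacceptable DOCUMENT_ROOT\n";

# The only directory the web-server user may write to (assumed name).
# Create it as the normal login user, owned by the web server's group,
# group-writable and setgid, e.g.:  mkdir -m 2775 uploads && chgrp www-data uploads
my $UPLOAD_DIR = File::Spec->catdir($DOC_ROOT, 'uploads');

# Untaint a user-supplied name by accepting only a whitelist pattern.
# Slashes, "..", leading dots and anything else are rejected, so the script
# cannot reach outside $UPLOAD_DIR. Returns undef on rejection.
sub safe_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9][A-Za-z0-9._-]{0,63})\z/;
    return undef;
}

# Take an exclusive lock on a side file next to the target. The lock is
# released when the returned handle is closed or goes out of scope.
sub lock_for {
    my ($path) = @_;
    open(my $lock, '>>', "$path.lock") or die "cannot open lock file: $!\n";
    flock($lock, LOCK_EX) or die "cannot lock $path: $!\n";
    return $lock;
}

# Replace the contents of $name atomically: write to a temp file in the same
# directory, then rename() it over the target while holding the lock, so a
# concurrent reader never sees a half-written file.
sub write_file {
    my ($name, $content) = @_;
    my $safe = safe_name($name) or die "rejected file name\n";
    my $path = File::Spec->catfile($UPLOAD_DIR, $safe);

    my $lock = lock_for($path);
    my ($tmp, $tmpname) = tempfile('.tmpXXXXXX', DIR => $UPLOAD_DIR);
    print {$tmp} $content or die "write failed: $!\n";
    close($tmp) or die "close failed: $!\n";
    rename($tmpname, $path) or die "rename failed: $!\n";
    close($lock);
    return $path;
}

# Delete $name under the same lock. The small ".lock" side file is left
# behind deliberately so a concurrent writer still has something to lock on.
sub delete_file {
    my ($name) = @_;
    my $safe = safe_name($name) or die "rejected file name\n";
    my $path = File::Spec->catfile($UPLOAD_DIR, $safe);

    my $lock = lock_for($path);
    my $removed = unlink($path);
    close($lock);
    return $removed;
}

# Stand-alone demonstration with constructed input (a real CGI would take
# the name from a request parameter and pass it through safe_name()).
unless (caller) {
    mkdir $UPLOAD_DIR unless -d $UPLOAD_DIR;
    my $written = write_file('notes.txt', "hello\n");
    print "wrote $written\n";
    print "deleted ", delete_file('notes.txt'), " file(s)\n";
    # Hostile names never reach the filesystem:
    for my $bad ('../index.html', '.htaccess', 'a/b') {
        print "rejected: $bad\n" unless defined safe_name($bad);
    }
}
```

The whitelist in `safe_name` is the taint-mode pattern graff alludes to: rather than trying to strip dangerous characters out of a name, it accepts only names that match a known-good shape and treats everything else as an error. The lock side file means the locking works even when the target is being created for the first time or has just been deleted.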
Re: Modification of files from CGI script
by Gangabass (Vicar) on Aug 23, 2007 at 10:27 UTC

    Hi again!

    I have one idea, and I want to hear your opinion about it.

    As you remember, I need to change files on the web server from a CGI script. But this machine also has an FTP server!

    What do you think about connecting to the FTP server on the same machine (with a user account which has enough rights) and changing files over FTP? Is this possible?