avo has asked for the wisdom of the Perl Monks concerning the following question:

Dear Monks, I have a mod_perl script which I would like to give permissions to certain root-owned files (like /etc/samba/smbpasswd). I can do that with a normal CGI and a C wrapper... but I can't do it if I am using the ModPerl::Registry. Herewith my .htaccess file:
 
<Files *.cgi>
SetHandler perl-script 
PerlResponseHandler ModPerl::Registry
Options +ExecCGI 
PerlOptions +ParseHeaders
</Files>

Any ideas will be highly appreciated!
Thanks

Re: mod_perl suid
by afoken (Chancellor) on Apr 07, 2009 at 14:53 UTC

    Start an external, privileged helper program.

    Alexander

    --
    Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
Re: mod_perl suid
by ikegami (Patriarch) on Apr 07, 2009 at 15:15 UTC

    When using mod_perl, Perl is actually linked into the web server, so your scripts execute inside the web server itself rather than a separate process like CGI. Any permissions would have to be given to the user/group as which apache runs.

    But rather than give the world access to root files, it would be better to parcel off the privileged task to a separate process.

Re: mod_perl suid
by locked_user sundialsvc4 (Abbot) on Apr 07, 2009 at 20:33 UTC

    If you did this, you would necessarily give Apache “permission to certain root-owned files,” and that would Not Be A Good Thing™.

    You see, any script run by apache would now have those same privileges! And... you don't want that.

    What you should do, instead, is to arrange for another service-process to be sitting out there, waiting for (say...) a SOAP-request to do certain things. The web-site code issues that request and waits for the response: apache does not have the privilege to perform this action by itself. Furthermore, the SOAP request should be constructed in such a way that there is some modicum of “authentication,” such that it has some degree of confidence that the request that it receives is actually the one that you intended for it to receive.

    “Never assume... never assume...”
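
One way to build the separate privileged process the replies describe, as an added example that is not code from any poster in this thread: a root-run helper listening on a Unix socket that only the Apache account can open, accepting a single validated command, with the client call for the Registry script in the same file. The socket path, account name, line protocol, password rules and the smbpasswd invocation are assumptions.

```perl
# Privileged helper: start as root, outside Apache, with the argument "serve".
# Constructed protocol: "SETPASS <user> <password>\n" -> "OK\n" or "ERR\n".
use strict; use warnings;
use IO::Socket::UNIX;

my $SOCK_PATH   = '/var/run/smbhelper.sock';   # assumed path
my $APACHE_USER = 'apache';                    # assumed account Apache runs as

# Accept one command only. The user name cannot start with "-" (no option
# injection); the password rule (8-64 printable, no spaces) is constructed.
sub parse_request {
    my $line = shift // '';
    return unless $line =~ /\ASETPASS ([a-z][a-z0-9_-]{0,31}) ([\x21-\x7e]{8,64})\r?\n\z/;
    return ($1, $2);
}

# Assumed privileged action: smbpasswd -s reads the new password twice from
# stdin. The list-form pipe open runs no shell, so arguments cannot inject.
sub set_password {
    my ($user, $pass) = @_;
    local $SIG{PIPE} = 'IGNORE';    # a failing child must not kill the helper
    open(my $fh, '|-', '/usr/bin/smbpasswd', '-s', $user) or return 0;
    print {$fh} "$pass\n$pass\n";
    return close($fh);              # false when smbpasswd exits non-zero
}

sub serve {
    my $uid = getpwnam($APACHE_USER) // die "unknown user $APACHE_USER\n";
    unlink $SOCK_PATH;
    my $old = umask 0177;           # create the socket with mode 0600
    my $srv = IO::Socket::UNIX->new(Local => $SOCK_PATH, Listen => 5)
        or die "cannot listen on $SOCK_PATH: $!\n";
    umask $old;
    chown $uid, -1, $SOCK_PATH or die "chown: $!\n";   # only Apache may connect
    while (my $conn = $srv->accept) {
        my ($user, $pass) = parse_request(scalar <$conn>);
        my $ok = defined $user && set_password($user, $pass);
        print {$conn} $ok ? "OK\n" : "ERR\n";
        close $conn;
    }
}

# Client side, called from the ModPerl::Registry script (runs as Apache).
sub request_password_change {
    my ($user, $pass) = @_;
    my $c = IO::Socket::UNIX->new(Peer => $SOCK_PATH) or return 0;
    print {$c} "SETPASS $user $pass\n";
    return (<$c> // '') eq "OK\n";
}

serve() if @ARGV && $ARGV[0] eq 'serve';
```

Apache itself gains no access to /etc/samba/smbpasswd here; it can only ask the helper to run the one operation the helper is willing to perform.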