GreenWitch has asked for the wisdom of the Perl Monks concerning the following question:

I'm newbe both on the forum and scripting. I'm trying to develop perl script will be used by normal users to copy files from a restricted location using admin id and encrypted password. Any idea, help or sample script is greatly appreciated.

Replies are listed 'Best First'.
Re: perl script to copy files as admin
by graff (Chancellor) on Jul 23, 2009 at 01:20 UTC
    In order for normal users to receive access to restricted files, it must be the case that only certain authorized "normal" users are to be granted this access -- otherwise, the restricted files might just as well be in any old non-restricted location.

    So, if you are managing a list of "authorized normal users", it will be best to have two separate processes: one can be run by normal users and does nothing beyond expressing a request from a normal user to receive one or more restricted files; the other is run only by an admin account, and services these requests from normal users, by checking the authorization list, confirming whether the given user is authorized to receive the requested file(s), and either providing the files or not, depending on what the authorization list says.

    But then, you might also have to worry about how you convey the restricted files to recipients, and whether the recipients have the sense and wherewithal to protect the files from unauthorized exposure to others.

    The one thing you certainly do not want is for normal users to autonomously use some process that allows admin-level access of any sort. That's asking for trouble.

[reply]
Re: perl script to copy files as admin
by salva (Canon) on Jul 23, 2009 at 06:39 UTC
    You can use sudo for that.

    Write an script to perform the copy and configure sudo to let selected users run it as root.

[reply]
[d/l]
      Thank you for the replies, I'm using Windows environment: Actually I used to do this manually using admin ID, here users will not get any access. So my intention is to create a script which will be run by user to do so. I wanted to know is there any scope to use encripted password or compile the script in perl, here is something like: 
      
use File::Copy;

$filetobecopied = "<dir1>\*.*"

$destcopy = "<dir2>";

copy($filetobecopied, $destcopy) or die "File cannot be copied.";

      [download]
      Is ther any scope to user admin id and password? As user can not do any thing else except copying files with this compiled script. Any idea is greatly appreciated.
[reply]
[d/l]

        The copy function of File::Copy can copy only a single file at a time, and it has to be called with a destination file name, not a directory. You could have learned that from the File::Copy documentation.

        If you want to copy more than one file, you need a loop. If you want to copy an entire subtree, you need to recurse into source and destination directories. File::Copy::Recursive can do both, if you RTFM.

        Regarding your privileges problem, you need to start your copy script as a privileged user. Windows has the runas command, and it offers the services infrastructure for a clean separation of a unprivileged user interface and a privileged background service. runas needs the Administrator password at runtime (and you don't want to give it away!), the service way doesn't. Remember that privileges require responsability, so use strict, use warnings, and enable the taint mode (#!perl -T). Verify all input and refuse to work when the input does not match the rules. Using a web server could be a simple workaround, for read accesss to the "restricted location", any web server could do the job, for write access, a WebDAV enabled webserver could do the trick. No need to invent new protocols. Of course, you also could use a file upload form and a CGI for write access.

        Privilege separation can be a real pain under Windows, there are several attempts to clone the common su or sudo utilities, starting with a single batch file and ending with a huge services infrastructure. I still haven't seen any Windows utility as reliable and secure as sudo on Unix.

        Think about your initial problem, or better: Explain it to us. Why do you think you need to to copy files from a restricted location using admin id and encrypted password? If the "restricted location" is the source, just make it world readable, but writeable only for the Administrator account. This can be done using standard Windows access controls. If the "restricted location" is the destination, you are defeating your restrictions, so just drop them and make it world (or group) writeable.

        Alexander

        --
        Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
[reply]
[d/l]
[select]
Re: perl script to copy files as admin
by sflitman (Hermit) on Jul 23, 2009 at 05:59 UTC
    I think the simplest thing to do is to use http and a secured directory. I do this all the time, then tell anyone to point a browser (or wget from the command line) to the secure directory and type in user/pass. You could write a perl one-liner with LWP::Simple to do this fairly easily.

    The apache docs explain this fairly obtusely, so I just use this file in the secured directory: 

    # .htaccess
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
AuthName "Secure Access"
AuthType Basic

<LIMIT GET>
require valid-user
</LIMIT>

    [download]
    and use the htpasswd command to generate the .htpasswd file. The .htpasswd file can be somewhere outside of the web hierarchy for security. This provides some security but is far from perfect; access it over https (although we know that's not perfect either, it's better than http)

    Hope that helps,
    SSF

[reply]
[d/l]
[select]
Re: perl script to copy files as admin
by Anonymous Monk on Jul 23, 2009 at 00:52 UTC
    Any idea, help or sample script is greatly appreciated.

    Give up, its a bad idea :)

[reply]

Back to Seekers of Perl Wisdom