Re: setuid scripts

To make this short and sweet, you want to look into 'suidperl' or sperl. This allows for the script to be run securly (unless -U is specified) while changing the effective user id of the process it will run under. You dont really need to set somthing 777 to modify a file, having user write permissions or group write permissions should be the way to go. I dont think making somthing setuid in this case would be a good idea, unless you want multiple users in multiple groups (still you should just add them to a central group that has permission to write to that specified file)to have access to that file.

having somthing setuid is usually somthing that is done for giving rights to things that a normal user shouldnt usually have rights to. (IE icmp using ping or somthing). Though sperl does provide a good basis for "not messing up and keeping it secure", there will always be that mist of air that screams "security hole"

-cleen

Comment on Re: setuid scripts

Replies are listed 'Best First'.
RE: Re: setuid scripts by norm (Initiate) on Jul 08, 2000 at 04:01 UTC
My idea was that it would be a better way of making a CGI script able to create/modify some files, without making it so that anyone could modify those files, at least not without using the script. oren	[reply]
RE: RE: Re: setuid scripts by cleen (Pilgrim) on Jul 08, 2000 at 04:07 UTC
If this is a cgi script, then Im guessing this script will be executed by the user who owns the httpd process right? Then why not make it so the httpd process has the proper rights to that file, and nobody else?	[reply]
RE: RE: RE: Re: setuid scripts by le (Friar) on Jul 08, 2000 at 11:52 UTC
Yes CGI scripts are executed as the httpd user (mostly nobody, or www, depends on configuration). But most of the time, suid scripts need root privileges, and it's really a bad idea to have httpd run as root.	[reply]
RE: RE: RE: RE: Re: setuid scripts by cleen (Pilgrim) on Jul 08, 2000 at 12:06 UTC
RE: RE: RE: RE: RE: Re: setuid scripts by le (Friar) on Jul 08, 2000 at 12:52 UTC
Some notes below your chosen depth have not been shown here
RE: Re: setuid scripts by Anonymous Monk on Jul 27, 2000 at 00:48 UTC
I'm trying to do exactly what you say this might be used for (icmp using Net::Ping). I'm having trouble finding any documentation about setuid, suidperl or sperl. I'm running on an NT box and I suspect that matters. Thanks for any help you can provide. Henry Hartley	[reply]
Win32 Net::Ping("icmp") -- RE: setuid scripts by tye (Sage) on Jul 27, 2000 at 01:21 UTC
Windows (not even WindowsNT) doesn't have Set-UID. The closest thing is probably LogonUser() followed by CreateProcessAsUser(). Though, this requires that you stash an unencrypted password somewhere and already have some special privileges, which makes it both less useful and a worse security risk than SUID (which is already a big security risk). But that doesn't matter because WindowsNT doesn't require you to have privileges in order to send ICMP packets. You just have to know how to use the advanced socket interfaces. Net::Ping just incorrectly assumes that only VMS is this way. Just comment out the line: `croak("icmp ping requires root privilege") if ($> and $^O ne 'VMS');` [download] and Net::Ping can do ICMP pings under WindowsNT just fine! Gee, I wish I'd know the fix was that easy a long time ago!.	[reply] [d/l]
RE: Win32 Net::Ping("icmp") by Anonymous Monk on Jul 27, 2000 at 17:42 UTC
Thanks. I removed that line but it didn't seem to help. Anything else that might cause the problem? My code is basically: my $p = Net::Ping->new(); foreach my $host (@host_array) { print "$host is "; print "NOT " unless $p->ping($host, 2); print "reachable.\n"; } $p->close(); and if fails on the print "NOT " line. Is there some way to have Ping.pm report where it is dying?	[reply]