This may be more a Linux question than a Perl question, but I'm stumped, and don't even have an idea of where to start.
I have a script that is attempting to run/call a program on the system, but is unable to do so because it doesn't have enough privileges. I'm root on the system -- so I considered changing the program to allow a non-privileged user to run it, but I'd rather not do so.
The question becomes -- how do I change the user a particular script runs as? Is there an equivalent in Perl to typing "su - thisuser" at the prompt?
Thanks in advance for any help ... completely lost. :-\
- Erik
See the manual page of the chmod command for information regarding the setuid bit, which will automatically bump your script up to root (or, more accurately, the owner of the file) whenever it's run. This is what the "s" means in a set of permission flags in a "ls -l" listing.
perlsec has some good information on setuid scripts; you almost certainly want them to run with taint mode on.
This is IMHO bad advice. Firstly it simply won't work for many configurations and secondly suid root and web servers are a dangerous combination - especially if someone needs to have suid explained to them. There are other, safer ways to skin this particular cat.
The original author didn't specify whether it was running on a web server or not - the instance of a CGI script hadn't occurred to me actually. Yes, CGI scripts shouldn't be run suid root.
Perhaps the author could clarify?
Ah, very good point. Don't know why I thought it was a CGI question having just re-read it (can you change root node in SOPW - I could have sworn it originally said CGI/nobody/apache somewhere). I like jacques' answer the best so far ;-)
Everyone has to learn about it for the first time sometime.
Of course they do but hopefully by that stage they have discovered the man pages and/or read a basic book. Of the two objections I raised the first was the fact that you typically can't run suid scripts on a large number of the servers out there without recompiling the kernel to remove that restriction or wrapping the script with a short C execv() function. Have you ever actually tried it?
[user]$ cat test.pl
#!/usr/bin/perl
print "This is a suid test\n";
[user]$ chmod +s test.pl
[user]$ ll rover.pl
-rwsr-xr-x 1 user coders 203 Mar 10 02:41 test.pl
[user]$ ./test.pl
Can't do setuid
[user]$ su root
Password:
[root]# ./test.pl
This is a suid test
[root]# exit
exit
[user]$ ./test.pl
Can't do setuid
$ uname -sr
Linux 2.4.18-27.7.xsmp
$
cheers
tachyon
Suck it and see. 50% of my wisdom is sucked, 50% is seed.... Somewhere we need to make room for at least 10% attitude and total BS but you get that......
cheers
tachyon
You can use a suid perl/apache but don't do it that way. The best way (IMHO) is to give the web server process permission to execute the program via sudo/sudoers. For example
[root@devel3 log]# cat /etc/sudoers
# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
# See the sudoers man page for the details on how to write a sudoers file.
# let apache send HUP to squid
apache ALL=NOPASSWD:/home/www/utility/sendHUP.pl
[root@devel3 log]# ll /home/www/utility/sendHUP.pl
-rwxr-xr-x 1 apache coders 1114 Mar 10 02:43 /home/www/utility/sendHUP.pl
[root@devel3 log]# cat /home/www/utility/sendHUP.pl
#!/usr/bin/perl -w
use strict;
# this script needs to be run as root; to do this we add an entry to
# /etc/sudoers so that apache can run it (you edit using visudo)
# visudo -f /etc/sudoers
# add this line
# apache ALL=NOPASSWD:/home/www/utility/sendHUP.pl
# call as system('sudo', '/home/www/utility/sendHUP.pl');
# assumption (not in the original post, which left $PROGRAM undefined):
# squid's pid is read from its pid file, so the caller cannot pick the target
my $pidfile = '/var/run/squid.pid';
open my $fh, '<', $pidfile or exit 41;
chomp(my $PROGRAM = <$fh>);
close $fh;
# accept only a plain positive integer as the pid
$PROGRAM =~ /^(\d+)$/ or exit 43;
(kill 'HUP', $1) or exit 42;
exit 0;
My webserver runs as apache, but yours may be nobody or something else. What the line in sudoers does is allow apache to *potentially* run the sendHUP.pl with root privileges. This is required to send (in this case squid) a HUP signal. Note that the actual sendHUP.pl script is not owned by root or suid. It is just a normal script. Note also you need to call this with system( 'sudo', '/some/prog.pl' ) from within your script to execute the program with root privilege.
So by using sudo/sudoers you can limit the webserver to being able to execute as little as a single command/program as root which is better than letting it be able to execute lots of stuff which is quite possible if you go the suid root (route ;-)
cheers
tachyon
Note that you can find out what user Apache runs as by looking in the httpd.conf file (mine's located at /etc/httpd/httpd.conf) and looking for lines like
User www
Group www
Obviously Apache runs as www for me.
use strict;
my ($login,$pass,$uid,$gid) = getpwnam('username')
    or die "no such user\n";
$) = $gid;   # effective group id first, while still root
$> = $uid;   # then effective user id; only root may switch to another user
# now it should be running as username
This probably won't be applicable in this case but it's good to know as an FYI
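A fuller version of the privilege drop in the snippet above, added here as an example (it is not from the post or from perlmonks): assigning only $) and $> changes the effective ids, which a root process can simply switch back, so this uses POSIX::setuid/setgid (which, called by root, set real, effective and saved ids), sets the supplementary groups, and then verifies that root cannot be regained. It assumes it starts as root; drop_privileges and the account name 'username' are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(setuid setgid);

# Permanently switch a root process to the given account. Unlike assigning
# only $) and $> (effective ids, which root can switch back from), setuid(2)
# and setgid(2) called by root set real, effective and saved ids at once.
# 'username' is a placeholder account name; the script must start as root.
sub drop_privileges {
    my ($user) = @_;
    my (undef, undef, $uid, $gid) = getpwnam($user)
        or die "no such user: $user\n";
    die "drop_privileges: not running as root\n" unless $< == 0;

    # Supplementary groups first, while still root: assigning a space
    # separated list to $) sets the effective gid to the first value and
    # calls setgroups() with the rest (here: just the user's primary group).
    $) = "$gid $gid";
    setgid($gid) or die "setgid($gid) failed: $!\n";
    # Real, effective and saved uid; after this root cannot be regained.
    setuid($uid) or die "setuid($uid) failed: $!\n";

    # Verify the drop rather than trust it: this seteuid(0) must fail.
    $> = 0;
    die "privileges could be regained, refusing to continue\n" if $> == 0;
    my ($rgid) = split ' ', $(;
    die "ids not dropped\n" unless $rgid == $gid && $< == $uid && $> == $uid;
    return 1;
}

drop_privileges('username');
# now really running as username (real, effective and saved ids)
exec '/usr/bin/id' or die "exec failed: $!\n";
```

Note the order: groups and gid are changed before the uid, because once the uid is no longer root the setgroups() and setgid() calls would fail.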
Scary.
perlmonks.org content © perlmonks.org and Anonymous Monk, ercparker, jacques, Lexicon, nightwatch, Nkuvu, tachyon, theAcolyte
prlmnks.org © 2006 edmund von der burg (eccles & toad)