
cgi scripts as root or similar - best method

Gavin Henry

2005-02-25, 8:55 am

Dear all,

I have a working cgi script, well from the commandline.

I haven't enabled -T, but that will be next.

I am using $|++ and CGI::Carp to get things to stdout etc. and show me
errors.

All the script does is creates an ISO file, writes a log and burns the CD
with some Javascript questions to ask if the user wants to continue.

I could paste the code, but I don't think it's relevant to my question.

What the problem is, is that the ISO and log file are to be saved in non
apache2 owned directories and cdrecord needs to be run as root.

I have tried changing the group ownership of these dirs and chmod 775 for
them, but apache2 still can't write to them.

I have looked into suexec, but I am not running VirtualHosts and I have
tried just making the scripts setuid, but apache2 won't run them then.

I have seen suidperl, but I am not sure what it does.

Basically I have tried everything I know at present, read all the perlfaq9
and relevant CGI FAQ etc.

Does someone with more experience have any tips, as I am now at a loss.

Thanks.


--
Just getting into the best language ever...
Fancy a yourname@perl.me.uk? Just ask!!!

Paul Archer

2005-02-25, 3:55 pm

Are you sure that cdrecord needs to run as root? You might check into
changing permissions on the device itself. Or if this is a trusted
machine/environment (I assume it is, 'cause most people don't write web apps
to burn CDs), then you could suid cdrecord itself as root. Be sure you
understand the security implications of doing that.

Paul

10:08am, Gavin Henry wrote:

> Dear all,
>
> I have a working cgi script, well from the commandline.
>
> I haven't enabled -T, but that will be next.
>
> I am using $|++ and CGI::Carp to get things to stdout etc. and show me
> errors.
>
> All the script does is creates an ISO file, writes a log and burns the CD
> with some Javascript questions to ask if the user wants to continue.
>
> I could paste the code, but I don't think it's relevant to my question.
>
> What the problem is, is that the ISO and log file are to be saved in non
> apache2 owned directories and cdrecord needs to be run as root.
>
> I have tried changing the group ownership of these dirs and chmod 775 for
> them, but apache2 still can't write to them.
>
> I have looked into suexec, but I am not running VirtualHosts and I have
> tried just making the scripts setuid, but apache2 won't run them then.
>
> I have seen suidperl, but I am not sure what it does.
>
> Basically I have tried everything I know at present, read all the perlfaq9
> and relevant CGI FAQ etc.
>
> Does someone with more experience have any tips, as I am now at a loss.
>
> Thanks.
>
>
> --
> Just getting into the best language ever...
> Fancy a yourname@perl.me.uk? Just ask!!!


------------------------------------------------------------
"They're willing to kill people. That makes them dangerous."
--News announcer, about South American drug lords
------------------------------------------------------------

Chris Devers

2005-02-25, 3:55 pm

On Fri, 25 Feb 2005, Gavin Henry wrote:

> [...] the problem is [...] cdrecord needs to be run as root.


I assume cdrecord is being invoked from a system command, right?

Have you considered prefixing that command with `sudo`, and going into
the sudoers file to allow the www user that privilege?

Of course, it would be a bit more complicated than that, as sudo will
prompt for a password that you have to pass back to it somehow, but
after that hurdle I suspect that it should work fine...

Alternatively, have you considered using Webmin? Webmin is a way to do
various system administration tasks through a web browser, and there
appears to be a cdrecord based plugin for it:

<http://kgolding.co.uk/cd2iso.php>

Webmin site:

<http://webmin.com/>

The Book of Webmin (not pirated -- it's at the author's site):

<http://www.swelltech.com/support/webminguide/>

This may be an easier approach to the problem...



--
Chris Devers

Wiggins d'Anconia

2005-02-25, 3:55 pm

Chris Devers wrote:
> On Fri, 25 Feb 2005, Gavin Henry wrote:
>
>
>
>
> I assume cdrecord is being invoked from a system command, right?
>
> Have you considered prefixing that command with `sudo`, and going into
> the sudoers file to allow the www user that privilege?
>
> Of course, it would be a bit more complicated than that, as sudo will
> prompt for a password that you have to pass back to it somehow, but
> after that hurdle I suspect that it should work fine...
>

[snip]

You can use the 'NOPASSWD' flag in the sudoers file for a particular
command/alias, etc. so that the user does not have to enter a password.

man sudoers

http://danconia.org

Thomas Bätzler

2005-02-25, 3:55 pm

Chris Devers <cdevers@pobox.com> suggested:
> Have you considered prefixing that command with `sudo`, and
> going into the sudoers file to allow the www user that privilege?
>
> Of course, it would be a bit more complicated than that, as
> sudo will prompt for a password that you have to pass back to
> it somehow, but after that hurdle I suspect that it should
> work fine...


From "man sudoers":

By default, sudo requires that a user authenticate him or herself
before running a command. This behavior can be modified via the
NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default
for the commands that follow it in the Cmnd_Spec_List.

Conversely, the PASSWD tag can be used to reverse things. For example:

    ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
as root on the machine rushmore as root without authenticating himself.

HTH,
Thomas
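
Added example, not part of the original thread: one way to apply the NOPASSWD suggestions above with a narrowly scoped sudoers rule and a taint-mode CGI that puts no request data on the command line. The web user www-data, the paths /usr/bin/sudo, /usr/bin/cdrecord and /var/spool/burn/current.iso, the device dev=/dev/cdrom and the "confirm" form field are all assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Assumed names: web user www-data,
# /usr/bin/sudo, /usr/bin/cdrecord, dev=/dev/cdrom, /var/spool/burn/current.iso.
#
# sudoers entries (edit with visudo):
#   Too broad, any bug in the CGI becomes root:
#     www-data ALL = NOPASSWD: ALL
#   Scoped, one binary with exactly these arguments:
#     www-data ALL = (root) NOPASSWD: /usr/bin/cdrecord dev=/dev/cdrom /var/spool/burn/current.iso
#   If the system sets "Defaults requiretty", exempt only this user:
#     Defaults:www-data !requiretty
use strict;
use warnings;
use CGI;
use CGI::Carp;    # timestamps warn/die output in the server error log

# Taint mode refuses to run external commands while PATH is inherited; pin it.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constant argument list: it must match the sudoers rule word for word.
my @BURN = ('/usr/bin/sudo', '-n', '/usr/bin/cdrecord',
            'dev=/dev/cdrom', '/var/spool/burn/current.iso');

# Runs the burn and returns an empty string on success or a reason on failure.
sub run_burn {
    # List-form system(): no shell. sudo -n exits with an error instead of
    # prompting for a password when the sudoers rule does not match.
    my $rc = system(@BURN);
    return "could not start sudo: $!"           if $rc == -1;
    return sprintf('killed by signal %d', $rc & 127) if $rc & 127;
    return sprintf('exit status %d', $rc >> 8)  if $rc >> 8;
    return '';
}

$| = 1;
my $q = CGI->new;
print $q->header('text/plain');

# Act only on an explicit POST confirmation; the value is compared, never executed.
my $method  = $q->request_method // '';
my $confirm = $q->param('confirm') // '';
if ($method eq 'POST' && $confirm eq 'yes') {
    my $err = run_burn();
    warn "burn failed: $err\n" if $err;    # detail goes to the error log only
    print $err ? "Burn failed; see the server log.\n" : "Burn complete.\n";
} else {
    print "Burn not confirmed.\n";
}
```

The CGI still has to write the ISO to the fixed path itself, so that directory must be writable by the web user; only the cdrecord step runs as root.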