Re: Executing a program as another user
by particle (Vicar) on Feb 13, 2002 at 03:59 UTC
|
if available, you should run setuid processing. perl's even built to handle it... see the special variables
$< (real user id),
$> (effective user id),
$( (real group id),
$) (effective group id)
i've run a lot of scripts under setuid. it's secure, and it works.
~Particle
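The four variables listed in the post above are also how a script can confirm that a privilege drop really took effect. The following is an added example, not code from the thread: a helper that is assumed to start with effective uid 0, switches permanently to an account named on the command line, and verifies the result. The allowlist names, the `/usr/bin/id` target and the function name `become_user` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use v5.16;          # also enables strict
use warnings;
use POSIX ();

# Constructed allowlist: accounts the helper may switch to (placeholder names).
my %ALLOWED = map { $_ => 1 } qw(alice bob);

# Permanently switch real, effective and saved ids to those of $user.
sub become_user {
    my ($user) = @_;
    die "user not allowed\n" unless $ALLOWED{$user};
    my (undef, undef, $uid, $gid) = getpwnam($user)
        or die "no such account\n";
    die "refusing uid/gid 0\n" if $uid == 0 || $gid == 0;
    die "need effective uid 0 to switch users (have $>)\n" if $> != 0;

    # Groups first: once the uid is dropped they can no longer be changed.
    $) = "$gid $gid";                           # egid + supplementary group list
    POSIX::setgid($gid) or die "setgid: $!\n";  # real, effective and saved gid
    POSIX::setuid($uid) or die "setuid: $!\n";  # real, effective and saved uid

    # Check the outcome through the id variables instead of trusting the calls.
    my ($rgid) = split ' ', $(;
    my ($egid, @supp) = split ' ', $);
    die "gid drop failed\n" unless $rgid == $gid && $egid == $gid;
    die "extra groups left\n" if grep { $_ != $gid } @supp;
    die "uid drop failed\n" unless $< == $uid && $> == $uid;
    # A permanent drop must not be reversible.
    die "root can be regained\n" if POSIX::setuid(0);
    return 1;
}

# Accept only a conservative account-name pattern from the caller.
my ($user) = (shift(@ARGV) // '') =~ /\A([a-z_][a-z0-9_-]{0,31})\z/
    or die "usage: $0 USER\n";
printf "before: ruid=%d euid=%d rgid=%s egid=%s\n", $<, $>, $(, $);
become_user($user);
printf "after:  ruid=%d euid=%d rgid=%s egid=%s\n", $<, $>, $(, $);
%ENV = (PATH => '/usr/bin:/bin');               # fixed environment for the child
exec '/usr/bin/id' or die "exec: $!\n";
```

Started without root privileges, the helper prints the current ids and stops at the effective-uid check without changing anything.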
|
I can't run setuid, as the user as which the script must be run is decided upon dynamically. Chmodding every time is impossible since the initial script is a CGI and I would run into race conditions.
Re: Executing a program as another user
by wog (Curate) on Feb 13, 2002 at 03:31 UTC
|
You could use Expect.pm to have your program communicate with su through a tty.
|
Could you please supply some example? I have trouble simply understanding what Expect.pm is supposed to do. ;)
|
Well, I guess the CPAN site I pointed to doesn't have really up-to-date documentation... More recent docs for Expect.pm are here,
and would be helpful if you haven't already seen them.
As for examples, the Expect package comes with a bunch of "tutorial" code, which can be seen here.
(Link to web view of CVS; click on the revision number to view any one of those docs quickly...)
Re: Executing a program as another user
by tstock (Curate) on Feb 13, 2002 at 03:54 UTC
|
If you're on a unix system, you could log in as the other user once and setuid the script:
chmod 4755 script_name
I recommend reading perlsec (man perlsec) before doing this.
Tiago
|
The target user is dynamic. Therefore I can't chmod it. I could chmod it every time I run the script, but since the script is a CGI, I would run into race conditions. The task would also be much simpler if the target script to be run as another user wasn't the initial script itself. ;)
|
take a look at CGIwrap, I think it might fit your needs really nicely, and would have suggested sooner if I knew you wanted to run the script as a CGI.
http://cgiwrap.unixtools.org/
Good luck,
Tiago
Re: Executing a program as another user
by vek (Prior) on Feb 13, 2002 at 03:35 UTC
|
You wouldn't have a problem if you just ran your perl program as the other user surely?
|
The initial script is a CGI script and is therefore run as apache.apache.
|
Ok now I get it. You didn't mention that you were referring to a CGI script. You're right, you shouldn't run any other programs as apache.apache for security reasons.