Beefy Boxes and Bandwidth Generously Provided by pair Networks
good chemistry is complicated,
and a little bit messy -LW
 
PerlMonks  

Re: Security, root and CGI?

by papidave (Monk)
on Jan 30, 2009 at 12:58 UTC ( #740156=note: print w/ replies, xml ) Need Help??


in reply to Security, root and CGI?

Sudo is a beautiful thing. But, like any powerful tool, it must be used wisely.

I find it most useful to wrap specific tasks (in Perl, naturally) with taint-safe code that restricts what can be done. Then, you grant sudo access only to that script -- not the system utilities it invokes. Since you're running through a web server, sudo access must be granted to the account under which that web server runs, not the account under which the user has been authenticated.

As far as authentication goes, I don't think you need to do it more than once -- if the user as originally authenticated had a role with additional privileges, he or she can do the advanced tasks. If not, access denied. That said, you might want to include a confirmation dialog for tasks that are somewhat risky -- like rebooting a production server.


Comment on Re: Security, root and CGI?

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://740156]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others lurking in the Monastery: (4)
As of 2014-09-16 03:35 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite cookbook is:










    Results (155 votes), past polls