CGI accessing sensitive framework?
by Anonymous Monk on Jun 01, 2012 at 18:36 UTC
Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:
Hey, Perl monks!
I have a question concerning security.
I have a number of CGI scripts running as user "apache" which all need to call different parts of a framework which is severely restricted to only certain users through both file and directory permissions. The solution I have implemented is a poor hack where I have written simple driver scripts which call into the framework for the specific information needed. I have granted these CGI scripts sudo access to only these simple drivers, and capture their output in temporary files which the CGI scripts then parse.
I would like to do something better, but the "apache" user is limited for good reasons, so playing sudo games is the best solution I have come up with to date. I've contemplated playing UID games, but does this then circumvent all restrictions on the "apache" user? I'm not sure I can grant that kind of access anyways.
So, I'm at a loss. Is there a better approach than writing a number of driver stubs which can access the framework without resorting to creating temporary files?
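An added example, not part of the original post: one way a CGI script can read a sudo-restricted driver's output over a pipe instead of a temporary file, with no shell involved. The driver names and paths, the `/usr/bin/sudo` location and the existence of matching `NOPASSWD` sudoers entries for the "apache" user are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical allow-list: request name -> driver path.
# Each path is assumed to have its own sudoers entry for "apache".
my %DRIVER = (
    status => '/usr/local/libexec/fw-status',   # assumed path
    quota  => '/usr/local/libexec/fw-quota',    # assumed path
);

# Run one allow-listed driver through sudo and return its output lines.
# $prefix is the privilege wrapper; it defaults to "sudo -n".
sub run_driver {
    my ($name, $args, $prefix) = @_;
    my $driver = $DRIVER{$name} or die "unknown driver '$name'\n";
    for my $arg (@$args) {
        # Accept only short, simple tokens that cannot be read as an option.
        die "rejected argument\n"
            unless $arg =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    }
    $prefix ||= ['/usr/bin/sudo', '-n'];   # -n: fail rather than prompt

    # Fixed, minimal environment for the child process.
    local %ENV = (PATH => '/usr/bin:/bin');

    # List-form pipe open: fork and exec without a shell, so arguments are
    # never re-parsed, and the output arrives on $fh with no file on disk.
    open(my $fh, '-|', @$prefix, '--', $driver, @$args)
        or die "cannot start driver: $!\n";
    my @lines = <$fh>;
    chomp @lines;

    # close() on a pipe waits for the child and reports a non-zero exit.
    close($fh)
        or die "driver '$name' failed, exit status " . ($? >> 8) . "\n";
    return @lines;
}

# Demo when run as a script; 'node01' is a constructed sample argument.
unless (caller) {
    my @out = eval { run_driver('status', ['node01']) };
    if ($@) { print "error: $@" } else { print "$_\n" for @out }
}
```

The "apache" user keeps its restrictions here: it can still only start the drivers named in sudoers, and the CGI script chooses among them by key rather than by passing a path.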