Beefy Boxes and Bandwidth Generously Provided by pair Networks Joe
Syntactic Confectionery Delight
 
PerlMonks  

CGI accessing sensitive framework?

by Anonymous Monk
on Jun 01, 2012 at 18:36 UTC ( #973836=perlquestion: print w/ replies, xml ) Need Help??
Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hey, Perl monks!

I have a question concerning security.

I have a number of CGI scripts running as user "apache" which all need to call different parts of a framework which is severely restricted to only certain users through both file and directory permissions. The solution I have implemented is a poor hack where I have written simple driver scripts which call into the framework for the specific information needed. I have granted these CGI scripts sudo access to only these simple drivers, and capture their output in temporary files which the CGI scripts then parse.

I would like to do something better, but the "apache" user is limited for good reasons, so playing sudo games is the best solution I have come up with to date. I've contemplated playing UID games, but does this then circumvent all restrictions on the "apache" user? I'm not sure I can grant that kind of access anyways.

So, I'm at a loss. Is there a better approach than writing a number of driver stubs which can access the framework without resorting to creating temporary files?

Comment on CGI accessing sensitive framework?
Re: CGI accessing sensitive framework?
by pemungkah (Priest) on Jun 01, 2012 at 18:41 UTC
    One option would be to run a daemon that has the privileges that are needed, and communicate with it via Unix sockets. That way the Apache user only has the privileges it needs, and the daemon the ones it needs.
[reply]
Re: CGI accessing sensitive framework?
by Illuminatus (Curate) on Jun 01, 2012 at 20:29 UTC
    Not really a perl question, but... apache has all sorts of configuration for specific user authentication. If you use apache's authentication properly, I don't see why you can't allow access as the user you just authenticated. If you don't have permission to change the apache configuration, then that's another story

    fnord

[reply]

Back to Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://973836]
Approved by ww
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (17)
As of 2013-05-20 17:51 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The best material for plates (tableware) is:









    Results (417 votes), past polls