I've had/have the same problem. I once hacked on an application that simply runs the CGI as suid and switches back and forth between root and a less privileged user as required. I suppose webmin might fall under that description. Sometimes it's difficult to set up on different systems, but for the most part it's simple and it works, provided you trust your CGI code and what it's doing. You can get a performance boost using Persistent Perl (Speedy CGI), but it also puts the application at odds with mod_perl, so it could never run under mod_perl.

When I started to build my own CGI applications I didn't want to mess with full suid run-as-root privileges, so my approach to the problem was to create separate runs-as-root suid scripts that do small and defined tasks and leave the CGI scripts to run with what limited access they get from the web server. When the CGI needs to do a run-as-root operation, it executes the run-as-root script, passing parameters on the command line and soaking up output from the run-as-root script as return data. One of the parameters passed is the session id of the CGI script. If the run-as-root script can't verify the session id, it simply returns without doing anything.

Splitting the CGI and run-as-root sides into separate scripts offers a lot of flexibility (I think) for how you run the CGI side. But I don't think it's any more secure than a single suid CGI script doing it all. Ultimately, you still depend on the CGI side not doing something stupid with your run-as-root script. I like to think that there's some benefit to be gained by keeping the run-as-root code as small as possible so it's easier to spot potential risks, but that's a warm fuzzy, and not necessarily a hard fact.

So far I've only been working with defined functions (reading DHCP leases for instance), but in the distant future I also expect to access file systems (user mail spools and home directories for example). When that time comes, I'll probably explore a daemon/socket approach.

I've been thinking about this quite a bit. Send me a pm if you want to exchange some code and talk about it more!

In reply to Re: Security, root and CGI? by ruzam
in thread Security, root and CGI? by pileofrogs
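
An added example of the split described in this post (not ruzam's code): a small privileged helper that accepts exactly one whitelisted task plus a session id, verifies the id against a session store, and refuses anything else, followed by the CGI-side call that passes the arguments without a shell. The helper path, the session directory and the assumption that only a privileged login step writes that directory are assumptions, not anything from the thread.

```perl
#!/usr/bin/perl -T
# File 1 (assumed path /usr/local/libexec/cgi-root-helper), installed so
# that it runs as root. Does exactly one named task per invocation.
use strict;
use warnings;

$ENV{PATH} = '/usr/bin:/bin';            # taint mode requires a clean PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $SESSION_DIR = '/var/lib/cgiapp/sessions';  # assumed: root-owned, mode 0700
my $MAX_AGE_MIN = 30;

# Whitelist of tasks the helper knows how to do; anything else is refused.
my %TASKS = (
    dhcp_leases => sub {
        open my $fh, '<', '/var/lib/dhcp/dhcpd.leases' or die "open: $!\n";
        print while <$fh>;
    },
);

exit 2 unless @ARGV == 2;
my ($task, $sid) = @ARGV;

# Untaint by matching strict patterns; reject on any mismatch.
($task) = $task =~ /\A([a-z_]{1,32})\z/    or exit 2;
($sid)  = $sid  =~ /\A([0-9a-f]{32,64})\z/ or exit 2;
exit 2 unless exists $TASKS{$task};

# Verify the session: a file named by the id must exist in the store and be
# fresh. Assumption: only a privileged login step writes this directory.
my $sess = "$SESSION_DIR/$sid";
exit 3 unless -f $sess && (-M $sess) * 24 * 60 <= $MAX_AGE_MIN;

$TASKS{$task}->();
exit 0;

# ---- File 2: the CGI side, running as the web server user ----
# Calls the helper with a list-form pipe open, so $task and $sid are passed
# as argv entries and never go through a shell.
sub run_as_root {
    my ($task, $sid) = @_;
    open my $out, '-|', '/usr/local/libexec/cgi-root-helper', $task, $sid
        or die "cannot run helper: $!\n";
    my $result = do { local $/; <$out> };
    close $out;
    return ($? >> 8, $result);   # exit status and the helper's output
}
```

The session check is only as strong as the write access to the session store: if the web server user can create files there, the CGI side can mint any id it likes, which is the dependency on the CGI side that the post itself points out. Linux and most other kernels ignore the setuid bit on interpreted scripts, so a helper like this is normally wrapped in a setuid binary or invoked through sudo with a fixed command.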