http://www.perlmonks.org?node_id=545514


in reply to Apache, Catalyst and executing commands that need root permission

Ick ;)

Write them in a db/some storage somewhere, and have a cronjob come along and do ? (Parsing the contents carefully of course)

C.

Re^2: Apache, Catalyst and executing commands that need root permission
by jhourcle (Prior) on Apr 25, 2006 at 11:48 UTC

    This is my normal procedure -- although some people don't like the delay (even checking the files every 5 minutes or so), there are other considerations -- for instance, this allows you to replay the files, should something go wrong. I've also used it to keep the account creation on a different machine, and then polled for new files. For some tasks, this might be overkill, though. sudo, when used correctly (i.e., only given a specific command allowed), can be very secure, and you don't have to worry about making sure that the cronjobs all ran cleanly (which I mentioned recently in Re: Accessing cron job output from a web page?). You get an immediate error message when something goes wrong when you're using sudo.

    What I don't like about sudo is that I have to give permission to the entire webserver. You can mitigate some of this with suEXEC or CGIWrap.

    Oh -- and I don't know what the other command is -- but for the directory creation, you might be able to set the permissions so the webserver user (or wrapped user) can write to the given directory ... I assume the other command is setting the permissions on the directory. If you do end up changing the permissions, and it's UFS, you can set the sticky bit to keep the webserver user from deleting the directories.
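
The spool-and-cron approach discussed in this thread, sketched as the root-side worker that parses each request carefully before acting on it. This is an added example, not code posted by anyone in the thread; the `key=value` request format, the `mkhome` action name, the `.req` file naming and the `/srv/homes` path are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW);   # O_NOFOLLOW: available on Linux and the BSDs
use File::Temp qw(tempdir);

my %ALLOWED = (mkhome => 1);   # hypothetical action name; the only one accepted
my $BASE    = '/srv/homes';    # assumed parent directory

# Validate one request file; return the command as an argument list, or die.
sub plan_request {
    my ($path) = @_;
    # Refuse symlinks planted in the spool, then check the handle we actually opened.
    sysopen(my $fh, $path, O_RDONLY | O_NOFOLLOW) or die "cannot open: $!\n";
    my @st = stat($fh);
    die "not a regular file\n" unless @st && -f _;
    die "request too large\n" if $st[7] > 256;
    my %req;
    while (my $line = <$fh>) {
        chomp $line;
        $line =~ /\A([a-z]+)=(.*)\z/ or die "malformed line\n";
        die "duplicate key\n" if exists $req{$1};
        $req{$1} = $2;
    }
    close $fh;
    die "action not allowed\n" unless $ALLOWED{ $req{action} // '' };
    # Allowlist for the name: rules out '/', '..', whitespace and shell metacharacters.
    ($req{user} // '') =~ /\A[a-z][a-z0-9_]{0,31}\z/ or die "bad user name\n";
    return ('mkdir', '-m', '0750', '--', "$BASE/$req{user}");
}

# Constructed sample requests, as the web application might have written them.
my $spool = tempdir(CLEANUP => 1);
my %samples = (
    '001.req' => "action=mkhome\nuser=alice\n",
    '002.req' => "action=mkhome\nuser=../../etc\n",
    '003.req' => "action=rmhome\nuser=bob\n",
    '004.req' => "action=mkhome\nuser=carol; id\n",
);
for my $name (keys %samples) {
    open(my $out, '>', "$spool/$name") or die "write $name: $!\n";
    print {$out} $samples{$name};
    close $out;
}

opendir(my $dh, $spool) or die "opendir: $!\n";
for my $name (sort grep { /\A\d+\.req\z/ } readdir $dh) {
    my @cmd = eval { plan_request("$spool/$name") };
    if (!@cmd) { chomp(my $why = $@); print "REJECT $name: $why\n"; next; }
    # A real worker would call system(@cmd) here (list form, so no shell parses
    # the arguments) and then move the file aside so it can be replayed.
    print "WOULD RUN $name: @cmd\n";
}
```

Only `001.req` produces a command; the other three are rejected with a reason, which is also what the worker should log so that failed requests are visible to whoever is waiting on them.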