Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change
 
PerlMonks  

RE: RE: Re: How do I execute as root?

by Fastolfe (Vicar)
on Nov 14, 2000 at 01:09 UTC ( #41432=note: print w/replies, xml ) Need Help??


in reply to RE: Re: How do I execute as root?
in thread How do I execute as root?

Check out perlsec, which explains it all. Basically, since you'll be running this as root (with information that is supplied by the user), you need to be certain $USER doesn't contain any evil or harmful characters. If you let the user specify a username of, like, "../../bin", you'd be creating directories and things in very bad places. A simple sanity check should suffice:
($USER) = $cgi->param('user') =~ /(\w+)/;
This would only permit normal alphanumeric characters into $USER, and un-taint it in the process. With taint-checking enabled (-T), Perl will die before letting you use arbitrary user-supplied (or potentially unsafe) information in any critical system calls (like chdir, unlink, open, etc.). Update: Other posts below advocate using a separate script to perform the actual updates as root, and I agree with them 100%. It's infinitely more secure if you keep the user from interacting directly with a setuid script at all. A buffer (in the form of semaphore files or a socket connection) is a better solution to your problem.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://41432]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others cooling their heels in the Monastery: (3)
As of 2021-09-25 12:36 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?