Posted to modperl@perl.apache.org by Simon Dassow <ja...@area319.de> on 2004/09/21 15:49:24 UTC
Re: problem running suid scripts...
Rajesh Pethe wrote:
> I'm new to mod_perl and am enjoying every bit of it,
> I have new problem, I want to execute suid scripts
> from mod_perl
> i.e. the script called from mod_perl should be
> executed as a privileged
> user and not as default 'apache' user.
>
Hi Rajesh,
first of all: avoid using suid.
Second advice: don't use suid.
If you want to execute (particular) actions as root use sudo instead.
Works great and is much more secure. In addition to that you can
configure almost everything you need... e.g. you can tell which user can
call which program at a specified time.
And that can be done without a password... or with password caching.
I hope this is what you are searching for.
Additionally you don't need to run the calling application as root or
under mod_cgi.
I'm really wondering nobody else noticed this yet as suid is evil and
known for security concerns.
Kind regards,
Simon
--
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
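
The sudo setup described in the message above, as an added example that is not part of the original post: a sudoers rule that lets the `apache` user run one program as root without a password, and a Perl wrapper that calls it without a shell. The helper path `/usr/local/sbin/rotate-report`, the sudo location and the function name `run_privileged` are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread.
#
# Assumed sudoers entry (edit with visudo); the helper path is hypothetical:
#
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/rotate-report
#
# Only the 'apache' user may run only this one program as root, and no
# password is asked for. A command listed without arguments may be called
# with any arguments, so the wrapper below validates them itself; writing
# the command followed by "" in sudoers would forbid arguments entirely.
use strict;
use warnings;

my $SUDO   = '/usr/bin/sudo';                  # assumed location of sudo
my $HELPER = '/usr/local/sbin/rotate-report';  # hypothetical helper

# Run the helper as root through sudo and return its output lines.
# Dies if an argument looks unsafe or the helper does not exit cleanly.
sub run_privileged {
    my @args = @_;

    # Accept short, plain tokens only; a leading '-' or '.' is refused so
    # a request value cannot turn into an option or a relative path.
    for my $arg (@args) {
        die "rejected argument\n"
            unless defined $arg
                && $arg =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    }

    # List-form pipe open: no shell is involved, so metacharacters in the
    # arguments are never interpreted. 'sudo -n' fails instead of
    # prompting if the NOPASSWD rule is missing.
    open(my $fh, '-|', $SUDO, '-n', '--', $HELPER, @args)
        or die "cannot start sudo: $!\n";
    my @output = <$fh>;
    close($fh);    # sets $? to the child's wait status

    die "helper failed (wait status $?)\n" if $? != 0;
    return @output;
}

# Example call from a handler, with a constructed argument:
#   my @lines = run_privileged('weekly');
```

The web server itself keeps running as `apache`; only the single helper named in the sudoers rule ever runs as root.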
Re: problem running suid scripts...
Posted by Simon Dassow <ja...@area319.de>.
Clayton Cottingham wrote:
> It's true, but on a secured intranet it shouldn't be so bad
For me there's no ``shouldn't be so bad''. I only stick with something
that is known as good (secure), nothing else. But that's _my_ opinion
about security (and no customer/user complained yet).
> When the PHB {pointy headed boss} says he needs it done today sometimes you
> gotta make that call
Of course, but that doesn't imply unsecure solutions... especially when
it's something like suid where problems are known.
I didn't give this advice to force everyone to use it outright, I only
wanted to mention it at all as nobody else did.
> I don't like it any more than the next guy, but when it comes to providing a
> solution sometimes it HAS to be done
See above. IMHO no one should implement things without knowing the
possible security impacts.
If implementing suid stuff one should know why and how.
> This happened in the last company and we had to use suid, but we opted for
> suidperl other than that I don't really remember much as I was coding and my
> team mate was handling the installs and config for suidperl
I repeat myself if I say something further about that topic... ;-)
Remember: It's my advice so people _know_ there is a secure solution for
this :-)
Kind regards,
Simon
>> Rajesh Pethe wrote:
>>> I'm new to mod_perl and am enjoying every bit of it, I have new
>>> problem, I want to execute suid scripts from mod_perl i.e. the
>>> script called from mod_perl should be executed as a privileged
>>> user and not as default 'apache' user.
>>>
>>
>> Hi Rajesh, first of all: avoid using suid. Second advice: don't use
>> suid. If you want to execute (particular) actions as root use sudo
>> instead.
[...]
>> I'm really wondering nobody else noticed this yet as suid is evil
>> and known for security concerns.
>>
RE: problem running suid scripts...
Posted by Clayton Cottingham <dr...@telus.net>.
It's true, but on a secured intranet it shouldn't be so bad
When the PHB {pointy headed boss} says he needs it done today sometimes you
gotta make that call
I don't like it any more than the next guy, but when it comes to providing a
solution sometimes it HAS to be done
This happened in the last company and we had to use suid, but we opted for
suidperl other than that I don't really remember much as I was coding and my
team mate was handling the installs and config for suidperl
> -----Original Message-----
> From: Simon Dassow [mailto:janus@area319.de]
> Sent: September 21, 2004 6:49 AM
> To: Rajesh Pethe
> Cc: modperl@perl.apache.org
> Subject: Re: problem running suid scripts...
>
> Rajesh Pethe wrote:
> > I'm new to mod_perl and am enjoying every bit of it, I have new
> > problem, I want to execute suid scripts from mod_perl i.e. the script
> > called from mod_perl should be executed as a privileged user and not
> > as default 'apache' user.
> >
>
> Hi Rajesh,
> first of all: avoid using suid.
> Second advice: don't use suid.
> If you want to execute (particular) actions as root use sudo instead.
> Works great and is much more secure. In addition to that you can
> configure almost everything you need... e.g. you can tell which user can
> call which program at a specified time.
> And that can be done without a password... or with password caching.
> I hope this is what you are searching for.
>
> Additionally you don't need to run the calling application as root or
> under mod_cgi.
>
> I'm really wondering nobody else noticed this yet as suid is evil and
> known for security concerns.
>
> Kind regards,
> Simon