topic PHP or PERL CGI script permission question in Operating System - Linux

PHP or PERL CGI script permission question

paul.lkw — Tue, 02 Aug 2005 04:29:31 GMT

I want to create a web control panel for clients to check his quota or change password but PHP or PERL CGI execute script using the 'www' user permission. How can I override this? Does the world have any resources about doing this?

THX.

Re: PHP or PERL CGI script permission question

Ralph Grothe — Tue, 02 Aug 2005 05:42:14 GMT

Hi Paul,

you could install sudo, and edit a sudoers file (i.e. as root run visudo) where you would setup rules for user www to run the commands that were required for the quotas checking.

You can either get the sources from here

http://www.courtesan.com/sudo/

or if you happen to run 11i you could even get a prepackaged sudo depot from HP

http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1111

Another option maybe would be to get the Apache sources (if you're happening to be running this webserver) and build it for SuExec support
(albeit it was originally meant to rather restrict than empower rights)
Please see

http://httpd.apache.org/docs/2.0/suexec.html

Anyway, whatever cludge you use please bear in mind to devise utmost care with your CGIs as the restricted rights of httpd child procs were introduced for very good reasons.
Also you should devise some sort of taint checking of any client input, like Perl guarantees by its -T switch.
(if you happen to write your CGIs in Perl,
please also read "perldoc perlsec")

HTH
Ralph

Re: PHP or PERL CGI script permission question

Pat Lieberg — Tue, 02 Aug 2005 09:36:26 GMT

You could just make your CGI write to a file and have a background process that runs as whatever account you want that monitors this file and then executes whatever you need done.

As mentioned, be careful however you implement it. You don't want to open your server up to the world.