0

I have a perl program that runs fine when called through the Internet via apache on Fedora Linux server. In that perl script I have a system command which does not run because it needs to be run as root. I realize all the security ramifications but surely there must be a simple way of clearing a path for a legitimate script to do a legitimate function as root. I have tried using sudo but I have to remove the requiretty restriction for the apache user and I don't want to weaken security. There should be a way in apache config to either allow a specific file or directory to run as root but I have not been able to find it. I don't want all cgi-bin to run as root. Any help is appreciated.

xivix
  • 553
  • 2
  • 8
  • 16

1 Answer

2

Perl? Perl supports setuid scripts.

https://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts

Perl is a notable exception. It explicitly supports setuid scripts in a secure way. In fact, your script can run setuid even if your OS ignored the setuid bit on scripts. This is because perl ships with a setuid root helper that performs the necessary checks and reinvokes the interpreter on the desired scripts with the desired privileges. This is explained in the perlsec manual. It used to be that setuid perl scripts needed #!/usr/bin/suidperl -wT instead of #!/usr/bin/perl -wT, but on most modern systems, #!/usr/bin/perl -wT is sufficient.

chx
  • 1,705
  • 2
  • 16
  • 25
  • Thanks. I tried the -wT and got this error: Insecure $ENV{PATH} while running with -T switch – xivix Aug 17 '12 at 21:02
  • For "Insecure $ENV{PATH}" messages, you need to set $ENV{'PATH'} to a known value, and each directory in the path must be non-writable by others than its owner and group. – chx Aug 17 '12 at 21:10
  • how do I set that? – xivix Aug 17 '12 at 22:04
  • `$ENV{'PATH'} = '/bin:/usr/bin';` – chx Aug 17 '12 at 22:39
  • Ok, I put that under the #!/usr/bin/perl -wT line ... but I still get command exited with value 512 – xivix Aug 17 '12 at 23:10
  • should I also include the directory where the script is located? – xivix Aug 17 '12 at 23:15
  • @xivix: you should include only directories where you expect your script to run programs from, or for those programs to run programs from. The purpose of this is to keep your script from running something it shouldn't. This will also be the purpose of every wall `-T` throws at you for the next couple of hours. – DerfK Aug 18 '12 at 03:37
  • Thanks :) ... now that I'm through the walls I can see my real problem ... I'm trying to run an iptables-restore command from a perl script run from apache through the web ... FATAL: Module ip_tables not found. ... iptables-restore v1.4.3.1: iptables-restore: unable to initialize table 'filter' ... I use iptables all the time on this box but apparently without needing the ip_tables module – xivix Aug 18 '12 at 04:13
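Pulling the advice from the answer and the comments together, as an added example that is not the asker's script or chx's code: a taint-mode CGI skeleton that sets `$ENV{PATH}` to a known value, strips the other variables perlsec flags, and only ever runs commands taken from a fixed allow-list, so no web input reaches a shell. The action names and the iptables paths are hypothetical.

```perl
#!/usr/bin/perl -wT
# Added example (not from the original post): taint-mode CGI skeleton in the
# spirit of perlsec. Action names and command paths below are hypothetical.
use strict;
use warnings;

# 1. Clear the environment that -T complains about ("Insecure $ENV{PATH}").
#    Every directory listed must be writable only by its owner and group.
$ENV{PATH} = '/bin:/usr/bin:/sbin:/usr/sbin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # perlsec tells you to drop these too

# 2. Web input never reaches a shell: each action maps to a fixed argv list.
my %allowed_actions = (
    reload => ['/sbin/iptables-restore', '/etc/sysconfig/iptables'],  # hypothetical
    status => ['/sbin/iptables', '-L', '-n'],                          # hypothetical
);

# Untaint by matching against an explicit allow-list. The capture group is what
# removes the taint, so the pattern must be exact; anything else is rejected.
sub untaint_action {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A(reload|status)\z/ ? $1 : undef;
}

# The list form of system() bypasses /bin/sh entirely, so shell metacharacters
# in the arguments are never interpreted. The "command exited with value 512"
# seen in the comments is $? as Perl reports it: $? >> 8 gives exit status 2.
sub run_action {
    my ($name) = @_;
    my $argv = $allowed_actions{$name} or return (undef, 'unknown action');
    my $rc = system(@$argv);
    return ($rc, $rc == 0 ? '' : 'exit status ' . ($? >> 8));
}

# Minimal query-string handling without CGI.pm: read ?action=... from the URL.
# (This capture technically untaints $raw; untaint_action is the real check.)
my ($raw) = ($ENV{QUERY_STRING} // '') =~ /(?:^|&)action=([^&]*)/;
my $action = untaint_action($raw);

print "Content-Type: text/plain\r\n\r\n";
if (!defined $action) {
    print 'rejected: action must be one of: ',
          join(', ', sort keys %allowed_actions), "\n";
} else {
    my ($rc, $err) = run_action($action);
    print defined $rc && $rc == 0 ? "ok\n" : "failed: $err\n";
}
```

Run it as `perl -wT script.pl` with `QUERY_STRING=action=status` in the environment to see the taint checks pass before wiring it into Apache; a non-zero status from the command shows up as `failed: exit status N` rather than the bare 512.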