On Mon, Mar 18, 2002 at 02:02:38PM -0800, James Lum wrote:
> 1. use suid perl and set the owner as root ... but I do not know if you
> can run a suid perl program under modperl. (anyone? will this work?)

Should be able to -- mod_perl can run other scripts. Suid is something the kernel pays attention to. However, you'll want the script to be owned by root and be in the web server's group.

    % touch script                (basically, create it)
    % chown root:webgroup script
    % chmod a-rwx,g+x script
    % chmod u+s script

That should get it so only the web server can run the script. Otherwise, anyone that can log into the box can do so.

Suid might require that the owner be able to run the script. Not sure - will need to test a bit, perhaps.

You'll also want to make sure all the directories in the directory path leading to the script are read-only. Otherwise, someone can swap directories and put their own script in place. Of course, they need root access (usually) to make something suid-root.

There are probably some other checks you can do -- if the fork is done right, you can probably check the parent pid and make sure it's an Apache process (for example, if you're paranoid -- paranoia is good).

--jim
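
An added example, not part of the original message: a Python check of the two conditions described above, the script's owner and mode bits and the writability of every directory leading to it. The function name and its owner_uid and stop_at parameters are assumptions of this example, and "read-only" is interpreted here as "owned by the expected user and not writable by group or other".

```python
import os
import stat


def audit_suid_script(script, owner_uid=0, stop_at="/"):
    """Return a list of findings for a setuid script and its parent directories.

    owner_uid and stop_at are parameters of this example (assumptions): the
    uid that must own everything, and the directory where the upward walk ends.
    """
    findings = []
    script = os.path.realpath(script)
    stop_at = os.path.realpath(stop_at)

    # The chown/chmod sequence in the message yields root:webgroup, mode 4010:
    # setuid set, group may execute, nothing at all for "other".
    st = os.lstat(script)
    if st.st_uid != owner_uid:
        findings.append(f"{script}: owned by uid {st.st_uid}, expected {owner_uid}")
    if not st.st_mode & stat.S_ISUID:
        findings.append(f"{script}: setuid bit not set")
    if st.st_mode & stat.S_IRWXO:
        findings.append(f"{script}: accessible by 'other'")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{script}: writable by group")

    # Walk every directory from the script's parent up to stop_at. Anyone who
    # can write to one of them can swap a directory and substitute a script.
    d = os.path.dirname(script)
    while True:
        st = os.lstat(d)
        if st.st_uid != owner_uid:
            findings.append(f"{d}: owned by uid {st.st_uid}, expected {owner_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{d}: writable by group or other")
        parent = os.path.dirname(d)
        if d == stop_at or parent == d:
            break
        d = parent
    return findings
```

An empty list means the script and every directory on its path passed; each string otherwise names the path and the condition it failed.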