The situation: I've put some code together that runs mostly as a web-based app, but also has a command-line utility. Its configuration includes a database password, so I put the config into a file under /etc with permissions 0640 owned by developer.www-data.
The problem, of course, is that, although this works fine for apache running it, the command-line utility isn't able to read the config when run by mortal users. I could add the users who need access to group www-data so they can read it, but, well, that would be the wrong solution and I don't want them to be able to read the file directly anyhow.

The obvious solution, then, was to change the ownership of the command-line script to group www-data and make it sgid. The obvious solution doesn't work. With sgid set, everyone except root gets "Permission denied." when they try to execute the utility. Changing the #!/usr/bin/perl to point at suidperl instead produces the odd error "Script is not setuid/setgid in suidperl" if the script is not sgid and "Permission denied." if it is sgid.

So, what do I need to do to make this work without adding all users of the command-line utility to group www-data or making the config file world-readable?

--
When we reduce our own liberties to stop terrorism, the terrorists have already won. - reverius
Innocence is no protection when governments go bad. - Tom Swiss
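One way to carry the group privilege that a `#!` script cannot, added here as an illustrative example and not part of the original post: the Linux kernel ignores setuid/setgid bits on interpreted scripts, so the usual approach is a small compiled wrapper that holds the setgid bit (group www-data, mode 2755) and execs the script with a fixed path and a minimal environment, so that the caller cannot steer the privileged interpreter through PERL5LIB, PERL5OPT or similar variables. The script location /usr/local/bin/mytool.pl and the PATH value are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical location of the Perl command-line utility. A fixed absolute
 * path means the caller cannot substitute a different script. */
#define SCRIPT "/usr/local/bin/mytool.pl"
#define MAX_ARGS 64

/* Minimal environment handed to the script. Only a fixed PATH survives, so
 * PERL5LIB, PERL5OPT, LD_PRELOAD etc. set by the caller never reach the
 * group-privileged run. */
static char **safe_env(void) {
    static char *env[] = { "PATH=/usr/bin:/bin", NULL };
    return env;
}

/* Accept an argument only if it is printable ASCII (no control bytes such as
 * newlines, which could confuse the script's own argument handling). */
static int arg_is_clean(const char *arg) {
    for (const unsigned char *p = (const unsigned char *)arg; *p; p++) {
        if (*p > 0x7e || !isprint(*p)) return 0;
    }
    return 1;
}

/* Build the argv for the script: argv[0] becomes the script path, the
 * caller's own arguments follow. Returns the argument count, or -1 if an
 * argument is rejected or the output array is too small. */
static int build_argv(int argc, char **argv, char **out, int outsize) {
    if (argc < 1 || argc + 1 > outsize) return -1;
    out[0] = SCRIPT;
    for (int i = 1; i < argc; i++) {
        if (!arg_is_clean(argv[i])) return -1;
        out[i] = argv[i];
    }
    out[argc] = NULL;
    return argc;
}

/* True when the setgid bit on the wrapper actually took effect. */
static int running_setgid(void) {
    return getegid() != getgid();
}

int main(int argc, char **argv) {
    char *script_argv[MAX_ARGS + 2];

    /* Without the effective group the script cannot read the 0640 config, so
     * say so up front instead of failing inside the script. (A caller who is
     * already a member of the group will also trip this warning.) */
    if (!running_setgid())
        fprintf(stderr, "wrapper: warning: not running setgid; check group and mode 2755\n");

    if (build_argv(argc, argv, script_argv, MAX_ARGS + 2) < 0) {
        fprintf(stderr, "wrapper: bad or too many arguments\n");
        return 1;
    }

    /* execve only returns on failure; the kernel honours the script's "#!"
     * line, so the script itself needs no setgid bit at all. */
    execve(SCRIPT, script_argv, safe_env());
    perror("wrapper: execve");
    return 1;
}
```

Install the wrapper as `developer:www-data` with mode 2755 and leave the script itself without any sgid bit; the config file keeps its 0640 permissions and only the wrapper's effective group can read it.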