Re: cgi scripts as root or similar - best method

2005-02-25 Thread Paul Archer
Are you sure that cdrecord needs to run as root? You might check into 
changing permissions on the device itself. Or if this is a trusted 
machine/environment (I assume it is, 'cause most people don't write web apps 
to burn CDs), then you could suid cdrecord itself as root. Be sure you 
understand the security implications of doing that.

Paul
10:08am, Gavin Henry wrote:
Dear all,
I have a working cgi script, well from the commandline.
I haven't enabled -T, but that will be next.
I am using $|++ and CGI::Carp to get things to stdout etc. and show me
errors.
All the script does is creates an ISO file, writes a log and burns the CD
with some Javascript questions to ask if the user wants to continue.
I could paste the code, but I don't think it's relevant to my question.
What the problem is, is that the ISO and log file are to be saved in non
apache2 owned directories and cdrecord needs to be run as root.
I have tried changing the group ownership of these dirs and chmod 775 for
them, but apache2 still can't write to them.
I have looked into suexec, but I am not running VirtualHosts and I have
tried just making the scripts setuid, but apache2 won't run them then.
I have seen suidperl, but I am not sure what it does.
Basically I have tried everything I know at present, read all the perlfaq9
and relevant CGI FAQ etc.
Does someone with more experience have any tips, as I am now at a loss.
Thanks.
--
Just getting into the best language ever...
Fancy a [EMAIL PROTECTED] Just ask!!!
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
http://learn.perl.org/ http://learn.perl.org/first-response


They're willing to kill people. That makes them dangerous.
--News announcer, about South American drug lords




Re: cgi scripts as root or similar - best method

2005-02-25 Thread Chris Devers
On Fri, 25 Feb 2005, Gavin Henry wrote:

 [...] the problem is [...] cdrecord needs to be run as root.

I assume cdrecord is being invoked from a system command, right?

Have you considered prefixing that command with `sudo`, and going into 
the sudoers file to allow the www user that privilege?

Of course, it would be a bit more complicated than that, as sudo will 
prompt for a password that you have to pass back to it somehow, but 
after that hurdle I suspect that it should work fine...

Alternatively, have you considered using Webmin? Webmin is a way to do 
various system administration tasks through a web browser, and there 
appears to be a cdrecord based plugin for it:

http://kgolding.co.uk/cd2iso.php

Webmin site: 

http://webmin.com/

The Book of Webmin (not pirated -- it's at the author's site): 

http://www.swelltech.com/support/webminguide/

This may be an easier approach to the problem...



-- 
Chris Devers





Re: cgi scripts as root or similar - best method

2005-02-25 Thread Gavin Henry
quote who=Chris Devers
 On Fri, 25 Feb 2005, Gavin Henry wrote:

 [...] the problem is [...] cdrecord needs to be run as root.

 I assume cdrecord is being invoked from a system command, right?

I now have it running fine using -T and declaring $ENV{PATH} according
to the Security section of the camel.

Yeah, I have:

 !system (blah, blah) or die blah, blah;


 Have you considered prefixing that command with `sudo`, and going into
 the sudoers file to allow the www user that privilege?

No.


 Of course, it would be a bit more complicated than that, as sudo will
 prompt for a password that you have to pass back to it somehow, but
 after that hurdle I suspect that it should work fine...

I could actually do that for each system command, could I use the expect
perl module for that?


 Alternatively, have you considered using Webmin? Webmin is a way to do
 various system administration tasks through a web browser, and there
 appears to be a cdrecord based plugin for it:

 http://kgolding.co.uk/cd2iso.php


It needs to be scripted via an independent cgi script though :-(


 Webmin site:

 http://webmin.com/

 The Book of Webmin (not pirated -- it's at the author's site):

 http://www.swelltech.com/support/webminguide/

 This may be an easier approach to the problem...


Thanks.

 --
 Chris Devers







Re: cgi scripts as root or similar - best method

2005-02-25 Thread Wiggins d'Anconia
Chris Devers wrote:
On Fri, 25 Feb 2005, Gavin Henry wrote:

[...] the problem is [...] cdrecord needs to be run as root.

I assume cdrecord is being invoked from a system command, right?
Have you considered prefixing that command with `sudo`, and going into 
the sudoers file to allow the www user that privilege?

Of course, it would be a bit more complicated than that, as sudo will 
prompt for a password that you have to pass back to it somehow, but 
after that hurdle I suspect that it should work fine...

[snip]
You can use the 'NOPASSWD' flag in the sudoers file for a particular 
command/alias, etc. so that the user does not have to enter a password.

man sudoers
http://danconia.org



Re: cgi scripts as root or similar - best method

2005-02-25 Thread Gavin Henry

-- 
Just getting into the best language ever...
Fancy a [EMAIL PROTECTED] Just ask!!!

quote who=Wiggins d'Anconia
 Chris Devers wrote:
 On Fri, 25 Feb 2005, Gavin Henry wrote:


[...] the problem is [...] cdrecord needs to be run as root.


 I assume cdrecord is being invoked from a system command, right?

 Have you considered prefixing that command with `sudo`, and going into
 the sudoers file to allow the www user that privilege?

 Of course, it would be a bit more complicated than that, as sudo will
 prompt for a password that you have to pass back to it somehow, but
 after that hurdle I suspect that it should work fine...

 [snip]

 You can use the 'NOPASSWD' flag in the sudoers file for a particular
 command/alias, etc. so that the user does not have to enter a password.

 man sudoers

Excellent, I forgot that. But that's not very system independent, but it's
fair enough, as it's on only one box and I AM using system commands.


P.S. I love the beginners lists!!!


 http://danconia.org











RE: cgi scripts as root or similar - best method

2005-02-25 Thread Thomas Bätzler
Chris Devers [EMAIL PROTECTED] suggested:
 Have you considered prefixing that command with `sudo`, and 
 going into the sudoers file to allow the www user that privilege?
 
 Of course, it would be a bit more complicated than that, as 
 sudo will prompt for a password that you have to pass back to 
 it somehow, but after that hurdle I suspect that it should 
 work fine...

From man sudoers:

By default, sudo requires that a user authenticate him or herself
before running a command.  This behavior can be modified via the
NOPASSWD tag.  Like a Runas_Spec, the NOPASSWD tag sets a default
for the commands that follow it in the Cmnd_Spec_List.

Conversely, the PASSWD tag can be used to reverse things.  For example:

ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
as root on the machine rushmore as root without authenticating himself.

HTH,
Thomas
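
The pieces discussed across this thread (taint mode, a fixed `$ENV{PATH}`, `system`, and a `NOPASSWD` sudoers entry) fit together as in the sketch below. It is an added example, not code from any poster; the web server user `www-data`, the device `/dev/cdrw`, the spool directory and the sub names are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. Assumed names: web server user
# www-data, burner device /dev/cdrw, spool directory /var/spool/burn.
#
# Matching sudoers entry (edit with visudo). It grants one command only,
# never ALL, so the web user gains nothing else as root:
#   www-data ALL = (root) NOPASSWD: /usr/bin/cdrecord
use strict;
use warnings;

# Taint mode refuses to run external commands until PATH is set explicitly
# and the shell-influencing variables are gone (see perlsec).
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $SPOOL  = '/var/spool/burn';   # assumed: writable by the CGI user
my $DEVICE = '/dev/cdrw';         # assumed burner device

# Untaint a user-supplied image name by capturing it with a strict pattern.
# Returns the argv list for the burn, or an empty list if the name is rejected.
sub burn_argv {
    my ($name) = @_;
    return unless defined $name && $name =~ /\A([A-Za-z0-9_-]{1,64}\.iso)\z/;
    my $iso = "$SPOOL/$1";        # $1 is untainted and cannot contain '/' or '..'
    # sudo -n fails instead of prompting if the NOPASSWD rule is missing.
    return ('/usr/bin/sudo', '-n', '/usr/bin/cdrecord',
            "dev=$DEVICE", '-data', $iso);
}

# List-form system() never invokes a shell, so metacharacters in arguments
# are passed through literally rather than interpreted.
sub burn {
    my @argv = burn_argv(@_) or return 'rejected';
    system(@argv) == 0 or return 'cdrecord failed, exit ' . ($? >> 8);
    return 'ok';
}

# Constructed inputs showing what the filter accepts and rejects.
# Nothing is burned here; call burn($name) from the CGI handler to do that.
for my $name ('backup_2005-02-25.iso', '../etc/passwd', 'x.iso; id') {
    my @argv = burn_argv($name);
    printf "%-24s => %s\n", $name, @argv ? "@argv" : 'REJECTED';
}
```

Run it as `perl -T script.pl` or execute the file directly so the `-T` on the shebang line takes effect.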
