Linux – run specific perl script as root under apache

apache-2.2linuxperlpermissions

I have a perl program that runs fine when called through the Internet via apache on Fedora Linux server.
In that perl script I have a system command which does not run because it needs to be run as root.
I realize all the security ramifications but surely there must be a simple way of clearing a path for a legitimate script to do a legitimate function as root.
I have tried using sudo but I have to remove the requiretty restriction for the apache user and I don't want to weaken security.
There should be a way in apache config to either allow a specific file or directory to run as root but I have not been able to find it. I don't want all cgi-bin to run as root.
Any help is appreciated.

Best Answer

Perl? Perl supports setuid scripts.

https://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts

Perl is a notable exception. It explicitly supports setuid scripts in a secure way. In fact, your script can run setuid even if your OS ignored the setuid bit on scripts. This is because perl ships with a setuid root helper that performs the necessary checks and reinvokes the interpreter on the desired scripts with the desired privileges. This is explained in the perlsec manual. It used to be that setuid perl scripts needed #!/usr/bin/suidperl -wT instead of #!/usr/bin/perl -wT, but on most modern systems, #!/usr/bin/perl -wT is sufficient.

Related Solutions

Ubuntu: let a user run a script with root permissions

If this was a normal binary, you could setuid by running

# chmod u+s /path/to/binary

Unfortunately, scripts can't be setuid. (Well you can, but it's ignored). The reason for this is that the first line of the script tells the OS what interpreter to run the script under. For example if you had a script with:

#!/bin/bash

You'd actually end up running

/bin/bash /path/to/script

Obviously, you'd need the interpreter to be setuid, which would then mean all scripts would be setuid. This would be bad.

You can do this with sudo by putting the following in your /etc/sudoers file by running visudo.

ALL ALL=NOPASSWD: /path/to/script

And now any user can run

$ sudo /path/to/script

This allows them to run the script without typing in their password.

There is an alternative that doesn't require sudo in the command, which requires creating a small setuided binary that execs your script, but every additional setuid binary adds another potential security problem.

Linux – How to run linux bash script from web browser

You want to start with Apache 'suexec':

http://httpd.apache.org/docs/2.2/suexec.html

suexec support is compiled/ready in your default Apache install on a Red Hat/CentOS/Fedora - do a Google on "suexec howto" and you'll find a lot of articles for various tools (PHP, etc.) which will give you ideas.

Best Answer

Related Solutions

Ubuntu: let a user run a script with root permissions

Linux – How to run linux bash script from web browser

Related Topic