Hi, I have made a Perl script that lets me edit a file on the web server. Currently, all I do is change the permissions of the file to allow the user apache runs as to be able to read/write. I know this is a security risk, as it is a quite important file. What is a better way of doing this? Also, the script runs a programme that normally only root can run. I have changed the permissions to +s for the programme, but I know this is also really unsafe. What is a better way of running a programme that only root should be able to execute?

Thanks,
BriteSpaak

You should use a combination of ssh (using DSA or RSA key exchange for the authentication) and sudo to execute the command.

http://search.cpan.org/~dbrobins/Net-SSH-Perl-1.30/lib/Net/SSH/Perl.pm
http://search.cpan.org/~ivan/Net-SSH-0.08/SSH.pm

Sorry, I forgot to say that the script is run through a web browser. I have thought of using sudo for executing the programme, and might do that, but that still leaves reading and writing the file as a problem.

Thanks,
BriteSpaak

Can you be more specific? What type of files do you need to read/write? Are they files that already have utilities for maintaining them, for example, the passwd, shadow, and group files can be modified with the useradd, userdel, and usermod utilities.

Without more specific details on what you need and what you've tried, every solution I suggest will be simple guess work.

I have just finished a web application to maintain our email accounts on our imap and perdition servers. I used the Net::SSH::Perl module to connect and issue sudo commands on several imap servers which add/modify/delete users, which also involves modifing root owned files.

Okay, the file is /etc/squid.conf. The script edits the file itself, with no external utilities helping. I currently just have the file permissions set to rw for the web server, but that means anything running through the web server is able to edit that file (If they tried).

I don't have access to our squid server, so I can't run any tests, but here's the approach I'd start with and adjust as needed.

Run the web site under ssl to make sure you have a secure channel.

Reset the ownership and permissions on the conf file back to its recommended setting i.e. remove write access for the web server account.

Use server side session management (CGI::Session) with a secure login page to the web application and store the usernames/passwords in a database instead of a plain text file.

Use Net::SSH::Perl with key exchange to establish a secure SSH-2 connection to the squid server (ssh login as root or with an account with sudo access).

This next part (reading the conf file) will take some experimenting to find the best approach. The easiest, but probably not the best, would be to issue an ssh cat command and capture the contents of the file into a variable. After making the required changes, you could issue another ssh cmd such as:my ($stdout, $stderror, $exitcode) = $ssh->cmd("sudo echo $squid > /etc/squid/squid.conf");The sudo is optional depending on which account you used to make the ssh connection.