Perl permissions

Status
Not open for further replies.

kevin197

Programmer
Mar 21, 2002
88
GB
I've written a Perl script for writing a few pages to different accounts on my cPanel server. The problem is the Perl script is on one account and it will not go back past the public_html dir. I need it to go back to any other user's account on the server so I can write the pages there.

I tried to chown the script to root but then it wouldn't run. How do you get a script to have access to all accounts on the server?
 
Perl scripts won't run as root because Perl knows better. When executing a script without explicitly calling Perl, ex. "./my-script.pl", there's a very small window of opportunity between when the OS reads the #!/usr/bin/perl line and when the Perl interpreter is actually fed the rest of the code. During that period of time an attacker could potentially replace the rest of the code with anything of their own choosing, and then boom, any arbitrary code is being executed as root. Perl knows better than to allow that kind of security risk to happen.

Having said that, there's very little you can do. You can create a new group for your Perl script and then chown every file on the server to that group, but that will only be a temporary fix because as soon as a user uploads something new, the user/group is going to be set back to that user's username and group and you'd have to chgroup the file again.

On the other hand, if you are logged on as root and call your script explicitly via Perl, ex. "perl my-script.pl", that security window is gone and Perl should allow the script to run even though the current user is root.

Other than that, do you have access to WHM as well? You can upload scripts directly to the WHM "site" and they'll run as root. That's pretty much the only place where you can use suexec+root on a Perl script in Apache.

-------------
Cuvou.com | My personal homepage
Project Fearless | My web blog
 
Yes I have access to WHM, it's my own server so I can do what I want if there is anything I can install on it to make it work?

I just tried adding my user to the wheel group but that still didn't work. Whereabouts is the WHM "site"? That sounds like what I need. Then I can call that script from anywhere and pass it the information.
 
Thanks, I found the WHM "site" but now I'm not so sure I need to run it as root.

What I want it to run as is the other account owner.

Just say I have 2 accounts on cpanel.

I want the Perl script to be on one account and run from there. But I want the script to write some files to the 2nd account's folder. It is fine for the username and password to be entered for the 2nd account to write to.

It's a bit like a WYSIWYG html page maker for everyone on the server.

I could just put it in their directory but then if I make changes to the script I have to replace the script in each account.

Is this possible?
 
I'm going to have to say "no, it's not possible."

I did some experimenting with making Perl scripts switch users during execution, and didn't have very good results. What I got was unpredictable. If I tried running a command such as this:

Code:
system ("su test2");

Sometimes it would bring the terminal back to a new bash prompt for test2, and the original Perl script that called that command would block until I 'exit' out of that login shell; effectively, Perl wasn't able to execute commands after switching users.

Other times it would just fail altogether and not even try; just the Perl script would quit processing when it got to that command.

I've tried various different syntaxes for calling su, using system(), backticks... I even tried threading it. No luck. And, Perl doesn't have a built-in command to switch user, so it's not looking too good.

So if you want one Perl script to be able to manipulate files owned by two different users, you'll have to run the script as somebody with the power to do so.

One idea might be, if you edit the sudoers file and create a user just for your Perl script and allow it to use sudo without a password (you'd probably want to limit the commands it's allowed to run also), you might be able to have your script just execute specific commands as root.

It wouldn't be very pretty. Perl built-ins wouldn't work with sudo, you'd have to use all system calls.

Code:
system ("sudo chown nobody:nobody myfile.pl");
system ("sudo chmod 0755 myfile.pl");

However, that's a dodgy area as well. It would make scripting a lot more difficult. For example, the Perl script itself might not be allowed to do a "chdir" to a directory owned by another user, so you'd use "sudo chdir" instead... but even so, Perl wouldn't be able to directly work with files it's not allowed to use.

So you couldn't use open() on a file you don't have permission to... you'd need to system("sudo cat ./file");

Messy, I know, but that's the best you can do.

Just run the script as root to begin with and you should be fine.

-------------
Cuvou.com | My personal homepage
Project Fearless | My web blog
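
The sudo idea from the post above, narrowed to what the original poster asked for (writing as the other account's owner rather than as root), as an added example that is not code from the thread. The sudoers rule, the names "pagewriter" and "siteowners", the /home/<user>/public_html layout and the /usr/bin/tee path are all assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumed sudoers rule (hypothetical
# names "pagewriter" and "siteowners"), installed with visudo:
#   pagewriter ALL=(%siteowners) NOPASSWD: /usr/bin/tee
use strict;
use warnings;

# Build the destination path, or return undef if the input could escape
# /home/<user>/public_html. Layout and name rules are assumptions.
sub target_path {
    my ($user, $rel) = @_;
    return undef unless defined $user && $user =~ /\A[a-z][a-z0-9]{0,15}\z/;
    return undef unless defined $rel
        && $rel =~ m{\A[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)*\z};
    return undef if grep { $_ eq '.' || $_ eq '..' } split m{/}, $rel;
    return "/home/$user/public_html/$rel";
}

# Write $content as the account owner: fork, then exec sudo with an argument
# list so no shell ever parses the user-supplied values.
sub write_as_user {
    my ($user, $rel, $content) = @_;
    my $path = target_path($user, $rel) or die "rejected: bad user or path\n";
    local $SIG{PIPE} = 'IGNORE';        # a failed sudo must not kill the parent
    my $pid = open(my $fh, '|-');       # parent gets a pipe to the child's STDIN
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {                    # child: silence tee's echo of its input
        open(STDOUT, '>', '/dev/null') or die "open /dev/null: $!\n";
        exec('sudo', '-n', '-u', $user, '--', '/usr/bin/tee', '--', $path);
        die "exec sudo failed: $!\n";
    }
    print {$fh} $content;
    close($fh) or die "sudo/tee exited with status $?\n";
    return $path;
}

# Offline demo on constructed inputs: only the validation runs here.
unless (caller) {
    for my $case (['test2', 'index.html'], ['test2', 'blog/post-1.html'],
                  ['test2', '../../etc/passwd'], ['root; id', 'x.html'],
                  ['test2', '/etc/passwd']) {
        my $p = target_path(@$case);
        printf "%-10s %-20s => %s\n", @$case, defined $p ? $p : 'REJECTED';
    }
}
```

Because tee runs as the account owner and not as root, the kernel's normal permission checks still apply to whatever path it is given, so a mistake in the validation cannot reach files that the owner could not already write.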
 
He wants his users to be able to run the script. I suggest he install it in each user's account. If he does edit the Perl script he can use a third party application, the operating system, or even Perl, to install the script into each user's account instead of having to do it manually.

------------------------------------------
- Kevin, perl coder unexceptional! [wiggle]
 
Thanks everyone, very interesting and something to watch for in the future.

I've found a simple way to do it now tho and it works great, don't know why I didn't think of it before.

Because the user logs into the script with their username and password for cPanel, I've just moved the files using Net::FTP.
 