
Re: Getting perl code to run sgid



> The obvious solution, then, was to change the ownership of the
> command-line script to group www-data and make it sgid.

Note that whenever you make a script suid or sgid you are trading in
your padlock for a breadtie.  There are many well known trivial
ways to fool a suid script into giving you a shell of the id it
is set to.  Which may be fine for your application.  If 100% of your
users on that machine would logically be in that group then there
is no difference in the end.  Just as long as you know about it.

Using sudo for this purpose is really much better because it works
better in the cases that you do care about security.  Alternatively
you could write a very small C program which handles the security
details and have it call your script.  But if you don't keep up
on the security details then you should use sudo which does.

Bob
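
A sketch of the "very small C program" option mentioned in the message above, as an added example that is not part of the original post or thread. The interpreter and script paths, the argument policy and the function names are assumptions for illustration; the compiled binary, not the script, is what carries the sgid bit.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed paths (placeholders): adjust to the real interpreter and script. */
#define PERL   "/usr/bin/perl"
#define SCRIPT "/usr/local/lib/example/report.pl"
#define MAX_ARGS 16
/* Fixed environment: PATH, IFS, PERL5LIB etc. from the caller never reach perl. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Accept 1..64 chars of [A-Za-z0-9._-] that do not start with '-'. */
int arg_is_safe(const char *s)
{
    static const char ok[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "abcdefghijklmnopqrstuvwxyz0123456789._-";
    size_t n = strlen(s);
    return n >= 1 && n <= 64 && s[0] != '-' && strspn(s, ok) == n;
}

/* Fill out[] with "perl -T SCRIPT args..."; return -1 if anything is rejected. */
int build_argv(int argc, char **argv, char **out, size_t cap)
{
    size_t k = 0;
    if (argc < 1 || (size_t)argc + 3 > cap)
        return -1;
    out[k++] = PERL;
    out[k++] = "-T";            /* taint mode: script must untaint its inputs */
    out[k++] = SCRIPT;
    for (int i = 1; i < argc; i++) {
        if (!arg_is_safe(argv[i]))
            return -1;
        out[k++] = argv[i];
    }
    out[k] = NULL;
    return 0;
}

int main(int argc, char **argv)
{
    char *args[MAX_ARGS + 4];
    if (build_argv(argc, argv, args, sizeof args / sizeof args[0]) != 0) {
        fputs("wrapper: arguments rejected\n", stderr);
        return 2;
    }
    execve(PERL, args, clean_env);   /* effective gid carries over to perl */
    perror("execve");
    return 127;
}
```

The script itself stays non-sgid and should not be writable by the users who run the wrapper.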

