Getting perl code to run sgid

The situation:

I've put some code together that runs mostly as a web-based app, but
also has a command-line utility. Its configuration includes a
database password, so I put the config into a file under /etc with
permissions 0640 owned by developer.www-data.

The problem, of course, is that, although this works fine for apache
running it, the command-line utility isn't able to read the config
when run by mortal users. I could add the users who need access to
group www-data so they can read it, but, well, that would be the
wrong solution and I don't want them to be able to read the file
directly anyhow.

The obvious solution, then, was to change the ownership of the
command-line script to group www-data and make it sgid.

The obvious solution doesn't work. With sgid set, everyone except
root gets "Permission denied." when they try to execute the utility.

Changing the #!/usr/bin/perl to point at suidperl instead produces
the odd error "Script is not setuid/setgid in suidperl" if the script
is not sgid and "Permission denied." if it is sgid.

So, what do I need to do to make this work without adding all users
of the command-line utility to group www-data or making the config
file world-readable?
--
When we reduce our own liberties to stop terrorism, the terrorists
have already won. - reverius
Innocence is no protection when governments go bad. - Tom Swiss