Getting perl code to run sgid

The situation:

I've put some code together that runs mostly as a web-based app, but
also has a command-line utility.  Its configuration includes a
database password, so I put the config into a file under /etc with
permissions 0640 owned by developer.www-data.

The problem, of course, is that, although this works fine for apache
running it, the command-line utility isn't able to read the config
when run by mortal users.  I could add the users who need access to
group www-data so they can read it, but, well, that would be the
wrong solution and I don't want them to be able to read the file
directly anyhow.

The obvious solution, then, was to change the ownership of the
command-line script to group www-data and make it sgid.

The obvious solution doesn't work.  With sgid set, everyone except
root gets "Permission denied." when they try to execute the utility.
Changing the #!/usr/bin/perl to point at suidperl instead produces
the odd error "Script is not setuid/setgid in suidperl" if the script
is not sgid and "Permission denied." if it is sgid.

So, what do I need to do to make this work without adding all users
of the command-line utility to group www-data or making the config
file world-readable?

When we reduce our own liberties to stop terrorism, the terrorists
have already won. - reverius

Innocence is no protection when governments go bad. - Tom Swiss
