以*适当的*安全性以root身份运行perl cgi [英] Running a perl cgi as root with *proper* security
问题描述
我需要以root用户身份运行一个Perl cgi。
我已经了解了这样做的大多数安全性问题,但让我先解释一下。
I've the need to run one Perl cgi as root. I already understand most of the security concerns of doing this but let me explain first.
Perl cgi可以作为Web服务器运行,但需要sudo访问运行一些命令。
这是我首先要做的,但这不仅允许该cgi运行这些命令,而且还允许整个用户运行Web服务器。
另外,我宁愿使用本机库,而不是使用sudo运行命令,而本机库比运行外部命令要快得多。但是,这些本机库需要对某些操作进行root用户访问。
The Perl cgi could run as the web server but would require sudo access to run some commands. This is what I've done first but this doesn't only allow that cgi to run these commands but the whole user running the web server. Also, instead of running commands with sudo, I would prefer to use native library that are way faster than running external commands. However, these native library requires root access for some of the operations.
所以我想到的是以root用户身份运行单个cgi(尚未真正找到)但是,这是我目前的主要问题)。
我在Perl cgi中要做的第一件事是将有效的uid $> / gid $)更改为非特权用户,并且仅在需要调用其中一个本机库时才将其更改回root需要root用户访问权限,然后将其更改回非特权用户。
So what I had in mind was to run this one single cgi as root (haven't really found how yet, this my main issue right now). The first thing I would do in the Perl cgi would be to change the effective uid $> / gid $) to a non-privileged user and only change it back to root when I need to call one of the native library requiring root access, then change it back to the non-privileged users.
到目前为止,您对此想法有何评论?
So far, do you have any comments on this idea?
回到主要问题:我如何允许该cgi作为root运行?
我看过suexec,但它似乎不允许root
无法在Perl脚本上使用setuid
在这里寻求帮助/想法
Back to the main question: how can I allow that cgi to run as root? I've taken a look at suexec but it doesn't seem to allow root Can't use setuid on a Perl script looking for some help/ideas here
最诚挚的问候
Yannick Bergeron
Yannick Bergeron
推荐答案
我可能会尝试研究两个非常相似的选项之一。
I would likely try to investigate one of two options, both fairly similar.
第一个是作业引擎。您的CGI除了将请求发布到引擎队列外什么也不做。客户会回来调查结果。如果您已经设置了这样的异步队列,则效果很好。引擎本身将以root用户身份运行,以便能够运行请求。当然,请求不会包含要运行的实际命令-安全性仍然是一项重要要求。
The first is a job engine. Your CGI would do nothing but post a request to the engine queue. The client would come back and poll for results. Works well if you already have such an asynchronous queue set up. The engine itself would run as root to be able to run requests. Requests would not, of course, include actual commands to run - security is still a significant requirement.
第二个选项是守护程序。它将在内部端口上侦听(也许仅在本地主机适配器上),并接收请求。然后它将在连接上返回结果。如果您的CGI和守护程序都在perl中,您甚至可以通过Storable进行序列化,尽管我通常更喜欢JSON-JSON并不总是比Storable大,而且通常也没有比Storable大很多。但这是快速,安全的,并且既可以进行不加修改的合理跟踪,也可以根据需要将其不加修改地发送回客户端。
The second option is a daemon. It would listen on an internal port (only on the localhost adapter, perhaps), and receive the requests. It would then return the results on the connection. If your CGI and daemon are both in perl, you could even just serialise via Storable, though I'd generally prefer JSON - it's not always bigger than Storable, and it's not generally a lot bigger than Storable. But it's fast, secure, and amenable to both reasonable tracing without modification and may also be good for sending back to the client without modification, depending on your needs.
再次,安全性-您不发送运行命令或SQL短语,而是发送请求和参数。但这与您的CGI代码相同。
Again, security - you don't send commands to run or SQL phrases, you send requests and parameters. But that's the same as your CGI code.
这两个选项都需要一个额外的过程(或更多)。但是它们也避免了很多开销-您不需要每次都重新初始化C运行时库,不需要每次都重新编译perl代码,等等,并且它们可以处理CGI代码之外的特权。
Both of these options require an extra process (or more). But they also avoid a lot of the overhead - you don't need to reinitialise the C runtime library each time, you don't need to recompile perl code each time, etc., and they take care of privileges outside your CGI code.
这篇关于以*适当的*安全性以root身份运行perl cgi的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
