Running scripts from Perl CGI programs with root permissions

Question

I have a Perl CGI that is supposed to allow a user to select some files from a filesystem, and then send them via Rsync to a remote server. All of the HTML is generated by the Perl script, and I am using query strings and temp files to give the illusion of a stateful transaction. The Rsync part is a separate shell script that is called with the filename as an argument (the script also sends emails and a bunch of other stuff which is why I haven't just moved it into the Perl script). I wanted to use sudo without a password, and I setup sudoers to allow the apache user to run the script without a password and disabled requiretty, but I still get errors in the log about no tty. I tried then using su -c scriptname, but that is failing as well.

TD;DR Is it awful practice to use a Perl CGI script to call a Bash script via sudo, and how are you handling privilege escalation for Perl CGI scripts? Perl 5.10 on Linux 2.6 Kernel.

Relevant Code: (LFILE is a file containing the indexes for the array of all files in the filesystem)

elsif ( $ENV{QUERY_STRING} =~ 'yes' ) {
      my @CMDLINE = qw(/bin/su -c /bin/scriptname.sh);
      print $q->start_html;
      open('TFILE', '<', "/tmp/LFILE");
      print'<ul>';
      foreach(<TFILE>) {
         $FILES[$_] =~ s/\/.*\///g;
         print "Running command @CMDLINE $FILES[$_]";
         print $q->h1("Sending File: $FILES[$_]") ; `@CMDLINE $FILES[$_]` or print $q->h1("Problem: $?);

Answer 1

However you end up doing this, you have to be careful. You want to minimise the chance of a privilege escalation attack. Bearing that in mind….

sudo is not the only way that a user (or process) can execute code with increased privileges. For this sort of application, I would make use of a program with the setuid bit set.

1. Write a program which can be run by an appropriately-privileged user (root, in this case, although see the warning below) to carry out the actions which require that privilege. (This may be the script you already have, and refer to in the question.) Make this program as simple as possible, and spend some time making sure it is well-written and appropriately secure.

2. Set the "setuid bit" on the program by doing something like:

   chmod a+x,u+s transfer_file
   

   This means that anyone can execute the program, but that it runs with the privileges of the owner of the program, not just the user of the program.

3. Call the (privileged) transfer program from the existing (non-privileged) CGI script.

Now, in order to keep required privileges as low as possible, I would strongly avoid carrying out the transfer as root. Instead, create a separate user who has the necessary privileges to do the file transfer, but no more, and make this user the owner of the setuid program. This way, even if the program is open to being exploited, the exploiter can use this user's privileges, not root's.

There are some important "gotchas" in setting up something like this. If you have trouble, ask again on this site.