You can use a suid perl/apache but don't do it that way. The best way (IMHO) is to give the web server process permission to execute the program via sudo/sudoers. For example

[root@devel3 log]# cat /etc/sudoers
# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
# See the sudoers man page for the details on how to write a sudoers f
+ile.

# let apache send HUP to squid
apache ALL=NOPASSWD:/home/www/utility/sendHUP.pl


[root@devel3 log]# ll /home/www/utility/sendHUP.pl
-rwxr-xr-x    1 apache   coders       1114 Mar 10 02:43 /home/www/util
+ity/sendHUP.pl


[root@devel3 log]# cat /home/www/utility/sendHUP.pl
#!/usr/bin/perl -w

# this script need to be run as root, to do this we add an entry to
# /etc/sudoers so that apache can run it (you edit using visudo)
# visudo -f /etc/sudoers
# add this line
# apache ALL=NOPASSWD:/home/www/utility/sendHUP.pl
# call as system('sudo', '/home/www/utility/sendHUP.pl');

(kill HUP, $PROGRAM) or exit 42;
exit 0;
[download]

My webserver runs as apache, but yours may be nobody or something else. What the line in sudoers does is allow apache to *potentialy* run the sendHUP.pl with root privileges. This is required to send (in this case squid) a HUP signal. Note that the actual sendHUP.pl script is not owned by root or suid. It is just a normal script. Note also you need to call this with system( 'sudo', '/some/prog.pl' ) from within your script to execute the program with root privilege.

So by using sudo/sudoers you can limit the webserver to being able to execute as little as a single command/program as root which is better than letting it be able to execute lots of stuff which is quite possible if you go the suid root (route ;-)

Note that you can find out what user Apache runs as by looking in the httpd.conf file (mine's located at /etc/httpd/httpd.conf) and looking for lines like

User www
Group www
[download]

Obviously Apache runs as www for me.

grep "^User " `locate httpd.conf`

my ($login,$pass,$uid,$gid) = getpwnam('username');
$) = $gid;
$> = $uid;
#now it should be running as username
[download]

See the manual page of the chmod command for information regarding the setuid bit, which will automatically bump your script up to root (or, more accurately, the owner of the file) whenever it's run. This is what the "s" means in a set of permission flags in a "ls -l" listing.

perlsec has some good information on setuid scripts; you almost certainly want them to run with taint mode on.

This is IMHO bad advice. Firstly it simply won't work for many configurations and secondly suid root and web servers are a dangerous combination - especially if someone needs to have suid explained to them. There are other, safer ways to skin this particular cat.

The original author didn't specify whether it was running on a web server or not - the instance of a CGI script hadn't occurred to me actually. Yes, CGI scripts shouldn't be run suid root.

Perhaps the author could clarify?

Just because it's dangerous isn't a reason not to teach it to them. Everyone has to learn about it for the first time sometime. It is responsible to give them the "But don't do that." disclaimer, though.

Lexicon

Scary.