There's more than one way to do things | |
PerlMonks |
Re: Security, root and CGI?by skx (Parson) |
on Jan 29, 2009 at 22:35 UTC ( [id://740058]=note: print w/replies, xml ) | Need Help?? |
One way of promising that input comes from a particular user, (not script), is to have the communication be asynchronous. Have the CGI application run as user "foo" and create /var/spool/foo which is mode 700. The CGI script can validate and create jobs in this directory that the root process can examine, validate some more, and then process. Thats the cleanest separation I've ever used - in general I prefer to use sudo.
In Section
Seekers of Perl Wisdom
|
|