http://qs321.pair.com?node_id=11121618

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

I have a program that updates a DBM file owned by a service account to cache the result of an expensive query.

We now need user accounts to be able to run this program to query and cache. There is no risk of misuse by users and concurrency is not an issue, but we do want to prevent accidental deletion of the DBM, for example. A theoretical concern exists if an intruder obtained access to the user's shell account, the setuid approach might provide a vector to execute code as the service account that might not otherwise exist.

We have thought of three approaches to permitting access:

The setuid approach is somehow preceived as more risky by IT as it is a well-known risk. My own take is that the webserver opens up risks that are not obvious (and probably exposes some of the same risks as setuid -- namely code may be executed in the name of the service account if the attacker controls the code that updates the DBM). The database approach would be new for us -- and thus implies additional maintenance, infrastructure, and potentially, new authentication surfaces not already in place. However, the database is a well-understood security problem but we perhaps lack in-house experience to approach it correctly.

Wise Monks, my problem cannot be unique. Is there another approach not considered here? What is the best way?

Replies are listed 'Best First'.
Re: Setuid vs. Web Server
by jcb (Parson) on Sep 11, 2020 at 22:06 UTC

    This seems to be the purpose of Unix groups — give the users membership in a "dbmwrite" group that owns the DBM files but does not have write permission in the directory holding the DBM files, which prevents accidental deletion of the files because unlink(2) requires write permission on the containing directory. A close variant of this is to set the sticky bit on the directory containing the DBM files and have the files themselves owned by a service account but with read/write permissions for the "dbmwrite" group. (chown dbmservice:dbmwrite file.dbm)

    You could also look into using POSIX ACLs to grant access to the DBM files to the user accounts that need it.

Re: Setuid vs. Web Server
by perlfan (Vicar) on Sep 11, 2020 at 17:35 UTC
    >We now need user accounts to be able to run this program to query and cache.

    memcached comes to mind