[thelist] Perl script as root

Keith cache at dowebscentral.com
Thu Feb 14 11:22:00 CST 2002

Hi Chris
> I wrote a little perl script that catches the ip addresses for people
> trying to access formmail.pl  on my site.  The script is supposed to
> add the ip to the firewall blocking them from accessing my site in the
> future.  Problem is, ipchains needs to be run by root.  I have given
> the script root permissions, but it still won't work right.  Does
> anyone know how to make a script run as root?

>From your description you are tackling the problem from the wrong
end. Changing permissions on the script will have no effect as to
what files the script can write to, you need to either change the
ownership of the script to *root* or change the permissions on the
file it's trying to write to.

If the script is activated by a browser's action changing the script's
ownership to *root* will not work unless you have suEXEC or
CGIWrap enabled. If either is enabled a script will run as it's owner,
therefore allowing a *root* owned script to write to a *root* owned
file. But if neither are enabled the web server will force all browser
initiated scripts to run as *nobody* regardless of who actually owns
the script. (If you do not have suEXEC or CGIWrap enabled do not
enable them over this one issue as doing so would radically change
the way all other scripts work.)

If your browser initiated scripts are running as *nobody* then you
have to change the permissions on the file that the script will write
to. If the file is owned by *root* it will need rw-rw-rw permissions so
that *nobody* can write to it. Be forewarned Chris, if you do that
anyone who has scripting access to your server will also be able to
write a script that will also have rw ability on that file.

The usual way to handle a situation where a browser initiated script
needs to write to a file that is owned by *root* is to have the script
write to a temp file. Then run a cron on a second *root* owned
script that moves the entries from the temp file to the *root* owned
file. Cron jobs run as the owner of the script and therefore scripts
run that way are not limited by the web server to run as *nobody*.

That said, if you are trying to limit access to formmail.pl by IP
address you'll not succeed in keeping spammers from using
formmail.pl as a spam relay. IP addresses are easily faked. In fact
any commercial spammer will be routinely faking the IP address.


More information about the thelist mailing list