CGI and admin tasks

[Kevin Ratcliffe]

Hi

I am attempting to write a script that can add email accounts that my
boss can use, with a nice html interface. I've done the easy bit,
creating the form. I was going to write a script that writes all the
user details to a file, and then a cron job runs another script that
reads the file and adds the account. But I would like something more
immediate. But the CGI scripts do not have the priveliges to create
accounts. I understand that there will be great security risks in
having the script run suid. Has anybody any ideas?

I am new to perl, but pick things up quickly.

Kev

 

[Greg Bacon]

: I am attempting to write a script that can add email accounts that my
: boss can use, with a nice html interface. I've done the easy bit,
: creating the form. I was going to write a script that writes all the
: user details to a file, and then a cron job runs another script that
: reads the file and adds the account. But I would like something more
: immediate. But the CGI scripts do not have the priveliges to create
: accounts. I understand that there will be great security risks in
: having the script run suid. Has anybody any ideas?

It would almost certainly be better to leave the two separate. One
way to increase responsiveness would be to run a daemon that watches
some rendezvous point rather than your current cronjob. Your privileged
account creater *must* treat its input as untrusted.

Please, please, please be *very* careful. Read the perlsec manpage
several times. Turn on taint checking. Check your input thoroughly.
Borrowing a vivid description from Ross Anderson[*], you're now
programming Satan's computer. Keep that in mind.

[*] See http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/satan.pdf

Greg