How to run a CGI script as root with password prompt

Posted on 2003-11-07
Last Modified: 2012-06-27
I am looking for a secure way to have a Perl script to run as root under Apache.  The user would be prompted for a password and this password would be verified.  Naturally I would use SSL on the script so that the password does not get passed in the clear.  This is for a commercial product so it cannot be too dependant on system specific configurations.

Things that I have looked into are:

- SUExec (does not support root)

- Using system(SU) - Generally SU is not available to other than root:wheel and not the ID apache runs under.

- suidperl - I understand that this is not recommended and is not always available.

One idea I had was to create a script that would invoke SUDO on a shell script.  The script would verify the root password against etc/password and then proceed to do what it needs to do.  The SUDO script would be set up to be run by anyone and not require a password prompt since the script itself would verify the password from the environment variable for the edit field on the form that invoked the script.

Am I heading down the right path or is there some other more standard way to do this?

Question by:elsamman
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 9701655

Write a Perl program to be the Authenticator, so If authenticated, then execute sudo application B. Write tracking functions to log all calls to application B, maybe even put time restrictions, and if too many invalid tries from a particular IP, etc then short circuit them to the bit bucket or something of the sort.

Author Comment

ID: 9701734
I don't see how that is secure.  If "Application B" which does the work that requires root does not do the authentication then anyone could execute it and bypass the Perl authenticator.  Am I missing something?

Expert Comment

ID: 9702006
You make Application B inaccessable via the internet. Read the Env vars to see if someone attempted a POST or a GET and Deny access is one method.

Another method is to create a secure token that Application B will not work unless it recieves it from the first application.

Place it in a dir that cannot be accessed directly

Deny access to that file directly via conf directives

The method for securing the second application should be a trivial matter.
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).


Expert Comment

ID: 9702010
Using Sudo you have one form of tracking anyways via the sudo logs

Author Comment

ID: 9702093
This might be OK in a really secure environment.  I am dealing with a shared hosting environment where anyone could write a piece of Perl code to execute "Application B".  All CGI applications run under the same user (nobody).  I don't really like passing a token since that is almost like embedding a password in a file which as far as I am concerned should never be done.  Anyone with read access to the programs can find the token/password.  If I am going to pass a token I might as well just pass along the password I collect from the user and let application b authenticate.

Expert Comment

ID: 9702409
ah, usually a shared access environment you don't really want anyone running a root application anyways. So yes that would require a different approach.

The setup wouldn't make me feel that safe with any of those approaches.

I think you would be heading down the correct path with your original idea. Just use the PAM library or something like that to access the password data to do the verfication.

Looks like you had the right idea all along. :)

Expert Comment

ID: 9705296
what web server are you using?

if you are using Apache, you can use a .htaccess file to restrict access to the Perl script with username and password. and then put the Perl script in an SHTTPD directory so that all data going through are secure. this way only authenticated users may access the Perl script and everything coming in and out of the script are secured.
LVL 51

Accepted Solution

ahoffmann earned 500 total points
ID: 9710261
as you already know: suEXEC does not support root.
Apache is safe web server, so only running apache as root itself, which is not recomended, gives you the posibility to run a CGI as root.

Another aproach would be:
  echo 'asroot:x:0:0:alias user for root:/asroot:/usr/bin/tcsh' >>/etc/passwd
then setup apache with suEXEC and allow user asroot to run your CGI (donÄt orget chmod, chown etc.).

Keep in mind that this opens your system for root access.
Also some *nix systems do not support this.
I's not suggest to do it, it's up to you.

Author Comment

ID: 9833375
Actually the solution that I am going with is the usual one.  At the end of every thread on this topic the advice of most sages is "use the cron Luke".  In other words find a way not to have to run your cgi script as root.  Write a script that leaves bread crumbs for a cron job to pick up and do the deed.

The most secure way I have found to do this is leave an indicator of what I want done in a mySQL database row.  I use the mysql user password to authenticate.  A cron job comes along every 5 minutes or so and does the deed.  I

 None the less I did not know about the alias trick and am very greatful to have that in my arsenal for future use.


Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read…
Sending a Secure fax is easy with eFax Corporate ( First, just open a new email message. In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question