CGI and admin tasks

[Kevin Ratcliffe]

Hi

I am attempting to write a script that can add email accounts that my
boss can use, with a nice html interface. I've done the easy bit,
creating the form. I was going to write a script that writes all the
user details to a file, and then a cron job runs another script that
reads the file and adds the account. But I would like something more
immediate. But the CGI scripts do not have the priveliges to create
accounts. I understand that there will be great security risks in
having the script run suid. Has anybody any ideas?

I am new to perl, but pick things up quickly.

Kev

[Greg Bacon]

In article <MU18b.47$R24.40285@newsfep1-win.server.ntli.net>,
Kevin Ratcliffe <kevin.ratcliffe@ntlworld.com> wrote:

: I am attempting to write a script that can add email accounts that my
: boss can use, with a nice html interface. I've done the easy bit,
: creating the form. I was going to write a script that writes all the
: user details to a file, and then a cron job runs another script that
: reads the file and adds the account. But I would like something more
: immediate. But the CGI scripts do not have the priveliges to create
: accounts. I understand that there will be great security risks in
: having the script run suid. Has anybody any ideas?

It would almost certainly be better to leave the two separate. One
way to increase responsiveness would be to run a daemon that watches
some rendezvous point rather than your current cronjob. Your privileged
account creater *must* treat its input as untrusted.

Please, please, please be *very* careful. Read the perlsec manpage
several times. Turn on taint checking. Check your input thoroughly.
Borrowing a vivid description from Ross Anderson[*], you're now
programming Satan's computer. Keep that in mind.
[*] See [url]http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/satan.pdf[/url]

Greg
--
This advice is not a substitute for independent thought
-- Mark-Jason Dominus, "Program Repair Shop"