
Perl system calls when running as another user using sudo

I have developed a perl script which provides a menu driven functionality to allow users to carry out some simple tasks.

I need the users to be able to carry out tasks such as copying files (keeping the current date and permissions), running other programs (such as less or vi) as a different user. The script makes a lot of use of the system() function. I want the users to start the menu by calling:

sudo -u perluser /usr/bin/perl /data/perlscripts/scripta.pl

This should start the script as perl user, which it does, and then carry out different tasks depending on what the user selects. The problem is that whenever I use a system call such as

system("clear");

I get the following error

Can't exec "clear": Permission denied at /data/perlscripts/scripta.pl line 3

If I run the script by logging in as perluser then it all runs successfully.

Is there any way to get this working? I do not want users to be able to log in as perluser as I need to control what they are able to run. I also do not want to run a command like

system("sudo -u perluser clear");

as I would then require a different team to set up all the sudo commands I wanted to run (which they will probably refuse to do) and this would not be scalable if I have to add extra commands at some point.

Thanks,

Answer1:

I think you probably need to add the -i option ("simulate initial login") to sudo:

sudo -i -u perluser /usr/bin/perl /data/perlscripts/scripta.pl

That will ensure that .profile or .login or whatnot is run properly, and therefore that $PATH is set up properly and so on. It will really be, in almost all respects, as if perluser were actually logging in and running /usr/bin/perl /data/perlscripts/scripta.pl at the shell.

Answer2:

I know that this is a slightly different approach, but couldn't you set perluser's shell to /data/perlscripts/scripta.pl? This would avoid the headaches usually associated with sudo configuration if you have multiple machines. The end user would simply use login perluser instead of sudo. When your script exits, the login session will go away. No need to provide any more of a jail than this, right?

<strong>Alternate (and maybe correct) Answer</strong>

I think that the root of the problem is that Perl's exec does not use a shell in most cases. This means that "clear" is meaningless since the shell is what implements searching through $PATH to find the command. Here is the relevant perldoc from system. Note the emphasis.

o <strong>system</strong> LIST

o <strong>system PROGRAM LIST</strong>

Does exactly the same thing as exec LIST, except that a fork is done first and the parent process waits for the child process to exit. Note that argument processing varies depending on the number of arguments. If there is more than one argument in LIST, or if LIST is an array with more than one value, starts the program given by the first element of the list with arguments given by the rest of the list. If there is only one scalar argument, the argument is checked for shell metacharacters, and if there are any, the entire argument is passed to the system's command shell for parsing (this is /bin/sh -c on Unix platforms, but varies on other platforms). <strong>If there are no shell metacharacters in the argument, it is split into words and passed directly to execvp, which is more efficient.</strong>

Try changing system("clear") to either system("/usr/bin/clear") or system("clear;").
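The following is an added Perl example, not code from the question or either answer. It shows the three dispatch forms described in the perldoc excerpt above (bare name via execvp, shell via /bin/sh -c, absolute path) plus the list form, prints the PATH the child will search (the thing sudo -i changes, per the first answer), and reports exec failures through $! and $? so a "Permission denied" is distinguishable from a shell's "not found". The path /usr/bin/clear and the temporary file name are assumptions; run_and_report is a helper written for this example.

```perl
#!/usr/bin/perl
# Added example (not from the original question or answers): how the
# different spellings of system() are dispatched, and how to report failure.
use strict;
use warnings;

# Run a command through system() exactly as given and explain the outcome.
# Returns true on a zero exit status, false otherwise.
sub run_and_report {
    my (@cmd) = @_;
    my $label = join ' ', @cmd;
    my $rc    = system(@cmd);

    if ($rc == -1) {
        # The child never started: exec itself failed. $! carries errno,
        # e.g. "Permission denied" or "No such file or directory". This is
        # the case the question's error message comes from.
        print "[$label] could not exec: $!\n";
        return 0;
    }
    if ($? & 127) {
        printf "[%s] killed by signal %d\n", $label, $? & 127;
        return 0;
    }
    my $exit = $? >> 8;
    # When the command went through /bin/sh, a missing program shows up
    # here as exit status 127 rather than as a -1 from system().
    print "[$label] exited with status $exit\n";
    return $exit == 0;
}

# The directories execvp() (or the shell) will search for a bare name.
# Compare this output under "sudo -u" and "sudo -i -u" to see the difference.
print "PATH seen by this process: $ENV{PATH}\n";

# 1. One scalar, no shell metacharacters: Perl splits on whitespace and
#    calls execvp() directly. libc does the PATH search; no shell runs.
run_and_report('clear');

# 2. One scalar containing a metacharacter (';'): the whole string is
#    handed to /bin/sh -c, so the shell performs the PATH lookup.
run_and_report('clear;');

# 3. Absolute path: no PATH search at all. Location assumed; verify with
#    `which clear` on the target host.
run_and_report('/usr/bin/clear');

# 4. List form: one element per argument and never a shell, so arguments
#    taken from menu input cannot be reinterpreted as shell syntax.
#    "-p" keeps mode and timestamps, the "current date and permissions"
#    requirement from the question. Destination name is an assumption.
run_and_report('cp', '-p', $0, '/tmp/scripta.copy');
```

Run it twice, once as `sudo -u perluser /usr/bin/perl example.pl` and once with `sudo -i -u perluser`, and compare the PATH line and the result of case 1: if case 1 fails with -1 while case 3 succeeds, the program is reachable but the PATH handed to the child is not usable by perluser. For a menu that passes user-supplied file names to cp, less or vi, the list form in case 4 is the one to standardise on.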
