将用户权限从PHP / Apache传递到Perl脚本
[英]Passing user privileges from PHP/Apache to a Perl script
问题描述
I am a fairly new PHP coder. 
我是一个相当新的PHP编码器。 I have an Apache server running PHP 4.3.9 on which I am trying to bang up a small tool for our internal users. 我有一台运行PHP 4.3.9的Apache服务器,在该服务器上,我试图为内部用户使用一个小工具。 The tool is structured in the following way: PHP code ---calls---> Perl script ---accesses---> File on a protected file system 该工具的结构如下:PHP代码---调用---> Perl脚本--- accesses --->受保护文件系统上的文件
When you open up the .php page in the browser, authentication is automatic. 在浏览器中打开.php页面时,身份验证是自动的。 It is taken care of in the background by, I believe, LDAP. 我相信LDAP是在后台处理的。 $_SERVER["PHP_AUTH_USER"] & $_SERVER["PHP_AUTH_PW"] get populated automatically and correctly. $ _SERVER [“ PHP_AUTH_USER”]和$ _SERVER [“ PHP_AUTH_PW”]自动正确填充。
If I run a whoami in my PHP code, then I see the user as 'apache'. 如果我在PHP代码中运行whoami,则将用户视为“ apache”。 So the Perl script is called in the context and with the privileges of user 'apache'. 因此,在上下文中以用户“ apache”的权限调用Perl脚本。 These privileges are used to access the file on the protected file system. 这些特权用于访问受保护文件系统上的文件。 'apache' doesn't have the required privileges to access this file & the Perl script fails. “ apache”没有访问此文件所需的特权,并且Perl脚本失败。 If I SSH to this server and run the Perl script directly on the shell, it works without any problems because it runs under my user privileges. 如果我通过SSH连接到该服务器并直接在Shell上运行Perl脚本,则该脚本可以正常运行,因为它在我的用户权限下运行。
What I want to do is to run the Perl script with the privileges of the already authenticated user. 我想要做的是使用已经通过身份验证的用户的特权运行Perl脚本。 I can probably figure out a way to just pass $_SERVER["PHP_AUTH_USER"] & $_SERVER["PHP_AUTH_PW"] to the Perl script as an argument and the use it to access the file. 我大概可以想出一种方法,将$ _SERVER [“ PHP_AUTH_USER”]和$ _SERVER [“ PHP_AUTH_PW”]作为参数传递给Perl脚本,并使用它来访问文件。 I was wondering if there is a better way to do it. 我想知道是否有更好的方法。
Any recommendations? 有什么建议吗? Thanks in advance! 提前致谢!
1 个解决方案
解决方案1
0 已采纳 2013-08-14 08:23:41
There's lots of ways to do this - the trick is doing it securely. 有很多方法可以做到这一点-诀窍就是安全地做到这一点。
Ultimately the Perl script has to run with a different uid than the webserver. 最终,Perl脚本必须使用与Web服务器不同的uid来运行。 You've not said whether it's practical to change the code of the perl script. 您没有说过更改perl脚本的代码是否可行。 Possible solutions are: 可能的解决方案是:
1) amend the Perl script to run as a daemon, allowing socket connections to invoke from your PHP code - since you want to run it potentially as multiple users then it would need to run as root and know how to authenticate the credentials sent to it. 1)修改Perl脚本以使其作为守护程序运行,从而允许套接字连接从您的PHP代码中调用-由于您可能希望以多个用户身份运行它,因此它将需要以root用户身份运行并知道如何验证发送给它的凭据。
2) configure sudo on the system to allow the webserver uid to run the Perl script as a different user and prompt for authentication 2)在系统上配置sudo,以允许Web服务器uid以其他用户身份运行Perl脚本并提示进行身份验证
3) configure [x]inetd to listen on a specific port and run the script as the desired uid when your PHP code connects - again this needs to start as root, validate the credentials and setuid() but doesn't need to run as a daemon. 3)配置[x] inetd以侦听特定端口,并在连接PHP代码时将脚本作为所需的uid运行-再次需要以root身份启动,验证凭据和setuid(),但无需以一个守护程序。
4) use the ssh extensions in PHP to create a ssh connection to localhost as the desired user and run the script 4)使用PHP中的ssh扩展名以所需用户的身份创建与localhost的ssh连接并运行脚本
(I don't see how invoking it via crontab provides for privilege seperation). (我看不出通过crontab调用它如何提供特权分离)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.