Spawning perl script as another user 1

[andy7t]

I'll go through what i am doing, so that it will become clearer.

I've got a 'master' server, and i've got several 'slave' servers.
These slave servers are gaming machines.

The master server has got some perl scripts that tell the slave server (via SOCKETS:INET and the Webserver script on the slave servers) to perform certain actions (like start/restart gaming servers).

So, for example.
On the main server, if i want to restart a remote game server, the main server will use Sockets INET to communicate with a port on the GAMING (Slave) server to tell it to restart.

The webserver on slave checks the key to make sure that just anyone is sending data, and then executes:

system('./home/username/control restart');
This restarts the game server.
However, the game server is now running as root, since webserver.cgi is running as root.
Since there are many 5 or 6 game servers per machine, i would like the game server to be run as it's owners username.

Is this possible.
The things that the webserver needs to do is quite lenghtly, so putting them all in sudoers will basically include everything , from adduser/userdel, reboot, cp to other directorys, mv etc etc. Therefore webserver.cgi needs to be run as root.

The only option i could think of at the moment, was to create another script with a 'listen' port in every users directory, and have that running as the user, and then the webserver contacts that script to perform the action. But that's very long winded :-(.

Surely there is another way?

 

[TrojanWarBlade]

What is /home/username/control ?
Is it a perl script? A C++ program? Is it a shell script even?
What does it do and how does it work?
I think that is our starting point.


Trojan.

 

[andy7t]

Ah right.
Should have mentioned that.
It's a shell script.

It firstly creates a new screen (as in the linux SCREEN command), and then executes a script (it could be any language) which is the actual game server script (for example ./hlds_run for counter strike).

Maybe this is a shell question more than perl, but please help

 

[TrojanWarBlade]

If it were a PERL script you would change userid and groupid like this:

$( = $groupid;
$) = $groupid;
$< = $userid;
$> = $userid;

Assuming that you have the permissions to do so (probably means that you need to be root to do this).
You can check to see if it worked by comparing $< with $userid.


Trojan.

 

[andy7t]

Thanks, that looks just about what i'm after, but little point- where do i put it?

I've created a new perl script that just calls the start server script. Is this right?

#!/usr/bin/perl
$username=$ARGV[0];

# Do i put the change username here?
$> = "$username";

print "My username is $<\n";

$script=`./control start`;

 

[TrojanWarBlade]

Please always "use warnings". It'll reduce the risk of your missing something.
If you can, always "use strict" too.
The '$> = "$username";' firstly doesn't need quotes and secondly needs to be the userID, not the username and thirdly, you will almost certainly need to set the GroupID first as I showed you.


Trojan.

 

[andy7t]

OK, i've tried this, but i'm having problems with group.

I've tried just this as root:

print "Username: $< of group: $( \n";
AND

print "Username: $< of group: $)\n";

Both times it just returns:
Username: 0 of group: 0 10 6 4 3 2 1 0

 

[andy7t]

Sorry!! Ignore that.

DRRRR! That's the groups it belongs to.
Woops.

 

[andy7t]

I'm having a few problems getting which one does which.

$< does this SET userid or read??
$) does this SET groupid or read?

Can you write how i would change userid to 502 and group to 502 and then check its changed :-S

 

[andy7t]

Figured it out, but no joy with the start.

The Perl script is running as the correct user, but any process that it spawns is root again.
The shell script it spawns is running as root :-(

 

[TrojanWarBlade]

my $userid = 502;
my $groupid = 502;
$( = $groupid;
$) = $groupid;
$< = $userid;
$> = $userid;
die "Failed to change UID" unless($< == $userid);

Try that. You can get $userid and $groupid from wherever you like (command line params or a hash lookup or the /etc/passwd file and /etc/group files).


Trojan.

 

[andy7t]

Ah!!!!!!!

Bingo.

I see what it does now.

I didn't set $>.
I guess that $> means that all processes coming off it are running as that user too?
Well, even if it doesn't it does now

When i did $< the process spawned off it was root again, but now it's the correct user!!!

Thanks!