On Nov 16, 2007 11:16 AM, James Olin Oden <james.oden at gmail.com> wrote:
> On 11/16/07, Alfred von Campe <alfred at von-campe.com> wrote:
> > On Nov 16, 2007, at 9:55, Marc Wiatrowski wrote:
> >
> > > Being aware of the security implications, do you have
> > > perl-suidperl-X.rpm installed?
> >
> > I meant I was aware of the implications of running setuid scripts. I
> > was not aware that CentOS' upstream provider had packaged suidperl
> > separately. Installing this package solved my problem. However, I
> > am pursuing an sudo solution at the moment that may work even better
> > for me.
> >
> setuid scripts are not by their nature bad as some would propose. As
> a matter of fact without using a system with mandatory access controls
> like SELinux, they can be effective tools to enhance overall security
> provided you follow some simple guidelines quite rigorously:
>
> - As soon as you start de-elevate your privileges.
> - Only elevate your privileges for as long as you need to (as an example
>   one may need root to open certain files, but once it's opened you do
>   not need root to read and write the file).
> - Try to keep the setuid program as simple as possible. If there is a
>   point where it can throw away its privileges forever then do so.
> - Be very rigorous in determining that a user in the current context
>   they are in should be using the setuid script.
>
> I think the key word in all that is "rigor" and though not used, "aware".
>
> Cheers...james
>

Good suggestions. Also keep in mind that you don't always suid to root. You can also suid to another user (which seems to be the case here).