如何在Linux中以root权限运行脚本
我必须开发一个用 CGI 编写的网站。
我想知道如何从 CGI 运行具有 root 权限的脚本。
假设脚本名称是 hello,我从 CGI 运行它,例如 system("pathToTheFile/hello")。
现在我想以 root 身份运行这个 hello 文件;有人可以帮我吗?
I have to develop a Web site written in CGI.
I would like to know how to run a script with root authority from CGI.
Let's say the script name is hello, I run it from CGI like system("pathToTheFile/hello").
Now I would like to run this hello file as root; can anybody help me with this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
一般来说,执行此类操作的最安全方法是使用类 UNIX 操作系统的 setuid 功能。如果将
hello程序的所有者设置为root,然后设置setuid位:那么无论谁执行该程序,它将以 root 身份执行。这适用于本机可执行文件,但不适用于解释脚本。如果“你好”必须是一个脚本,那么这对你不起作用。
现在,我不得不说,一般来说,setuid root 程序并不是一个好主意。通常,您可以创建一个特殊用户来拥有该脚本,并为该用户提供一些所需的有限权限,然后将脚本 setuid 给该用户。
Generally the safest way to do this kind of thing is to use the setuid feature of UNIX-like OSs. If you set the owner of the
helloprogram to beroot, and then set the setuid bit:Then no matter who executes the program, it will execute as root. This works for native executables, but not for interpreted scripts. If "hello" has to be a script, then this won't work for you.
Now, I have to say that in general, setuid root programs aren't a great idea. Often you can create a special user to own the script, and give that user some limited privileges needed, and then make the script setuid to that user.
以 root 身份从网页执行操作的一种更安全的方法是断开程序执行与网页的连接。相反,请使用 Unix 本地套接字、命名管道或排队作业目录。
目录可能是最容易处理的。设置您的网页可以写入文件的目录。当您的页面需要完成某些操作时,请编写一个描述该作业的文件。然后你就有一个以 root 身份运行的程序等待新的作业。如果需要快速响应,它可以连续运行,也可以使用 crontab 条目每分钟或每隔几分钟运行一次。
A much safer method of doing things as root from a web page is to disconnect the program execution from the web page. Instead, use Unix local sockets, named pipes, or a directory of queued jobs.
The directory is probably the easiest to handle. Set up a directory that your web page can write files into. When your page needs something done, write a file describing the job. Then you have a program running as root waiting for new jobs. It can run continuously if it needs fast response or it can run every minute or every few minutes using a crontab entry.
正常的方法是让可执行文件归您要运行它的用户所有,然后设置 SUID 一点。
使用 sudo 的方法通常需要用户输入密码(有很多方法可以解决这个问题,但它们非常复杂)。
我想我不需要提及设置 SUID 位是一件非常危险的事情,是吗?如果有任何其他方法可以实现您想要的功能,您应该使用它。
您可能需要考虑的一件事是,不要根据您需要的解决方案,而是根据您想要解决的问题提出问题。以 root 身份运行是一种解决方案,但不一定是好的解决方案。发布您想要实现的目标而不是如何实现,我们可以以危险得多的方式帮助您。
The normal method would be to have the executable file owned by the user you want to run it as, then set the SUID bit.
The method of using
sudousually requires user input for the password (there are ways around this but they're hideously complex).I suppose I don't need to mention that setting the SUID bit is a very dangerous thing to do, yes? If there's any other way to do what you want, you should use it.
One thing you may want to consider is to pose the question not in terms of the solution you need but in terms of the problem you want solved. Running as root is a solution and not necessarily a good one. Post what you're trying to achieve rather than how, and we can help you out in a far less dangerous way.