Perl script to run as root (generalized)

I would like to be able to run certain Perl scripts on my system as root, even though the "user" calling them is not running as root.

For each script I can write a C wrapper, setting setuid root for that wrapper; the wrapper would change the UID to 0 and then call the Perl script, which itself would not have the setuid bit set. This avoids unfortunate impediments while attempting to run setuid root Perl scripts.

But I don't want to write a C wrapper for each script. I just want one C wrapper to do the job for the whole system. I also don't want just any script to be able to use this C wrapper; the C wrapper itself should be able to check some specific characteristic of the Perl script to see whether changing the UID to root is acceptable.

I know the risks, I own the system, and I don't want something arbitrarily babysitting me by standing in my way.

To save some discussion time, prior discussion of this question on stackoverflow can be found here.
 
You do know security/sudo exists?
Yes (but it was nonetheless good for you to mention it). The goal is to be able to make a script eligible to be run as root just by changing something about the script itself, without having to update any configuration files and such. This sounds picky, but over the long haul, the more simplified each tiny task (such as root-enabling a Perl script) is, the more simple the overall administration of a system becomes.
 
After some brainstorming:

All the requirements can be met through the following steps. First we show steps which are done just once.

Step one. Since each script which should be run as root has to be marked by user root somehow (otherwise, just any user could do this), the system administrator takes advantage of his privileged status to choose a user ID which will never actually be assigned to anyone. In this example, we use user ID 9999.

Step two. Compile a particular C wrapper and let the object code run suid root. The source code for that wrapper can be found here.

Then, the following two steps are done once for each Perl script to be run as root.

Step one. Begin each Perl script with the following code.

Code:
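# $> is the effective UID; non-zero means we are not root yet,
# so re-run this script through the setuid wrapper.
if($>)
{
  exec { "/path-to-wrapper-program" }
       ( "/path-to-wrapper-program",$0,@ARGV)
    or die "cannot exec wrapper: $!\n";  # do not continue unprivileged
}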

Step two. As root (obviously), change the owner of the Perl script to user 9999. That's it. No updating of databases or text files. All requirements for running a Perl script as root reside with the script itself.

Comment on step one: I actually place the above Perl snippet after these lines:

Code:
use strict;
use warnings FATAL=>"all";

... but suit yourself.
 