NAME

Sudo - Perl extension for running a command line sudo

SYNOPSIS

  use Sudo;
  my $su;
  
  $su = Sudo->new(
  		  {
		   sudo 	=> '/usr/bin/sudo',
		   sudo_args	=> '...',		   		   
		   username	=> $name, 
		   password	=> $pass,
		   program	=> '/path/to/binary',
		   program_args	=> '...',
		  # and for remote execution ...

		  [hostname	=> 'remote_hostname',]
		  [username	=> 'remote_username']

		  }
		 );
   
  $result = $su->sudo_run();
  if (exists($result->{error})) 
     { 
       &handle_error($result); 
     }
    else
     {
       printf "STDOUT: %s\n",$result->{stdout};
       printf "STDERR: %s\n",$result->{stderr};
       printf "return: %s\n",$result->{rc};
     }
  

DESCRIPTION

Sudo runs commands as another user, provided the system sudo implementation is setup to enable this. This does not allow running applications securely, simply it allows the programmer to run a program as another user (suid) using the sudo tools rather than suidperl. Suidperl is not generally recommended for secure operation as another user. While sudo itself is a single point tool to enable one user to execute commands as another sudo does not itself make you any more or less secure.

Warning: This module does not make your code any more or less secure, it simply uses a different mechanism for running as a different user. This requires a properly configured sudo system to function. It has all the limitations/restrictions of sudo. It has an added vulnerability, in that you may need to provide a plain-text password in a variable. This may be attackable. Future versions of the module might try to address this.

This module specifically runs a single command to get output which is passed back to the user. The module does not currently allow for interactive bidirectional communication between the callee and caller. The module does not spool input into the callee.

Methods

new

The new function creates a new object instance and sets the attributes of the object as presented in a hash form. Relevant attributes are formed as key => value pairs in a hash as follows:

username => $username

Name of the user that will be used to run the command. Equivalent to the -u username option to sudo. Note: You may use #uid rather than the username.

sudo => $sudo_binary

Fully qualified path to sudo. No whitespace allowed. This should be a single continuous string with path separators, and should include the sudo binary file name. E.g. under various Linux, this attribute might be set as sudo = '/usr/bin/sudo'>.

sudo_args => $sudo_args

Any additional sudo arguments you would like to use for the program you are trying to run.

program => $program

Fully qualified path to program binary you wish to run. No whitespace allowed. This should be a single continuous string with path separators, and should include the program binary file name.

program_args => $program_args

Arguments to pass to program you wish to run.

sudo_run

The sudo_run function first checks the attributes to make sure the minimum required set exists, and then attempts to execute sudo without shell interpolation. You will need to take this into account in case you get confusing failure modes. You may set the debug attribute to 1, 2, or 3 to get progressively more information.

The object will return a hash. The hash will have state information within it. If the C'error' key exists, an error occured and you can parse the value to see what the error was. If the run was successful, C'stdout' key exists, and its value corresponds to stdout output from the program run by sudo. Similarly the C'stderr' key will exist for a successful run, and the value corresponds to stderr output from the program run by sudo. The C"rc" key will also be defined with the programs return code.

TODO

I/O currently this is a fancy way to run a command as another user without being suid. Eventually it may evolve to have IO:: goodness, or similar functionality.

BUGS

As this module depends upon IPC::Run, it has all the bugs/limitations of IPC::Run. Spaces in file names, executables, and other odd items which give IPC::Run fits, will give Sudo fits. We would like to fix this, but this requires fixing IPC::Run.

Insecurity as a bug. Security is not a product or feature. It is a process. If your systems are grossly insecure to begin with, using Sudo will not help you. Good security practice (not draconian security practice) is recommended across all systems. Basic common sense on services, file ownership, remote access, and so forth go a long way to helping the process. Start with the basics. Work from there.

SEE ALSO

sudo(8), perl(1), IPC::Run, a good book on locking down a system

AUTHOR

Joe Landman, landman@scalableinformatics.com, http://www.scalableinformatics.com

COPYRIGHT AND LICENSE

Copyright (C) 2004,2005 by Scalable Informatics LLC

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8 or, at your option, any later version of Perl 5 you may have available.