0
votes

I'm building a website which will run tcl scripts in the background.

I have a few Tcl scripts which I would like to call from my website and execute. I'm designing the page using PHP on a Linux/Apache server. I have a few users who would be executing these scripts, but the scripts should be executed as that user and not the web user (_www), as the Tcl script will automatically send reports at the end to the user who executed it.

One option I thought of was to change user (su) and then execute the script through shell_exec, but I see some security issues with this.

So is there a better approach to this?

2
possible duplicate of "Running exec as a different user" (comment by user557846)

2 Answers

1
votes

I'd execute the scripts with sudo. You can configure it so that your WWW user can execute 1 single command (your Tcl script) under the other users without requiring a password.

See this for some reference about sudo (especially the configuration section)
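The sudo setup described in this answer, sketched as an added example (not code from the answer or the question): a sudoers rule limited to one script, and a PHP caller that picks the target account from a server-side allowlist. The script path, the accounts `alice` and `bob`, the sudo path and the function name are assumptions.

```php
<?php
// Added example; every name and path below is an assumption, not from the page.
//
// /etc/sudoers.d/tcl-report   (edit with: visudo -f /etc/sudoers.d/tcl-report)
//   _www ALL=(alice,bob) NOPASSWD: /usr/local/bin/report.tcl ""
//
// (alice,bob) limits which accounts _www may become; root is not among them.
// The trailing "" allows the script only with no arguments.
// The script and its directory must not be writable by _www or by alice/bob,
// otherwise the rule amounts to running arbitrary code as those users.

const SUDO          = '/usr/bin/sudo';               // assumed location
const REPORT_SCRIPT = '/usr/local/bin/report.tcl';   // hypothetical script
const ACCOUNT_MAP   = [                              // web login => system account
    'alice@example.com' => 'alice',
    'bob@example.com'   => 'bob',
];

function run_report_as(string $webLogin): array
{
    // The account comes from a fixed map keyed by the authenticated login;
    // nothing from the request is placed on the command line.
    if (!isset(ACCOUNT_MAP[$webLogin])) {
        throw new InvalidArgumentException('no system account for this login');
    }
    $account = ACCOUNT_MAP[$webLogin];

    // Array form of proc_open (PHP >= 7.4) runs the program without a shell.
    // -n makes sudo fail instead of waiting for a password prompt.
    $cmd  = [SUDO, '-n', '-u', $account, '--', REPORT_SCRIPT];
    $spec = [
        0 => ['null'],          // no stdin
        1 => ['pipe', 'w'],     // capture stdout
        2 => ['redirect', 1],   // merge stderr into stdout, one pipe to drain
    ];
    $env  = ['PATH' => '/usr/bin:/bin'];  // minimal environment for the child

    $proc = proc_open($cmd, $spec, $pipes, '/', $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start sudo');
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $exit = proc_close($proc);  // non-zero if sudo refused or the script failed

    return ['account' => $account, 'exit' => $exit, 'output' => $output];
}
```

A non-zero `exit` with a "a password is required" message in `output` means the sudoers rule did not match the command exactly as invoked.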

0
votes

A Tcl-specific solution to this might be to build your Tcl scripts into starpacks — single-file executables — that you then make owned-and-setuid by the user that you want them to run as. This only works for the case where you want the user to be the owner of the script, and not some other user who has logged in over the internet. That latter case is much harder to get right (due to the complex mess of security issues involved), so much so that people deploy entire application infrastructures to deal with it.

Have you considered suEXEC?