good style for remote file edits in Perl?

  1. #1
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    Posts
    670

    good style for remote file edits in Perl?

    I've been given a task to write a perl script that can update a file containing system names on a remote system. This file is of critical importance for an application running on the remote system, so I want to make this thing as bulletproof as possible. I'm looking for any suggestions as to the best way to do this.

    I have SSH authorization keys already in place on the local and remote system, and the Net::SSH and Net::SCP modules to interact with SSH. What do you think is the best way to do this? Should I pull the file down first, modify it, and then push it back, or should I try to modify it on the remote server directly? Any other pitfalls I should be wary of?
    /* You are not expected to understand this. */

  2. #2
    Member
    Join Date
    Jun 2004
    Posts
    77

    Re: good style for remote file edits in Perl?

    Originally posted here by roswell1329
    I've been given a task to write a perl script that can update a file containing system names on a remote system. This file is of critical importance for an application running on the remote system, so I want to make this thing as bulletproof as possible. I'm looking for any suggestions as to the best way to do this.

    I have SSH authorization keys already in place on the local and remote system, and the Net::SSH and Net::SCP modules to interact with SSH. What do you think is the best way to do this? Should I pull the file down first, modify it, and then push it back, or should I try to modify it on the remote server directly? Any other pitfalls I should be wary of?
    You can try the Net::Telnet module, or an easier way is to use Expect.

  3. #3
    Senior Member roswell1329's Avatar
    Join Date
    Jan 2002
    Posts
    670
    Thanks, ghostmachine. The problem isn't the interface to work with the files, it's really just a question of style -- which would be considered better from a security standpoint. I can use the File::Remote module to edit the files in-place on the remote server, or I can use Net::SCP to copy the file down, edit it, and then push it back. Which would you prefer?
    /* You are not expected to understand this. */

  4. #4
    Member
    Join Date
    Jun 2004
    Posts
    77
    Originally posted here by roswell1329
    Thanks, ghostmachine. The problem isn't the interface to work with the files, it's really just a question of style -- which would be considered better from a security standpoint. I can use the File::Remote module to edit the files in-place on the remote server, or I can use Net::SCP to copy the file down, edit it, and then push it back. Which would you prefer?
    If you have no choice but to use these 2 methods, then I would prefer using the File::Remote module to do what you want. (I think there's also an option to specify the path of the scp program; not too sure, you'll have to check it out.)

    But if you have other choices, why not run the script on the actual server itself rather than executing it from another machine... :-)

  5. #5
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    I'm not sure. They both sound like good solutions. I was going to say that if it's a huge file I would download it, edit it, then upload it. But then I thought, what if you only need to make a few changes? Then it might be better to edit in place if it's a bigger file. Or is the idea to completely rewrite the file each time? Eh, I think whichever route you take it'll work fine. A good idea might be to download it for backup but edit it also on the server, then download it under a different name after editing. Then you'll be covering yourself pretty well if something goes wrong. I guess if you're not supposed to have the file on your computer that won't work though. Good luck anyway.

  6. #6
    Senior Member
    Join Date
    Jul 2002
    Posts
    339
    I prefer to download the file.

    It's a *nix box, right? I'm sure you have secured the remote server, but here's what comes to my mind.

    Assumptions:
    - The application account is appl:appl
    - The scp account is update:update
    - You are you@yourhost
    - The updater is update@updatehost

    Create the following directories in the home directory of the update user:
    d-wxrwx--- 2 update appl 0 Mar 30 11:20 incoming
    dr-xrwx--- 2 update appl 0 Mar 30 11:30 outgoing
    -r--r--r-- 1 update appl 500 Mar 30 11:40 readme.txt

    Make sure the update user can't cd to its parent directories.

    sshd options:
    AllowUsers you@yourhost update@updatehost
    DenyGroups appl
    PasswordAuthentication no
    PermitRootLogin no
    Protocol 2

    When the file is ready for updating, the application is responsible for copying it to the outgoing directory.
    An application (a user) on the updatehost will monitor the outgoing directory and download the file if it exists.
    After editing locally, the updater will push it back to the incoming directory of the remote server.
    The application will monitor the contents of the incoming directory, copy the updated file to its original location, and delete the copies in both the outgoing and incoming directories.
    Did I mention backups?

    Hope it's not too complicated. The idea is to not allow any remote users to access the application's directories/files directly. Any comments are welcome.

    Peace always,
    <jdenny>
    Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
    I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds
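
An added example, not code from any poster in this thread: one way the application side of the incoming/outgoing scheme in post #6 could install a pushed file, run as the appl account on the server. The three paths and the one-system-name-per-line format are assumptions.

```perl
#!/usr/bin/perl
# Added example: the application-side install step (runs as appl on the server).
# Paths and the one-name-per-line format are assumptions, not from the thread.
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_NOFOLLOW);
use File::Basename qw(dirname);
use File::Copy qw(copy);
use File::Temp ();
use POSIX qw(strftime);

my $incoming = '/home/update/incoming/systems.txt';  # hypothetical drop file
my $outgoing = '/home/update/outgoing/systems.txt';  # hypothetical export copy
my $live     = '/opt/appl/etc/systems.txt';          # hypothetical live file

# The drop directory is writable by the remote account, so treat its contents
# as untrusted: never follow a symlink, and accept only a regular file.
sysopen(my $in, $incoming, O_RDONLY | O_NOFOLLOW)
    or do { exit 0 if $!{ENOENT}; die "open $incoming: $!\n" };
-f $in or die "not a regular file: $incoming\n";

# Validate every line before touching the live file; one bad line rejects all.
my @names;
while (my $line = <$in>) {
    chomp $line;
    next if $line eq '';
    $line =~ /\A[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?\z/
        or die "line $.: invalid system name, nothing installed\n";
    push @names, $line;
}
close $in;
@names or die "update contains no names, nothing installed\n";

# Back up the current live file first, timestamped beside the original.
my $stamp = strftime('%Y%m%d-%H%M%S', localtime);
copy($live, "$live.$stamp.bak") or die "backup failed: $!\n";

# Write the new contents to a temp file in the same directory, then rename()
# over the live file so the application never reads a half-written list.
my $tmp = File::Temp->new(DIR => dirname($live));
print {$tmp} "$_\n" for @names;
close $tmp or die "write failed: $!\n";
chmod((stat $live)[2] & 07777, $tmp->filename) or die "chmod: $!\n";
rename($tmp->filename, $live) or die "rename failed: $!\n";
$tmp->unlink_on_destroy(0);

# Remove the transfer copies only after the install succeeded.
unlink $incoming, $outgoing;
```

A rejected update leaves the live file and the dropped file untouched, so the bad upload can be inspected before it is removed.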

