Design Advice: Sending signals to daemons through HTTP

I'm using Apache on Ubuntu. I have a Perl script which basically reads the file names of a directory, then rewrites a text file, then sends a signal to a daemon. How can this be done as securely as possible through a web page?

Actually I can run a simplified CGI in the code below, but not if I remove the comments. I'm looking for advice considering any of:

  • Using HTTP Requests?
  • How about Apache file permissions on the directory shown in code?
  • Is htaccess enough to enable user/pass access to the cgi?
  • Should I use a database instead of writing to a file and run a cron querying the db with permission granted to write and send the signal?
  • Granting as few permissions as possible to the webserver.
  • Should I set up a VPN?

#!/usr/bin/perl -wT
use strict;
use CGI;
#@fileList = </home/user/*>; #read a directory listing
my $query = CGI->new();

print $query->header( "text/html" ),
$query->p( "FirstFileNameInArray" ),
#$query->p( $fileList[0] ), #output the first file in directory
$query->end_html;


Presumably, the error you're getting from the commented lines is a permission denied when trying to read the /home/user directory. The way to fix this is (surprise, surprise) to give the apache user[1] permission to read that directory. There are three primary approaches to doing this:

  1. In most environments, there's really no good reason to hide all filenames within a user's home directory, so you could make the directory world-readable with chmod a+r /home/user. Unless you have a specific reason to prevent the general public from knowing the names of the files in the user's home directory, I'd tend to recommend this approach.

  2. If you want to be a bit more restrictive about it, you could change /home/user to be owned by a group which the apache user belongs to (or add the apache user to the group that currently owns /home/user) and then set /home/user to be group-readable. This will make it accessible to all members of that group, but not the general public.

  3. If you need to have standard filesystem permissions applied to web access, you can look at configuring suexec so that individual requests can take on permissions of users other than the apache user. This is normally the user who owns the code which is being run to handle the request (e.g., in this case, the user who owns your directory-listing script), but, if you're using htaccess-based authentication, it may be possible to configure suexec to decide which user's permissions to take on based on what user you log in as. (I avoid suexec myself, so I'm not 100% certain if this can be done and have no idea how to go about it if it can.)

[1] ...by which I mean the user that apache is running as; depending on your system config, this user may be named "apache", "httpd", "nobody", "www-data", or something else entirely.
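
The answer above presumes the failure is a permission error. As an added example (not the asker's or the answerer's code), this version of the question's script writes the actual opendir error to Apache's error log and untaints the names that readdir returns under -T; the list_dir helper and the allowed-character pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;

# Directory from the question; adjust to your layout.
my $DIR = '/home/user';

# Hypothetical helper: returns (\@names, undef) on success or
# (undef, $error_text) so the caller sees the real failure reason.
sub list_dir {
    my ($dir) = @_;
    opendir(my $dh, $dir) or return (undef, "$!");
    my @names;
    for my $entry (readdir $dh) {
        next if $entry =~ /^\./;    # skip ".", ".." and dotfiles
        # readdir results are tainted under -T. Accept only names built
        # from a conservative character set (an assumption) and untaint
        # them through the capture group, so they can later be used in
        # file operations without tripping taint checks.
        next unless $entry =~ /^([A-Za-z0-9][A-Za-z0-9._-]*)$/;
        push @names, $1;
    }
    closedir $dh;
    return ([sort @names], undef);
}

my $q = CGI->new;
my ($names, $err) = list_dir($DIR);

if (defined $err) {
    # STDERR of a CGI ends up in Apache's error log; the client only
    # gets a generic message, not the path or the errno text.
    warn "cannot read $DIR: $err\n";
    print $q->header(-type => 'text/plain', -status => '500 Internal Server Error'),
          "Directory listing is unavailable.\n";
    exit 0;
}

# Escape every name before it reaches the page, even though the
# pattern above already excludes HTML metacharacters.
print $q->header(-type => 'text/html', -charset => 'UTF-8'),
      $q->start_html('Files'),
      $q->ul(map { $q->li($q->escapeHTML($_)) } @$names),
      $q->end_html;
```

If the error log shows "Permission denied", the three approaches above apply; any other message points to a different cause.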
