How to successfully run Perl script with setuid() when used as cgi-bin?

轮回少年 2020-12-19 16:44

I have a Perl script that is called either via Apache or on the command-line.

For testing purposes, I pass it the username I want the Perl script to operate with, an

1 answer
  •  自闭症患者
    2020-12-19 17:10

    The only way you can setuid to an arbitrary uid is to run as root.[1]

    I don't know about you, but the idea of a CGI program running as root gives me nightmares.

    What is this code supposed to actually do after changing uid? Perhaps there's a way to accomplish this without having to setuid?

    [1] Depending on your code and its security model, you may be able to collect the user's password and use su/sudo[2] to run a separate command-line program to run the actual operations outside of the web server environment, but su/sudo are able to do this because they're suid root and it would still open up most/all of the issues associated with running CGI code as root anyhow. Even if you filter out root as an invalid username, being able to masquerade as any arbitrary user opens up plenty of opportunities for abuse.

    [2] sudo could even be configured to allow it without requiring a password, but there be dragons down that path. Be sure you know what you're doing if you attempt it, lest you give your users free rein to impersonate each other at will.

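The answer's footnotes describe handing the work to a separate program through sudo instead of running the CGI itself as root. A sketch of that hand-off with the checks that keep it from becoming "impersonate anyone", added here as an example and not part of the original answer; the allowlist, helper path, uid threshold and the www-data account are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumptions for this example (none of these come from the original post).
# Matching sudoers rule, assuming the web server runs as www-data:
#   www-data ALL=(alice,bob) NOPASSWD: /usr/local/libexec/report-helper
my %ALLOWED = map { $_ => 1 } qw(alice bob);       # hypothetical target accounts
my $HELPER  = '/usr/local/libexec/report-helper';  # hypothetical fixed helper
my $MIN_UID = 1000;                                # assumed first ordinary uid

# Return the argv for sudo, or die with a reason. Nothing is executed here.
sub build_sudo_argv {
    my ($requested) = @_;
    die "missing username\n" unless defined $requested;
    # Syntax check first: no leading '-', no whitespace, no shell metacharacters.
    $requested =~ /\A([a-z_][a-z0-9_-]{0,31})\z/
        or die "invalid username syntax\n";
    my $user = $1;    # the captured copy is also untainted under -T
    $ALLOWED{$user} or die "not on the allowlist\n";
    # The account must exist and must not be root or a system account.
    my @pw = getpwnam($user) or die "no such account\n";
    $pw[2] >= $MIN_UID or die "refusing uid $pw[2] (below $MIN_UID)\n";
    # -n: never prompt; sudo fails unless sudoers permits this exact command.
    return ('sudo', '-n', '-u', $user, '--', $HELPER);
}

# Run the helper as the requested user without involving a shell.
sub run_as {
    my @argv = build_sudo_argv(@_);
    local %ENV = (PATH => '/usr/bin:/bin');  # do not pass the CGI environment on
    system { $argv[0] } @argv;               # list form: no shell interpretation
    return $? >> 8;
}

# Constructed inputs. The first three are rejected by the checks above;
# 'alice' passes only if that account exists with a uid >= $MIN_UID.
unless (caller) {
    for my $name ('root', 'alice; id', '-u', 'alice') {
        my @argv = eval { build_sudo_argv($name) };
        if (@argv) { print "ok:       @argv\n"; next }
        chomp(my $why = $@);
        print "rejected: '$name' ($why)\n";
    }
}
```

The username never reaches a shell and the command is fixed on both sides, so a request can only select which allowlisted account runs the one helper.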