setuid

Ivan Kohler ivan at sisd.com
Sun Dec 13 00:11:03 PST 1998


On Sat, Dec 12, 1998 at 11:04:21PM -0700, Jay wrote:
> On Sat, 12 Dec 1998, Ivan Kohler wrote:
> 
> > 
> > I believe Linux 2.0.x ignores the suid bit on scripts.  Perl provides
> > setuid emulation - see the perlsec manpage for details.  On Debian, I
> > install a separate package `perl-suid' to enable this.  I would imagine
> > that Slackware has a similar package.  (With OS's that don't include Perl
> > you need to recompile it.) 
> 
> My distro did include Perl5.

It probably includes Perl suid emulation in a separate package from the
normal Perl package.

> I checked out the perlsec manpage, but that
> recommended that I should rename all of the CGI scripts and then create
> small C wrappers (with the original script name) to be setuid to call the
> newly named CGI. While I am sure that is a possible (but pain in the neck)
> solution, there has to be an easier/better way. :)

The better way is Perl's setuid emulation, also mentioned in the perlsec
manpage.  If your distribution does not include this option (I'd be _very_
surprised if Slackware didn't), then you will need to recompile Perl.

> I did try the perlsec
> method on the cust_main.cgi script, however when I executed the new C code
> that calls the original CGI script, it complains that setuid is still
> allowed in my kernel. Unfortunately, I am not enough of a coder to get
> into the kernel source and try to track that down.
>
> This brings me to a couple of questions: #1) how do I disable the setuid
> stuff in the kernel so that the perlsec method will work?

Linux 2.0.x ignores the setuid bit on scripts, which is fine.  Perl
provides setuid emulation.  You don't need to change anything in your
kernel.

> #2) will I need
> to create a C wrapper for _every_ setuid CGI script in the FreeSide
> package?

That's one possible solution, yes.

> Finally, #3) where can I get information about that perl-suid
> package?

That's the name for a Debian package.  Check your distribution's
documentation for the equivalent.

> > Are you sure?  *scripts*, not ELF executables?  What language?
> > 
> 
> Hmmm...good point. I just tested it with a quick bash shell script. It did
> not work. The script was setuid to user 'jay' but when I executed it (as
> user 'root') it ran as 'root'. Thus, it would seem that all of my other
> setuid stuff are ELF binaries. 
> 
> So, now that I know my kernel will not support suid scripts, and I do not
> have the perl-suid package, and the perlsec method (making C wrappers for
> every suid CGI) doesn't work because of something still enabled in my
> kernel -- any ideas? :) Thanks for the help. 

-- 
Ivan Kohler <ivan at sisd.com> - finger for PGP key - <moc.dsis at navi> relhoK navI
Open-source billing and administration for ISPs - http://www.sisd.com/freeside
20 4,16 * * * saytime # please don't be surprised if you find me dreaming too


