setuid

Christian Eva cjeva at phoinix.com
Sun Dec 13 20:38:56 PST 1998


Jay wrote:

> Well, some progress. I found a binary called 'suidperl' -- however, there
> is no man page for it, and I cannot find any information about how to use
> it. Any pointers?
>

Well, I had a similar problem because in my SuSE 5.3 the suidperl did not have suid
root (under the SuSE installation option secure). When perl has the setuid bit set
on its scripts it automatically executes suidperl. After changing suidperl to
"4755 owner root" the CGIs worked fine.

Christian


> ~Jay
>
> On Sun, 13 Dec 1998, Ivan Kohler wrote:
>
> > > My distro did include Perl5.
> >
> > It probably includes Perl suid emulation in a separate package than the
> > normal Perl package.
> >
> > > I checked out the perlsec manpage, but that
> > > recommended that I should rename all of the CGI scripts and then create
> > > small C wrappers (with the original script name) to be setuid to call the
> > > newly named CGI. While I am sure that is a possible (but pain in the neck)
> > > solution, there has to be an easier/better way. :)
> >
> > The better way is Perl's setuid emulation, also mentioned in the perlsec
> > manpage.  If your distribution does not include this option (I'd be _very_
> > surprised if Slackware didn't), then you will need to recompile Perl.
> >
> > > I did try the perlsec
> > > method on the cust_main.cgi script, however when I executed the new C code
> > > that calls the original CGI script, it complains that setuid is still
> > > allowed in my kernel. Unfortunately, I am not enough of a coder to get
> > > into the kernel source and try to track that down.
> > >
> > > > This brings me to a couple of questions: #1) how do I disable the setuid
> > > stuff in the kernel so that the perlsec method will work?
> >
> > Linux 2.0.x ignores the setuid bit on scripts, which is fine.  Perl
> > provides setuid emulation.  You don't need to change anything in your
> > kernel.
> >
> > > #2) will I need
> > > to create a C wrapper for _every_ setuid CGI script in the FreeSide
> > > package?
> >
> > That's one possible solution, yes.
> >
> > > Finally, #3) where can I get information about that perl-suid
> > > package?
> >
> > That's the name for a Debian package.  Check your distribution's
> > documentation for the equivalent.
> >
> > > > Are you sure?  *scripts*, not ELF executables?  What language?
> > > >
> > >
> > > Hmmm...good point. I just tested it with a quick bash shell script. It did
> > > not work. The script was setuid to user 'jay' but when I executed it (as
> > > user 'root') it ran as 'root'. Thus, it would seem that all of my other
> > > setuid stuff are ELF binaries.
> > >
> > > So, now that I know my kernel will not support suid scripts, and I do not
> > > > have the perl-suid package, and the perlsec method (making C wrappers for
> > > every suid CGI) doesn't work because of something still enabled in my
> > > kernel -- any ideas? :) Thanks for the help.
> >
> > --
> > Ivan Kohler <ivan at sisd.com> - finger for PGP key - <moc.dsis at navi> relhoK navI
> > Open-source billing and administration for ISPs - http://www.sisd.com/freeside
> > 20 4,16 * * * saytime # please don't be surprised if you find me dreaming too
> >
>
> - J a y   J a c o b s o n
> - - - - - - - - - - - - - - - - - -
> - jay at kinetic.org   www.kinetic.org
>
> Quantum Mechanics: The dreams stuff is made of.



--
Christian J Knoepfel Eva
Phoenix Integration
Rosebank Business Park
333 Crumlin Road, Belfast, BT14 7EA, Northern Ireland, U.K.
Phone +44-1232-550300
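
The C-wrapper approach from perlsec that the quoted thread discusses, sketched as an added example that is not part of the original messages or of the Freeside code. It goes beyond a bare exec wrapper by passing the script a scrubbed environment; the script path, the allowlist of CGI variables and the fixed PATH value are assumptions chosen for illustration.

```c
/* Added example: setuid wrapper that execs one fixed script path. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumption: hypothetical install path of the renamed CGI script. */
#define REAL_PATH "/usr/local/lib/cgi-real/cust_main.real.cgi"

/* Assumption: CGI variables the script needs; all others are dropped. */
static const char *const KEEP[] = {
    "REQUEST_METHOD", "QUERY_STRING", "CONTENT_LENGTH", "CONTENT_TYPE",
    "REMOTE_USER", "REMOTE_ADDR", "SCRIPT_NAME", "PATH_INFO", NULL
};
static char SAFE_PATH[] = "PATH=/bin:/usr/bin";

/* Return 1 if "NAME=value" names an allowlisted variable, else 0. */
static int keep_var(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n, i;
    if (eq == NULL) return 0;
    n = (size_t)(eq - entry);
    for (i = 0; KEEP[i] != NULL; i++)
        if (strlen(KEEP[i]) == n && strncmp(entry, KEEP[i], n) == 0)
            return 1;
    return 0;
}

/* Fill out[] with a fixed PATH plus allowlisted entries of in[].
   Returns the number of entries written, or -1 if cap is too small. */
int clean_env(char *const in[], char *out[], size_t cap)
{
    size_t n = 0, i;
    if (cap < 2) return -1;
    out[n++] = SAFE_PATH;
    for (i = 0; in != NULL && in[i] != NULL && n + 1 < cap; i++)
        if (keep_var(in[i])) out[n++] = in[i];
    out[n] = NULL;
    return (int)n;
}

int main(int argc, char *argv[])
{
    extern char **environ;
    char *env[32];
    (void)argc;
    if (clean_env(environ, env, 32) < 0) return 1;
    execve(REAL_PATH, argv, env);  /* returns only on failure */
    perror(REAL_PATH);
    return 1;
}
```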





