setuid
Ivan Kohler
ivan at sisd.com
Mon Dec 14 15:40:49 PST 1998
>From the `perlsec' manpage:
Perl can emulate the setuid and setgid mechanism
when it notices the otherwise useless setuid/gid bits on
Perl scripts. It does this via a special executable
called suidperl that is automatically invoked for you if
it's needed.
--
Ivan Kohler <ivan at sisd.com> - finger for PGP key - <moc.dsis at navi> relhoK navI
Open-source billing and administration for ISPs - http://www.sisd.com/freeside
20 4,16 * * * saytime # please don't be surprised if you find me dreaming too
On Sun, Dec 13, 1998 at 08:12:16PM -0700, Jay wrote:
>
> Well, some progress. I found a binary called 'suidperl' -- however, there
> is no man page for it, and I cannot find any information about how to use
> it. Any pointers?
>
> ~Jay
>
> On Sun, 13 Dec 1998, Ivan Kohler wrote:
>
> > > My distro did include Perl5.
> >
> > It probably includes Perl suid emulation in a separate package than the
> > normal Perl package.
> >
> > > I checked out the perlsec manpage, but that
> > > recommended that I should rename all of the CGI scripts and then create
> > > small C wrappers (with the original script name) to be setuid to call the
> > > newly named CGI. While I am sure that is a possible (but pain in the neck)
> > > solution, there has to be an easier/better way. :)
> >
> > The better way is Perl's setuid emulation, also mentioned in the perlsec
> > manpage. If your distribution does not include this option (I'd be _very_
> > surprised if Slackware didn't), then you will need to recompile Perl.
> >
> > > I did try the perlsec
> > > method on the cust_main.cgi script, however when I executed the new C code
> > > that calls the original CGI script, it complains that setuid is still
> > > allowed in my kernel. Unfortunately, I am not enough of a coder to get
> > > into the kernel source and try to track that down.
> > >
> > > This brings me to a couple of questions: #1) how to I disable the setuid
> > > stuff in the kernel so that the perlsec method will work?
> >
> > Linux 2.0.x ignores the setuid bit on scripts, which is fine. Perl
> > provides setuid emulation. You don't need to change anything in your
> > kernel.
> >
> > > #2) will I need
> > > to create a C wrapper for _every_ setuid CGI script in the FreeSide
> > > package?
> >
> > That's one possible solution, yes.
> >
> > > Finally, #3) where can I get information about that perl-suid
> > > package?
> >
> > That's the name for a Debian package. Check your distributions's
> > documentation for the equivalent.
> >
> > > > Are you sure? *scripts*, not ELF executables? What language?
> > > >
> > >
> > > Hmmm...good point. I just tested it with a quick bash shell script. It did
> > > not work. The script was setuid to user 'jay' but when I executed it (as
> > > user 'root') it ran as 'root'. Thus, it would seem that all of my other
> > > setuid stuff are ELF binaries.
> > >
> > > So, now that I know my kernel will not support suid scripts, and I do not
> > > have the perl-suid pagkage, and the perlsec method (making C wrappers for
> > > every suid CGI) doesn't work because of something still enabled in my
> > > kernel -- any ideas? :) Thanks for the help.
> >
> > --
> > Ivan Kohler <ivan at sisd.com> - finger for PGP key - <moc.dsis at navi> relhoK navI
> > Open-source billing and administration for ISPs - http://www.sisd.com/freeside
> > 20 4,16 * * * saytime # please don't be surprised if you find me dreaming too
> >
>
> - J a y J a c o b s o n
> - - - - - - - - - - - - - - - - - -
> - jay at kinetic.org www.kinetic.org
>
> Quantum Mechanics: The dreams stuff is made of.
>
More information about the freeside-users
mailing list