setuid
Ivan Kohler
ivan at sisd.com
Mon Dec 14 20:19:57 PST 1998
I don't think any modern operating system ships with insecure setuid
scripts anymore. I _know_ Linux 2.0.x doesn't. I hvan't seen that
`disable setuid scripts in your kernel' error from Perl in _years_.
Sounds like something is seriously fubar'ed on your box.
Sorry it didn't work out for you.
On Mon, Dec 14, 1998 at 09:08:16PM -0700, Jay wrote:
>
> Yup -- I have that part down. However, the scripts are still running as
> the Apache user (nobody). This would make me assume that the suidperl
> executable is not being called for some reason. The Apache error logs say
> that something needs to be disabled in the kernel, however there is no
> indication as to where to look or how to disable it.
>
> ~Jay
>
> On Mon, 14 Dec 1998, Ivan Kohler wrote:
>
> > >From the `perlsec' manpage:
> >
> > Perl can emulate the setuid and setgid mechanism
> > when it notices the otherwise useless setuid/gid bits on
> > Perl scripts. It does this via a special executable
> > called suidperl that is automatically invoked for you if
> > it's needed.
> >
> > --
> > Ivan Kohler <ivan at sisd.com> - finger for PGP key - <moc.dsis at navi> relhoK navI
> > Open-source billing and administration for ISPs - http://www.sisd.com/freeside
> > 20 4,16 * * * saytime # please don't be surprised if you find me dreaming too
> >
> > On Sun, Dec 13, 1998 at 08:12:16PM -0700, Jay wrote:
> > >
> > > Well, some progress. I found a binary called 'suidperl' -- however, there
> > > is no man page for it, and I cannot find any information about how to use
> > > it. Any pointers?
> > >
> > > ~Jay
> > >
> > > On Sun, 13 Dec 1998, Ivan Kohler wrote:
> > >
> > > > > My distro did include Perl5.
> > > >
> > > > It probably includes Perl suid emulation in a separate package than the
> > > > normal Perl package.
> > > >
> > > > > I checked out the perlsec manpage, but that
> > > > > recommended that I should rename all of the CGI scripts and then create
> > > > > small C wrappers (with the original script name) to be setuid to call the
> > > > > newly named CGI. While I am sure that is a possible (but pain in the neck)
> > > > > solution, there has to be an easier/better way. :)
> > > >
> > > > The better way is Perl's setuid emulation, also mentioned in the perlsec
> > > > manpage. If your distribution does not include this option (I'd be _very_
> > > > surprised if Slackware didn't), then you will need to recompile Perl.
> > > >
> > > > > I did try the perlsec
> > > > > method on the cust_main.cgi script, however when I executed the new C code
> > > > > that calls the original CGI script, it complains that setuid is still
> > > > > allowed in my kernel. Unfortunately, I am not enough of a coder to get
> > > > > into the kernel source and try to track that down.
> > > > >
> > > > > This brings me to a couple of questions: #1) how to I disable the setuid
> > > > > stuff in the kernel so that the perlsec method will work?
> > > >
> > > > Linux 2.0.x ignores the setuid bit on scripts, which is fine. Perl
> > > > provides setuid emulation. You don't need to change anything in your
> > > > kernel.
> > > >
> > > > > #2) will I need
> > > > > to create a C wrapper for _every_ setuid CGI script in the FreeSide
> > > > > package?
> > > >
> > > > That's one possible solution, yes.
> > > >
> > > > > Finally, #3) where can I get information about that perl-suid
> > > > > package?
> > > >
> > > > That's the name for a Debian package. Check your distributions's
> > > > documentation for the equivalent.
> > > >
> > > > > > Are you sure? *scripts*, not ELF executables? What language?
> > > > > >
> > > > >
> > > > > Hmmm...good point. I just tested it with a quick bash shell script. It did
> > > > > not work. The script was setuid to user 'jay' but when I executed it (as
> > > > > user 'root') it ran as 'root'. Thus, it would seem that all of my other
> > > > > setuid stuff are ELF binaries.
> > > > >
> > > > > So, now that I know my kernel will not support suid scripts, and I do not
> > > > > have the perl-suid pagkage, and the perlsec method (making C wrappers for
> > > > > every suid CGI) doesn't work because of something still enabled in my
> > > > > kernel -- any ideas? :) Thanks for the help.
> > > >
> > > > --
> > > > Ivan Kohler <ivan at sisd.com> - finger for PGP key - <moc.dsis at navi> relhoK navI
> > > > Open-source billing and administration for ISPs - http://www.sisd.com/freeside
> > > > 20 4,16 * * * saytime # please don't be surprised if you find me dreaming too
> > > >
> > >
> > > - J a y J a c o b s o n
> > > - - - - - - - - - - - - - - - - - -
> > > - jay at kinetic.org www.kinetic.org
> > >
> > > Quantum Mechanics: The dreams stuff is made of.
> > >
> >
>
> - J a y J a c o b s o n
> - - - - - - - - - - - - - - - - - -
> - jay at kinetic.org www.kinetic.org
>
> Quantum Mechanics: The dreams stuff is made of.
>
--
Ivan Kohler <ivan at sisd.com> - finger for PGP key - <moc.dsis at navi> relhoK navI
Open-source billing and administration for ISPs - http://www.sisd.com/freeside
20 4,16 * * * saytime # please don't be surprised if you find me dreaming too
More information about the freeside-users
mailing list