setuid

Ed Dooner edooner at allvirtual.com
Tue Dec 15 08:37:00 PST 1998 

Ivan,

Can you call us around 2:00 east coast.  We do not have your new number.

Ed Dooner
888-651-0766
www.therom.com
edooner at allvirtual.com
-----Original Message-----
From: Ivan Kohler <ivan at sisd.com>
To: ivan-freeside at sisd.com <ivan-freeside at sisd.com>
Date: Monday, December 14, 1998 3:28 PM
Subject: Re: setuid


>On Mon, Dec 14, 1998 at 12:23:28AM -0700, Jay wrote:
>>
>> Just for kicks -- here is what /var/lib/httpd/log/error-log is reporting:
>>
>> YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET!
>> FIX YOUR KERNEL, PUT A C WRAPPER AROUND THIS SCRIPT, OR USE -u AND
UNDUMP!
>
>I haven't seen this message since SunOS 4.  Maybe you should try chmod
>4755 (not 4711) for suidperl?
>
>> I am tried changing cust_main.cgi to run 'suidperl' instead of
'perl -Tw',
>
>Don't do this.
>
>> I have tried the C wrapper (suggested in the perlsec man page), all of
>> which owned by the user 'freeside' and chmod'd 4755. I also even tried
the
>
>`wrapsuid' from the Perl distribution is a bit more robust.
>
>> C wrapper calling the Perl script set to run 'suidperl' -- still
producing
>> the same results.
>>
>> ~Jay
>>
>> On Mon, 14 Dec 1998, Jay wrote:
>>
>> >
>> > Hmmm...it would seem that my version of /usr/bin/suidperl is already
4711
>> > to root. Here's what I have:
>> >
>> > (root at energy.kinetic.org) 00:02:11
>> > [/var/spool]: l /usr/bin/suidperl
>> > lrwxrwxrwx   1 root     root           15 Nov  6 21:12
/usr/bin/suidperl
>> > -> suidperl5.00404*
>> >
>> > (root at energy.kinetic.org) 00:02:16
>> > [/var/spool]: l /usr/bin/suidperl5.00404
>> > -rws--x--x   1 root     bin      463936 Mar 23  1998
/usr/bin/suidperl5.00404*
>> >
>> > Any other ideas? I am starting to get desperate here. :)
>> >
>> > ~Jay
>> >
>> > On Mon, 14 Dec 1998, Christian Eva wrote:
>> >
>> > > Jay wrote:
>> > >
>> > > > Well, some progress. I found a binary called 'suidperl' -- however,
there
>> > > > is no man page for it, and I cannot find any information about how
to use
>> > > > it. Any pointers?
>> > > >
>> > >
>> > > Well I had a similar problem because in my Suse 5.3 the suidperl did
not have suid
>> > > root(under the SuSE installation option secure). When perl has the
setuid bit set
>> > > on its scripts it
>> > > automatically executes suidperl. After changing suidperl to "4755
owner root" the
>> > > CGI's worked fine.
>> > >
>> > > Christian
>> > >
>> > >
>> > > > ~Jay
>> > > >
>> > > > On Sun, 13 Dec 1998, Ivan Kohler wrote:
>> > > >
>> > > > > > My distro did include Perl5.
>> > > > >
>> > > > > It probably includes Perl suid emulation in a separate package
than the
>> > > > > normal Perl package.
>> > > > >
>> > > > > > I checked out the perlsec manpage, but that
>> > > > > > recommended that I should rename all of the CGI scripts and
then create
>> > > > > > small C wrappers (with the original script name) to be setuid
to call the
>> > > > > > newly named CGI. While I am sure that is a possible (but pain
in the neck)
>> > > > > > solution, there has to be an easier/better way. :)
>> > > > >
>> > > > > The better way is Perl's setuid emulation, also mentioned in the
perlsec
>> > > > > manpage.  If your distribution does not include this option (I'd
be _very_
>> > > > > surprised if Slackware didn't), then you will need to recompile
Perl.
>> > > > >
>> > > > > > I did try the perlsec
>> > > > > > method on the cust_main.cgi script, however when I executed the
new C code
>> > > > > > that calls the original CGI script, it complains that setuid is
still
>> > > > > > allowed in my kernel. Unfortunately, I am not enough of a coder
to get
>> > > > > > into the kernel source and try to track that down.
>> > > > > >
>> > > > > > This brings me to a couple of questions: #1) how to I disable
the setuid
>> > > > > > stuff in the kernel so that the perlsec method will work?
>> > > > >
>> > > > > Linux 2.0.x ignores the setuid bit on scripts, which is fine.
Perl
>> > > > > provides setuid emulation.  You don't need to change anything in
your
>> > > > > kernel.
>> > > > >
>> > > > > > #2) will I need
>> > > > > > to create a C wrapper for _every_ setuid CGI script in the
FreeSide
>> > > > > > package?
>> > > > >
>> > > > > That's one possible solution, yes.
>> > > > >
>> > > > > > Finally, #3) where can I get information about that perl-suid
>> > > > > > package?
>> > > > >
>> > > > > That's the name for a Debian package.  Check your distributions's
>> > > > > documentation for the equivalent.
>> > > > >
>> > > > > > > Are you sure?  *scripts*, not ELF executables?  What
language?
>> > > > > > >
>> > > > > >
>> > > > > > Hmmm...good point. I just tested it with a quick bash shell
script. It did
>> > > > > > not work. The script was setuid to user 'jay' but when I
executed it (as
>> > > > > > user 'root') it ran as 'root'. Thus, it would seem that all of
my other
>> > > > > > setuid stuff are ELF binaries.
>> > > > > >
>> > > > > > So, now that I know my kernel will not support suid scripts,
and I do not
>> > > > > > have the perl-suid pagkage, and the perlsec method (making C
wrappers for
>> > > > > > every suid CGI) doesn't work because of something still enabled
in my
>> > > > > > kernel -- any ideas? :) Thanks for the help.
>> > > > >
>> > > > > --
>> > > > > Ivan Kohler <ivan at sisd.com> - finger for PGP key -
<moc.dsis at navi> relhoK navI
>> > > > > Open-source billing and administration for ISPs -
http://www.sisd.com/freeside
>> > > > > 20 4,16 * * * saytime # please don't be surprised if you find me
dreaming too
>> > > > >
>> > > >
>> > > > - J a y   J a c o b s o n
>> > > > - - - - - - - - - - - - - - - - - -
>> > > > - jay at kinetic.org   www.kinetic.org
>> > > >
>> > > > Quantum Mechanics: The dreams stuff is made of.
>> > >
>> > >
>> > >
>> > > --
>> > > Christian J Knoepfel Eva
>> > > Phoenix Integration
>> > > Rosebank Business Park
>> > > 333 Crumlin Road, Belfast, BT14 7EA, Northern Ireland, U.K.
>> > > Phone +44-1232-550300
>> > >
>> > >
>> > >
>> >
>> > - J a y   J a c o b s o n
>> > - - - - - - - - - - - - - - - - - -
>> > - jay at kinetic.org   www.kinetic.org
>> >
>> > Quantum Mechanics: The dreams stuff is made of.
>> >
>>
>> - J a y   J a c o b s o n
>> - - - - - - - - - - - - - - - - - -
>> - jay at kinetic.org   www.kinetic.org
>>
>> Quantum Mechanics: The dreams stuff is made of.
>>
>
>--
>Ivan Kohler <ivan at sisd.com> - finger for PGP key - <moc.dsis at navi> relhoK
navI
>Open-source billing and administration for ISPs -
http://www.sisd.com/freeside
>20 4,16 * * * saytime # please don't be surprised if you find me dreaming
too
>

More information about the freeside-users mailing list