[freeside] Free Side Error

Ivan Kohler ivan at sisd.com
Fri Jul 16 23:48:15 PDT 1999


On Wed, Jul 14, 1999 at 02:27:49AM -0700, Mark Wells wrote:
> On Wed, 14 Jul 1999, Herbert Samuels wrote:
> 
> > Hi,
> > 
> > I've gotten freeside to work partially.
> > I'm using the Perl suid approach.
> > I get this error, however;
> > 
> > &FS::UID::checkruid failed at
> > /usr/local/fs-1.2.1/htdocs/edit/process/part_svc.cgi line 59 
> 
> I didn't know you could suid the CGI scripts.  As far as I know, suid only
> affects the effective uid, not the real uid.

By definition, yes.

>  There are probably many ways
> around this.  The perl documentation suggests this one:
> 
> $< = $>;            # set real to effective uid
> 
> ($< is the real uid, $> is the effective.  See 'man perlvar'.)

Yep.  See the swapuid subroutine of UID.pm.

> In theory, if the script is suid freeside, and it executes that statement,
> it will set its real uid to freeside and checkruid won't complain.

In practice, this is what happens.

> Whether this is safe is another issue.

Very true.  I was very careful to code Freeside securely, and Perl is a
_much_ better "elevated privileges" environment than C or shell.  There
have been no reports of security problems with Freeside to date.  However,
it is possible that I missed something.  Please let me know if you are
aware of any possible problems. 

>  There's obviously *some* good
> reason for checkruid to be in there in the first place.  Ivan would
> probably know.  I'm just saying that if you've properly secured your
> scripts, that statement would give you a way around checkruid.
>
> But then, if that's what you want, you can replace checkruid (in UID.pm)
> with this:

No.  Don't do this.  (or at least don't ask me for support after you
cause yourself headaches by doing so)

> sub checkruid
> {
>     return &checkeuid;
> }
> 
> Just make sure you're not creating security holes by doing this.  In
> particular, make sure that either your OS or your perl interpreter is
> suid-safe, and that your HTTP authentication is set up properly.

-- 
Ivan Kohler <ivan at sisd.com> - finger for PGP key - <moc.dsis at navi> Relhok Navi
Open-source billing and administration for ISPs - http://www.sisd.com/freeside
20 4,16 * * * saytime # please don't be surprised if you find me dreaming too
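
The real/effective uid distinction discussed in this thread, as an added example that is not part of the original messages and is not Freeside's FS::UID code. The guard names `ruid_ok` and `euid_ok` are hypothetical, and the account name `freeside` is taken from the thread as the default.

```perl
#!/usr/bin/perl
# Added illustration only; this is not the checkruid/checkeuid/swapuid code in UID.pm.
use strict;
use warnings;

# Hypothetical guards: each compares one uid of this process with the
# uid of the account the application is meant to run as.
sub ruid_ok { my ($want) = @_; return $< == $want }    # $< is the real uid
sub euid_ok { my ($want) = @_; return $> == $want }    # $> is the effective uid

sub report {
    my ($label, $want) = @_;
    printf "%-14s real=%d effective=%d ruid_ok=%s euid_ok=%s\n",
        $label, $<, $>,
        (ruid_ok($want) ? 'yes' : 'no'),
        (euid_ok($want) ? 'yes' : 'no');
}

my $account = shift(@ARGV) // 'freeside';    # assumption: account name
my $want    = getpwnam($account);            # scalar context returns the uid
die "no such account: $account\n" unless defined $want;

# When the script is executed setuid, only the effective uid changes, so a
# real-uid guard still sees the invoking user here and fails.
report('at startup', $want);

if ($< != $>) {
    # Record who invoked the script before that identity is overwritten;
    # afterwards the process cannot tell which user started it.
    my $caller = $<;

    $< = $>;    # set real to effective uid, as quoted from the perl documentation
    die "could not set real uid: $!\n" if $< != $>;

    printf STDERR "invoked by uid %d; real uid is now %d\n", $caller, $<;
    report('after switch', $want);
}
```

Run without setuid, the two ids are equal and the script prints a single line; the second report only appears when the real and effective uids differ at startup.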
