Re: SetUID shell/perl scripts.

From: Anton Berezin (tobez@tobez.org)
Date: 06/02/01


Date: Sat, 2 Jun 2001 03:36:28 +0200
From: Anton Berezin <tobez@tobez.org>
To: "Dan Mahoney, System Admin" <danm@prime.gushi.org>

On Fri, Jun 01, 2001 at 07:00:27PM -0400, Dan Mahoney, System Admin wrote:

> In articles dating as far back as 1997, I see people saying that
> freeBSD doesn't support setuid shell scripts.

That's true.

> Does the system make an exception for apache? Because I'm able to run
> setuid root cgi scripts (and they're /usr/bin/perl, not
> /usr/bin/suidperl, although they still perform taint checking) (yes,
> I know, dangerous).

Upon startup, /usr/bin/perl notes that the script is setuid, and
launches /usr/bin/suidperl, if `setuid script emulation' was enabled
during perl configuration process.

In FreeBSD, it is enabled and such scripts work.

Hence, more recent versions of FreeBSD set mode 0511 on
/usr/bin/suidperl by default (this is controlled with ENABLE_SUIDPERL
/etc/make.conf knob).

Consider:

$ sudo sh
# cat >toobad.pl
#! /usr/bin/perl
print "$> $<\n";
^D
# chmod 4755 toobad.pl
# chmod 511 /usr/bin/suidperl
# ^D
$ ./toobad.pl
Can't do setuid; ensure that the setuid bit is set on suidperl
$ sudo sh
# chmod 4511 /usr/bin/suidperl
# ^D
$ ./toobad.pl
0 1001

Hope this helps,
Cheers,
%Anton.

-- 
May the tuna salad be with you.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


Relevant Pages

  • Re: Idea for FreeBSD
    ... I started in FreeBSD and it will ... Even solaris still relies on rc scripts to exist. ... I think a drop-in command like "rcadm" (someone mentioned this as an idea, ...
    (freebsd-hackers)
  • Re: Items missing from the handbook and/or FAQs.
    ... > configuration is handled through ifconfig would have saved me some time. ... > would also have saved me reading through the rc scripts. ... > During setup you can create filesystems other than FreeBSD, ... > their own gdm startup scripts doesn't make much sense. ...
    (freebsd-questions)
  • Re: CGI security on a shared web server (fwd)
    ... >> support setuid scripts ... I don't see why someone would suEXEC setuid perl scripts. ...
    (SecProg)
  • Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio
    ... FreeBSD distributed, and patched, and whatever so this is already ... patches that tweak the ports when they install, ... > particular setuid binary, you should remove the setuid bit. ... Here's what I worry about. ...
    (FreeBSD-Security)
  • Re: Suggestion: rename "killall" to "fkill", but wait five years to phase the new name in
    ... The only scripts I can think of are scripts ... killall is used for instance, ... Having a command that do the same thing what shutdownshould do doesn't seem to be the Unix way to do things. ... Mac OS X have the same killall as FreeBSD have. ...
    (freebsd-hackers)