Re: SetUID shell/perl scripts.

From: Anton Berezin (tobez@tobez.org)
Date: 06/02/01


Date: Sat, 2 Jun 2001 03:36:28 +0200
From: Anton Berezin <tobez@tobez.org>
To: "Dan Mahoney, System Admin" <danm@prime.gushi.org>

On Fri, Jun 01, 2001 at 07:00:27PM -0400, Dan Mahoney, System Admin wrote:

> In articles dating as far back as 1997, I see people saying that
> freeBSD doesn't support setuid shell scripts.

That's true.

> Does the system make an exception for apache? Because I'm able to run
> setuid root cgi scripts (and they're /usr/bin/perl, not
> /usr/bin/suidperl, although they still perform taint checking) (yes,
> I know, dangerous).

Upon startup, /usr/bin/perl notes that the script is setuid, and
launches /usr/bin/suidperl, if `setuid script emulation' was enabled
during perl configuration process.

In FreeBSD, it is enabled and such scripts work.

Hence, more recent versions of FreeBSD set mode 0511 on
/usr/bin/suidperl by default (this is controlled with ENABLE_SUIDPERL
/etc/make.conf knob).

Consider:

$ sudo sh
# cat >toobad.pl
#! /usr/bin/perl
print "$> $<\n";
^D
# chmod 4755 toobad.pl
# chmod 511 /usr/bin/suidperl
# ^D
$ ./toobad.pl
Can't do setuid; ensure that the setuid bit is set on suidperl
$ sudo sh
# chmod 4511 /usr/bin/suidperl
# ^D
$ ./toobad.pl
0 1001

Hope this helps,
Cheers,
%Anton.

-- 
May the tuna salad be with you.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message