Re: SetUID shell/perl scripts.
From: Anton Berezin (tobez@tobez.org)
Date: 06/02/01
- Next message: Dominic Parry: "Netscape"
- Previous message: Dan Mahoney, System Admin: "SetUID shell/perl scripts."
- In reply to: Dan Mahoney, System Admin: "SetUID shell/perl scripts."
Date: Sat, 2 Jun 2001 03:36:28 +0200
From: Anton Berezin <tobez@tobez.org>
To: "Dan Mahoney, System Admin" <danm@prime.gushi.org>
On Fri, Jun 01, 2001 at 07:00:27PM -0400, Dan Mahoney, System Admin wrote:
> In articles dating as far back as 1997, I see people saying that
> freeBSD doesn't support setuid shell scripts.
That's true.
> Does the system make an exception for apache? Because I'm able to run
> setuid root cgi scripts (and they're /usr/bin/perl, not
> /usr/bin/suidperl, although they still perform taint checking) (yes,
> I know, dangerous).
Upon startup, /usr/bin/perl notes that the script is setuid and
launches /usr/bin/suidperl, if `setuid script emulation' was enabled
during the perl configuration process.
In FreeBSD, it is enabled and such scripts work.
Hence, more recent versions of FreeBSD set mode 0511 on
/usr/bin/suidperl by default (this is controlled with the ENABLE_SUIDPERL
knob in /etc/make.conf).
Consider:
$ sudo sh
# cat >toobad.pl
#! /usr/bin/perl
print "$> $<\n";
^D
# chmod 4755 toobad.pl
# chmod 511 /usr/bin/suidperl
# ^D
$ ./toobad.pl
Can't do setuid; ensure that the setuid bit is set on suidperl
$ sudo sh
# chmod 4511 /usr/bin/suidperl
# ^D
$ ./toobad.pl
0 1001
Hope this helps,
Cheers,
%Anton.
--
May the tuna salad be with you.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
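As an added audit example (not code from Anton's message or from FreeBSD itself): a small POSIX sh helper that finds setuid/setgid files under a directory which are interpreter scripts (start with "#!"), the exact case discussed above, and reports the interpreter each one would exec, so an admin can then check whether that helper (suidperl here) is itself setuid. The sample tree it scans is constructed in a temporary directory.

```sh
#!/bin/sh
# Added example: audit a directory tree for setuid/setgid interpreter
# scripts. On FreeBSD such a script only works when perl hands off to a
# setuid /usr/bin/suidperl, so every hit is worth a second look.

find_setuid_scripts() {
    # $1 = directory to scan; prints "<mode> <path> <interpreter>" per hit
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # a leading "#!" means the kernel will exec an interpreter for it
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            interp=$(head -n 1 "$f" | cut -c3- | awk '{print $1}')
            mode=$(ls -ld "$f" | cut -c1-10)      # symbolic mode, portable
            printf '%s %s %s\n' "$mode" "$f" "$interp"
        fi
    done
}

count_setuid_scripts() {
    find_setuid_scripts "$1" | wc -l | tr -d ' '
}

is_setuid_file() {
    # returns 0 if the given path exists and carries the setuid bit
    [ -u "$1" ]
}

make_sample_tree() {
    # constructed sample data; nothing outside the temp dir is touched
    d=$(mktemp -d)
    printf '#!/usr/bin/perl\nprint "$> $<\\n";\n' > "$d/toobad.pl"
    chmod 4755 "$d/toobad.pl"                 # setuid perl script: flagged
    printf '#!/bin/sh\necho hi\n' > "$d/plain.sh"
    chmod 755 "$d/plain.sh"                   # not setuid: ignored
    printf 'not a script\n' > "$d/binlike"
    chmod 4755 "$d/binlike"                   # setuid, no shebang: ignored
    printf '%s' "$d"
}
```

Run it as `d=$(make_sample_tree); find_setuid_scripts "$d"` and then test the reported interpreter with `is_setuid_file /usr/bin/suidperl` on a FreeBSD host.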