Re: SetUID shell/perl scripts.

From: Anton Berezin (
Date: 06/02/01

Date: Sat, 2 Jun 2001 03:36:28 +0200
From: Anton Berezin <>
To: "Dan Mahoney, System Admin" <>

On Fri, Jun 01, 2001 at 07:00:27PM -0400, Dan Mahoney, System Admin wrote:

> In articles dating as far back as 1997, I see people saying that
> FreeBSD doesn't support setuid shell scripts.

That's true.

> Does the system make an exception for apache? Because I'm able to run
> setuid root cgi scripts (and they're /usr/bin/perl, not
> /usr/bin/suidperl, although they still perform taint checking) (yes,
> I know, dangerous).

Upon startup, /usr/bin/perl notes that the script is setuid, and
launches /usr/bin/suidperl, if `setuid script emulation' was enabled
during the perl configuration process.

In FreeBSD, it is enabled and such scripts work.

Hence, more recent versions of FreeBSD set mode 0511 on
/usr/bin/suidperl by default (this is controlled with the
ENABLE_SUIDPERL /etc/make.conf knob).


$ sudo sh
# cat >
#! /usr/bin/perl
print "$> $<\n";
# chmod 4755
# chmod 511 /usr/bin/suidperl
# ^D
$ ./
Can't do setuid; ensure that the setuid bit is set on suidperl
$ sudo sh
# chmod 4511 /usr/bin/suidperl
# ^D
$ ./
0 1001

Hope this helps,

May the tuna salad be with you.
To Unsubscribe: send mail to
with "unsubscribe freebsd-security" in the body of the message
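
An audit sketch for the behaviour described in the message above, added here as an example and not part of the original post: it lists setuid "#!" scripts under a directory and, for perl scripts, reports whether the suidperl binary carries the setuid bit (mode 4511) or not (mode 0511). The function names are hypothetical; the default path /usr/bin/suidperl is the one named in the message.

```shell
#!/bin/sh
# Added example (not from the original message): find setuid "#!" scripts
# and report whether perl's setuid script emulation can take effect.

# is_setuid_script FILE: true if FILE is a regular file with the setuid
# bit set whose first two bytes are "#!".
is_setuid_script() {
    [ -f "$1" ] && [ -u "$1" ] || return 1
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# script_interpreter FILE: print the interpreter path from the "#!" line,
# tolerating blanks after "#!" and dropping any interpreter arguments.
script_interpreter() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# suidperl_state PATH: "enabled" if PATH has the setuid bit (e.g. 4511),
# "disabled" if it exists without it (e.g. 0511), "absent" if missing.
suidperl_state() {
    if [ ! -e "$1" ]; then echo absent
    elif [ -u "$1" ]; then echo enabled
    else echo disabled
    fi
}

# audit_dir DIR [SUIDPERL]: one line per setuid script found under DIR.
# SUIDPERL defaults to /usr/bin/suidperl (assumption: stock location).
audit_dir() {
    dir=$1
    sp=${2:-/usr/bin/suidperl}
    state=$(suidperl_state "$sp")
    find "$dir" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        is_setuid_script "$f" || continue
        interp=$(script_interpreter "$f")
        case $interp in
            */perl*) echo "$f: $interp (suidperl $state)" ;;
            *)       echo "$f: $interp" ;;
        esac
    done
}

# Run as: sh audit.sh /usr/local/www/cgi-bin   (directory is an example)
if [ $# -gt 0 ]; then audit_dir "$@"; fi
```

A perl script reported with "suidperl disabled" fails the way the first run in the session above does; "suidperl enabled" means it runs with the file owner's effective uid.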