First off, it's designed to be invoked with sudo, not a setuid helper. It's an exceedingly simple script, to allow a limited user to enter a chroot. I wrote it so I'd have an easier time using a 32-bit chroot for Wine.
Here it is, in all its glory:
Code:
#!/usr/bin/env perl
use strict;
use warnings;
my $target_uid = $ENV{'SUDO_UID'};
my $target_gid = $ENV{'SUDO_GID'};
my $dir = $ARGV[0];
chdir("$dir");
chroot("./");
$< = $> = $target_uid;
$( = $) = $target_gid;
chdir();
exec("/bin/bash");
My question: how much of a security hazard does this pose, in terms of local privilege escalation? How can I improve it? Error checking doesn't seem necessary for this, since things fail fatally on their own... But I would welcome any input.
Edit: apparently this is no good; a malicious user could forcibly load a Perl module to set the environment stuff. Boo.
Edit 2: Ended up implementing it in C. This time I took care to clear all the environment variables.
Edit 3: Also I could have used $< and $( in the original Perl, after wiping the environment. Why didn't I think of that...
Edit 4: Never mind the above, those vars don't work when using sudo.
