perl script set uid

PMP · 08-11-2009, 04:42 AM

I have a script that start the http deamon. This script has got owner and group as root and I have put a setuid on it.

That scripts executes from normal user fine. Now suddenly this script has stopped functioning.

I want to know:

1. The effective uid get propogated to other script called by this script.

2. Is there any way to stop this propogation, If yes how this can be done.

My distro is RHEL.

bhaslinux · 08-11-2009, 08:51 AM

AFAIK
Setuid is for binary programs. The #! in the scripts just tell the shell what program to use to run this script.
Now since you might have given something like #!/usr/bin/perl, what effectively gets translated is that shell
executes this as

/usr/bin/perl <program name>
so eventhough the program script is setuid, it will not get executed as per the setuid principle.
If this were a compiled self-executable, then the setuid will work.

so the answers are
1. the effect uid is the uid of the user who is running the script
2. ???

PMP · 08-11-2009, 09:23 AM

Well setuid in perl is possible.

mrdvt92 · 09-11-2011, 10:35 PM

Quote:

Well setuid in perl is possible.

This took me a while to figure this out too. But, on Fedora.

Code:

sudo yum install perl-suidperl

Then the script will launch /usr/bin/suidperl not /usr/bin/perl even when the shabang is still #!/usr/bin/perl.

Try this little script.

Code:

#!/usr/bin/perl
print "$> => $<\n";

I saved as suid.pl and then

Code:

sudo chown root suid.pl
sudo chmod u+sx suid.pl

Then run it!

Code:

$ ./suid.pl
0 => 500

ta0kira · 09-11-2011, 11:13 PM

Quote:

Originally Posted by mrdvt92

This took me a while to figure this out too. But, on Fedora.

Code:

sudo yum install perl-suidperl

Then the script will launch /usr/bin/suidperl not /usr/bin/perl even when the shabang is still #!/usr/bin/perl.

Try this little script.

Code:

#!/usr/bin/perl
print "$> => $<\n";

I saved as suid.pl and then

Code:

sudo chown root suid.pl
sudo chmod u+sx suid.pl

Then run it!

Code:

$ ./suid.pl
0 => 500

I'm assuming this requires perl to be suid-root, which sounds like a horrible idea. The only way you can suid a script is if the interpreter is suid (or it's otherwise run as root) and it supports such uid changes.
Kevin Barry

PS The only exception to "don't make an interpreter suid" might be a wrapper program (i.e. < 100 lines or so) that does the following:

Checks the ownership of the script.
Checks the suid flag of the script and the "nosuid"/"noexec" flags of the mount containing the script.
If suid execution is acceptable, set the real and effective uids to the owner of the script. Otherwise, set the effective uid to the real uid.
execve the actual interpreter, which isn't suid.

This, of course, means the script isn't actually suid; it just makes the wrapper change uids before executing the interpreter. The difference is that the interpreter isn't capable of changing to another uid unless it's running as root already. I'd make sure all of the above were true before installing any suid interpreter.

chrism01 · 09-12-2011, 09:00 PM

Given

Quote:

This script has got owner and group as root

it sees to me that setuid is redundant; its already root.
If you want to run it as root from another user, sudo would be safer.
As per ta0kira, try to minimise the number of setuid programs on the system.