changing uid/gid in suid cgi script

bless$self=>perlmonks; has asked for the wisdom of the Perl Monks concerning the following question:

Basically, what I'm trying to do, is write a script where people log in with their username/password, and the script changes it's level of priveleges to match those of the user logging in (same uid, gid, and groups). The script starts out suid root, and then drops priveleges.

I'm having problems understanding how the $UID, $GID, $EUID, and $EGID variables work. Here are some examples: If I assign the variables like this:

$UID = $new_uid;
$GID = $new_gid;
$EUID = $new_uid;
$EGID = "$new_gid $new_gid";
[download]

Then it appears as if my script is still in one of root's groups. My debugging output shows:

UID: '1001'
GID: '100 33'
EUID: '1001'
EGID: '100 33'
[download]

1001 and 100 are the user's uid and gid, so those are correct, but 33 is a group that root is in, but the user is not in. The script shouldn't be in that group anymore.

However, if I assign the variables in a different order, the results are not the same. Assigning like this:

($UID, $GID) = ($new_uid, $new_gid);
($EUID, $EGID) = ($new_uid, "$new_gid $new_gid");
[download]

results in what appears to be what I want:

UID: '1001'
GID: '100 100'
EUID: '1001'
EGID: '100 100'
[download]

I know that list variables inside a list assignment are assigned in parallel.... but why does the order affect the result? And should I be changing $UID and $GID, or just $EUID and $EGID?

Comment on changing uid/gid in suid cgi script Select or Download Code

Replies are listed 'Best First'.
Re: changing uid/gid in suid cgi script by Zaxo (Archbishop) on Sep 06, 2001 at 07:35 UTC
To manipulate *nix uid and gid, `use POSIX qw( geteuid getuid setuid getgid getegid setgid );` [download] See manpages POSIX.3 setuid.2 etc. Your question is posed as if you want to make a web interface for user accounts on the server. That is a dangerous prospect. Doing it suid root is likely to be a calamity. Many nixes will not run an interpreter script suid root. Can your project be done with https authentication instead? After Compline, Zaxo	[reply] [d/l]
Re: Re: changing uid/gid in suid cgi script by jj808 (Hermit) on Sep 06, 2001 at 11:51 UTC
> Many nixes will not run an interpreter script suid root. I had this problem with Compaq Tru64 UNIX, the fix I used was a small bit of C code (yes I know it isn't Perl :-) as follows: `#include <unistd.h> int main (int argc, char *argv[]) { execl("/path/to/yourscript.pl", "yourscript.pl", NULL); }` [download] Save this as 'wrapper.c' and compile it with `cc -o wrapper wrapper.c` [download] Set the permissions of 'wrapper' so it runs SUID root, then the EUID and EGID variables in your Perl script will be correctly set. As Zaxo said, this is dangerous, but if you really want to... (Code taken from the book 'Professional Apache' published by Wrox) Regards, JJ	[reply] [d/l] [select]
Re: changing uid/gid in suid cgi script by Anonymous Monk on Sep 06, 2001 at 07:12 UTC
Change groups before changing uid. Once you've dropped root permissions you're dropping the permission to modify your groups. `$GID = $new_gid; $EGID = "$new_gid $new_gid"; $UID = $new_uid; $EUID = $new_uid;` [download] should work.	[reply] [d/l]
Re: changing uid/gid in suid cgi script by ncw (Friar) on Sep 06, 2001 at 12:11 UTC
A note for anyone following along at home. The poster has left out the fact that the script has `use English;` [download] At the top. See perlvar for more info. Probably most perl programmers write the above snippet like this (with error checking too):- `$( = $) = $new_gid; die "Failed to changed groupid to $new_gid: $!" if $) != $new_gid \|\| $( != $new_gid; $< = $> = $new_uid; die "Failed to changed userid to $new_uid: $!" if $> != $new_uid \|\| $< != $new_uid;` [download] At least that is how I would write it not being a big fan of use English!	[reply] [d/l] [select]


Come for the quick hacks, stay for the epiphanies.
	PerlMonks