evlg has asked for the wisdom of the Perl Monks concerning the following question:

Hello Perl Sages,

I am currently charged with the task of writing a wrapper for the Solaris pkgadd command. This command installs software packages, and must be run as root. We want to wrap this command to add some security checks (so that packages with suid programs couldn't be installed, and to disallow the use of installation scripts in the package.) Our wrapper would have to be run with sudo, so that it can spawn pkgadd to do the installation.

My first thought was to use Perl, of course, since it is quite natural to do the security checks on the packages with a collection of regular expressions. However, a member of my group says that it is possible to break out of the sudo'd perl script atfer it calls system() and end up with a root shell. That is obviously bad, and if we can't work around it to ensure that the perl script cannot be interrupted or otherwise hijacked into giving a root shell, I will have to find an alternate solution.

I can't see how that would happen, though. When system() is executed, a shell is only spawned if the command line has metacharacters in it. I know that the command line won't have any metacharacters in it, and thus the call will not spawn a shell; it will just fork+exec pkgadd. Thus, if pkgadd were somehow interrupted or sent a signal to exit, it would just die. There would be no shell to return to, and thus no root shell to give the user control of. Similarly, if perl were interrupted somehow, there is no root shell to go to. It just exits to the original shell, which is under the user's regular userid.

Is this a correct analysis? Or do we need to be concered that using system() from a sudo'd perl program can allow a user access to a root shell, or some other horrible situation?

  • Comment on Security concern with sudo and system()

Replies are listed 'Best First'.
Re: Security concern with sudo and system()
by John M. Dlugosz (Monsignor) on Sep 15, 2001 at 01:31 UTC
    You could look at the implementation of system() to make sure you know exactly when it will or won't create a shell. I'm on a different platform, so my memory of that won't help you.

    Furthermore, you can hide the shell so it can't run accidently! Perl uses an ENV variable to locate the shell; point it at an error instead, before the first such call.

    —John

[reply]

      No, Perl does not use an %ENV variable to figure out which shell to use for system. For Unix it is always /bin/sh (unless you changed that for some obscure reason when you built Perl).

      If you always use the multi-argument form of system, then a shell will never be invoked. Accomplishing this can be made easier by using IPC::Open2 and/or IPC::Open3 to do I/O redirection w/o using a shell.

              - tye (but my friends call me "Tye")
[reply]
        Well, other OS's don't have a /bin/sh, or a /bin/ for that matter. I thought the ENV variable was standard now, but looking at the source it seems that each platform has its own logic to find/use the shell.

        Under Win32, it's: 

        static void
get_shell(void)
{
    dTHXo;
    if (!w32_perlshell_tokens) {
    /* we don't use COMSPEC here for two reasons:
     *  1. the same reason perl on UNIX doesn't use SHELL--rampant and
     *     uncontrolled unportability of the ensuing scripts.
     *  2. PERL5SHELL could be set to a shell that may not be fit for
     *     interactive use (which is what most programs look in COMSPE
+C
     *     for).
     */
    const char* defaultshell = (IsWinNT()
                    ? "cmd.exe /x/c" : "command.com /c");
    const char *usershell = PerlEnv_getenv("PERL5SHELL");
    w32_perlshell_items = tokenize(usershell ? usershell : defaultshel
+l,
                       &w32_perlshell_tokens,
                       &w32_perlshell_vec);
    }
}

        [download]
        This could certainly work for all platforms. But a quick search indicates:
        • On vos it's not supported.
        • On vms, it calls lib$spawn, whatever that means (is $ a letter on that platform's C compiler, or a scope resolution of some kind?
        • on VM/ESA it calls /bin/sh -c.
        • On OS/2, this comment: "Consensus on perl5-porters is that it is _very_ important to have a shell which will not change between computers with the same architecture, to avoid "action on a distance". And to have simple build, this shell should be sh"

          However, it can be compiled to try looking at environment variables EMXSHELL, SHELL, COMSPEC in that order (or CMD.EXE if none of those are found), and applying the /C switch to whatever it finds; or using the contents of a variable called PL_sh_path and the -c switch. That variable is listed in a few non-OS-specific files, so it looks like this is what it is supposed to look at in all builds. That is, the configuration in embedvar or perlapi can configure the shell, without editing the deep guts.

          Hmm, in other places it looks like the variable PL_sh_path contains only the directory of the shell, not the name itself, in other uses. But this OS/2 support module treats it in the same way whether it uses CMD.EXE or the contents of PL_sh_path, so it expects to find a complete executable file name there. Is this a bug?

        • Epoc seems to use a C++ API to the OS, with a member function RProcess::Create doing the work.
        • In another place, PL_sh_path is traced back to a member of Interpreter which does indeed have a complete command name. So the use is inconsistant in different builds. In VOS, it is "/system/ported/command_library/bash.pm"
        So, it's a real mess. Besides different specific logic for each OS or variation, there are lots of wrapping macros and levels of indirection just to make things more confusing, and inconsistant use of common code.

        —John

[reply]
[d/l]
        On Windows, it will look for the contents of $ENV{PERL5SHELL} for a complete string (command name and switches) that it prepends to the string you are running.

        If that environment variable does not exist, it uses either "CMD.EXE /X/C" or "COMMAND.COM /C" depending one whether it's running NT or Win9x.

        Having different shells on Win9x vs NT can expose differences, since CMD with the /X switch does more than COMMAND.COM.

        I know Perl used to use $ENV{COMSPEC} because I relied on the capabilites of my shell (the one that invoked the perl script in the first place) and found it broke at some point. That's when I learned about PERL5SHELL. I seem to recall that there was also some "common" min-shell shipped with activestate Perl at some point, to prevent differences between 9x and NT.

        —John

[reply]

Back to Seekers of Perl Wisdom