in reply to Re: perl 5.16 setuid
in thread perl 5.16 setuid

There is a problem with this method. If the 'C' wrapper is used the script it points to must be secured with 750 or 755 and owned by root or the user it is switching to. Otherwise, you have a real problem with someone being able to write anything they want to the script since the SUID tamper security is only on the wrapper and not on the script. Also, make sure to still use the following header in the script so it will complain about unsafe code. And finally monitor all your scripts called from wrappers for changes with something like inotifywait/inotifywatch or other file monitoring tool.

#!/usr/bin/perl -T

Hope this helps someone.

Replies are listed 'Best First'.
Re^3: perl 5.16 setuid
by Anonymous Monk on May 01, 2018 at 12:02 UTC

    The world-writable checks (on every path directory as well as the file itself) are understood and a good security practice, certainly. But could you please elaborate on the inotify suggestion? How would one read the inotify events, and perform an execve() at the same time without any race conditions arising?

[reply]
[d/l]

In Section Seekers of Perl Wisdom