lacertus has asked for the wisdom of the Perl Monks concerning the following question:

Hello friends,

Just a "quickie" here, but the success of my current pet project hinges on it. I have been unable to really understand sufficiently how to make a script SUID for root. The program continually yells at me:
Insecure $ENV{PATH} while running setuid at ./au.pl line 15.

Line 15, though I know it isn't important, is a mere system call to clear the terminal screen. Anyway, your input is always valuable!

Thanks in advance,
Lacertus

Replies are listed 'Best First'.
Re: Running Perl Suid
by robartes (Priest) on Mar 14, 2003 at 08:07 UTC
    Your script is running setuid - its effective user ID (root) is different from its real user ID (you). When this happens, perl turns on 'taint checking'. One thing this does is complain loudly when you did not set your PATH explicitly in your script - this is the Insecure $ENV{PATH} while running setuid at ./au.pl line 15. message.

    To get rid of this message, you need to set your path explicitly in your script, and set it so that no directory in that path is writable by others than its owner and group. The easiest way to do this is to simply clear PATH ($ENV{'PATH'}='';) and call all external commands with their full path specified. A quick example:

    $ perl -Te 'system("/bin/echo", "Camels have fleas");'
    Insecure $ENV{PATH} while running with -T switch at -e line 1.
    $ perl -Te '$ENV{PATH}="";system("/bin/echo", "Camels have fleas");'
    Camels have fleas

    A couple of disclaimers with this code:
    • It's not SUID perl, but uses the same tainting mechanism through the -T switch
    • /bin/echo is not a good example (just a quick one) - as it is a shell built in, so just echo would have worked as well.

    For more information on this, see perlsec. This is required reading if you are going to be running Perl scripts SUID root.

    CU
    Robartes-

      Another way is to set $ENV{PATH} yourself to a known, fixed, secure value.

      In my case, I had to clear $ENV{BASH_ENV} to make it work. Clearly, your mileage may vary, depending on what shell your perl uses.

      perl -Te 'delete $ENV{BASH_ENV}; $ENV{PATH} = "/bin:/usr/bin"; system("clear");'
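
The two replies above (a fixed PATH with no directory writable by others, plus clearing shell start-up variables such as BASH_ENV) combined into one script preamble, as an added example that is not code from any poster in this thread. The directory list and the helper names vetted_path_dirs, sanitize_env and find_command are assumptions made for illustration; the delete list is the one perlsec recommends.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Assumed candidate directories; adjust for the target system.
my @CANDIDATES = ('/bin', '/usr/bin');

# Keep only absolute, existing directories that are not writable by
# anyone other than their owner and group.
sub vetted_path_dirs {
    my @ok;
    for my $dir (@_) {
        next unless $dir =~ m{^/};        # absolute paths only
        my @st = stat($dir) or next;      # skip directories that do not exist
        next unless -d _;                 # reuse the stat result from above
        next if $st[2] & 0002;            # world-writable: reject
        push @ok, $dir;
    }
    return @ok;
}

# Replace the inherited PATH and drop the variables that change how a
# shell starts up (the list given in perlsec).
sub sanitize_env {
    my @dirs = vetted_path_dirs(@_);
    die "no usable PATH directories\n" unless @dirs;
    $ENV{PATH} = join ':', @dirs;
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    return $ENV{PATH};
}

# Resolve a command name to a full path inside the vetted directories.
sub find_command {
    my ($name) = @_;
    for my $dir (split /:/, $ENV{PATH}) {
        my $full = "$dir/$name";
        return $full if -x $full && !-d $full;
    }
    return;
}

sanitize_env(@CANDIDATES);
my $clear = find_command('clear') or die "clear not found in $ENV{PATH}\n";

# Block form of system(): the program is executed directly, never via a shell.
my $rc = system { $clear } $clear;
warn "clear exited with status $?\n" if $rc != 0;
```

Because -T is on the #! line, run the file as an executable or with perl -T; otherwise perl refuses to start it.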
Re: Running Perl Suid
by CukiMnstr (Deacon) on Mar 14, 2003 at 07:54 UTC
    When a perl script runs setuid or setgid, taint checking is turned on. Check perlsec for an explanation.

    hope this helps,