Re: Running Perl Suid

Your script is running setuid - it's effective user ID (root) is different from it's real user ID (you). When this happens, perl turns on 'taint checking'. One thing this does, is complain loudly when you did not set your PATH explicitely in your script - this is the Insecure $ENV{PATH} while running setuid at ./au.pl line 15. message.

To get rid of this message, you need to set your path explicitely in your script, and set it so that no directory in that path is writable by others than it's owner and group. The easiest way to do this is to simply clear PATH ($ENV{'PATH'}='';) and call all external commands with their full path specified. A quick example:

$ perl -Te 'system("/bin/echo", "Camels have fleas");'
Insecure $ENV{PATH} while running with -T switch at -e line 1.
$ perl -Te '$ENV{PATH}="";system("/bin/echo", "Camels have fleas");'
Camels have fleas
[download]

A couple of disclaimers with this code:

It's not SUID perl, but uses the same tainting mechanism throught the -T switch
/bin/echo is not a good example (just a quick one) - as it is a shell built in, so just echo would have worked as well.

For more information on this, see perlsec. This is required reading if you are going to be running Perl scrips SUID root.

CU
Robartes-

Comment on Re: Running Perl Suid Select or Download Code

Replies are listed 'Best First'.
Re: Re: Running Perl Suid by bart (Canon) on Mar 14, 2003 at 09:39 UTC
Another way is to set $ENV{PATH} yourself to a known, fixed, secure value. In my case, I had to clear $ENV{BASH_ENV} to make it work. Clearly, your milage may vary, depending on what shell your perl uses. `perl -Te 'delete $ENV{BASH_ENV}; $ENV{PATH} = "/bin:/usr/bin"; system( +"clear");'` [download]	[reply] [d/l]