devslashneil has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks,

I recently wrote a script on a system for which I do not have root access.

I wrote the script as the "mailman" user. When I run the script in the console as this user it works fine. However, when it is run through my web browser it runs as the user "nobody" and is unable to produce the output needed.

I have tried chmod +s for this file.

I was just wondering how I would go about fixing this problem? I have read about perl-suid, is this relevant? Or is this simply an Apache config issue?

- Neil

20030618 Edit by Corion: Removed PRE tags

Re: suid perl
by sauoq (Abbot) on Jun 18, 2003 at 09:33 UTC

    Write a wrapper in C for your script. Compile that and make it setuid. Something like the following should do...

    #include <unistd.h>   /* execv() */
    int main(int argc, char** argv) { execv("/path/to/your/script", argv); return 1; /* only reached if execv fails */ }
    All the usual warnings about security apply twice as much for setuid programs. The webserver runs as nobody for a reason; use extreme caution when subverting it. Of course, you are familiar with the security issues, right? And you've read perlsec? And you have taint checking on? etc. etc. etc.

    -sauoq
    "My two cents aren't worth a dime.";
    
      Hi,

      I finally got root access and was able to try running this program as different users. This allowed me to discover that the problem wasn't with the suid; it lay in the fact that I needed to set the shell to '/usr/bin/tcsh' for it to work.

      However, after taking your advice and writing the wrapper, I received the following error:

      # ./test
      Content-Type: text/html; charset=ISO-8859-1
      Insecure $ENV{PATH} while running setuid at ./test.pl line 12.

      Line 12 of test.pl is:
      open(LIST,"/usr/local/mailman/bin/list_members $listname|") || die "reason: $!";
      Is this because I am passing an argument to the shell? Can someone please point me in the right direction, security-wise, on how I could fix this.

      Thanks in advance

      - Neil
        I'm sorry,
        I just realised that the link you posted on perlsec addresses this issue.
        Please disregard the last post.
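As an added example (not code from the thread or from Mailman), here is how the open() on Neil's line 12 can be written so that it runs under taint mode, following the perlsec advice sauoq referred to: fix up %ENV, untaint the list name against an allow-list pattern, and use the list form of open so no shell is involved. The list_members path, the list-name pattern and the query-string parsing are assumptions for the example.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): taint-mode version of the
# list_members call, following perlsec. Run with "perl -T".
use strict;
use warnings;

# perlsec: under -T every external command needs an explicit PATH, and the
# shell-influencing variables must go, or Perl dies with "Insecure $ENV{PATH}".
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumed location of the Mailman helper (adjust for the real install).
my $LIST_MEMBERS = '/usr/local/mailman/bin/list_members';

# Untaint the list name by capturing it from a strict allow-list regex.
# Anything that does not match is rejected instead of reaching a command.
sub untaint_listname {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9][A-Za-z0-9_.-]{0,63})\z/;
    return;
}

sub list_members {
    my ($listname) = @_;
    my $clean = untaint_listname($listname)
        or die "refusing to run list_members: bad list name\n";
    # List-form pipe open: Perl execs the program directly, so $clean is one
    # argv element and shell metacharacters in it have no meaning.
    open(my $fh, '-|', $LIST_MEMBERS, $clean)
        or die "cannot run $LIST_MEMBERS: $!\n";
    chomp(my @members = <$fh>);
    close($fh) or die "$LIST_MEMBERS exited with status ", $? >> 8, "\n";
    return @members;
}

# The value from the CGI query string stays tainted until
# untaint_listname() has accepted it (assumed parameter name "list").
my $qs = $ENV{QUERY_STRING} || '';
my ($listname) = $qs =~ /(?:^|&)list=([^&]*)/;
print "Content-Type: text/plain; charset=ISO-8859-1\n\n";
print "$_\n" for list_members($listname);
```

If the script is started via the setuid C wrapper from sauoq's reply, the wrapper should pass a fixed path and the Perl side still performs all of the checks above.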
Re: suid perl
by edoc (Chaplain) on Jun 18, 2003 at 03:26 UTC

    I think you'll need to provide a few more details if you want some answers to this, i.e. some code and maybe a description of what you are trying to do.

    I'm guessing that your script reads in mail files of some description which are owned/readable by "mailman" in which case you will need to give "nobody" read access to these files. Just remember that any script running as nobody will have access to these files also.

    Add some checks and error logging to your script wherever it accesses files and you'll probably find the problem.

    suid perl allows scripts to run as different users for each virtualhost as specified in the Apache config. I get the feeling it won't help your current situation.

    cheers,

    J

      Thanks for your reply.

      My code simply uses the /usr/local/mailuser/bin files that the mailuser program uses to add / remove / list email addresses from each mailing list.

      I don't think it would be wise to allow access to all these binary files to the "nobody" user for security reasons.

      Is there no way to make a perl script run as the "mailman" user when it is executed by the "nobody" user, in this case the webserver?

      - Neil
Re: suid perl
by daeve (Deacon) on Jun 18, 2003 at 03:56 UTC
    Try chown nobody your_file_name while logged in as "mailman". If that doesn't work you may need to get someone with root access to change the owner or group of the file so it will be executable by all or "nobody" at the very least.

    HTH
    Daeve

      My File (test.pl) is executable by nobody, the output in the console running as mailman is:

      bash-2.03$ ./test.pl
      Content-Type: text/html; charset=ISO-8859-1
      <CENTER>MEMBERS</CENTER><HTML><BODY>paul@webfirm.com.au <br> nbeddow@qantas.com.au <br> reception@computercorp.com.au
      etc.

      However from the web browser the output is:
      "MEMBERS"
      only.
      I don't see how making my file readable by nobody would help. Changing the binary files that my program utilizes to be readable by nobody, as suggested in the first reply, would work; however, I don't wish to do this for security reasons.

      This would be so much easier if I had root access on this machine.

      :(
      Neil
Re: suid perl
by naChoZ (Curate) on Jun 20, 2003 at 02:57 UTC
    It is also very important that mailman was set up correctly when it was installed. During the ./configure phase, the cgi gid must be specified and it should match the gid that the web server runs as, especially if it runs as something other than the defaults. (Some web servers run as apache for instance.)

    Here's a clip from the INSTALL file from mailman:

           --with-cgi-gid=<group-or-groups>
                Specify an alternative group for running
                scripts via the CGI wrapper.  <group-or-groups>
                can be a list of one or more integer group ids 
                or symbolic group names.  The first value in 
                the list that resolves to an existing group is 
                used.  By default, the value is the list 
                `www www-data nobody'.
    

    ~~
    naChoZ

      I know this is a little off the original topic of the post, but I've gotten past the security issue and am now trying to solve the real problem.

      When I run the file it produces the output:
      /usr/bin/env: No such file or directory

      I have been told this is a problem with the file i am trying to run not being in the path.
      The sysadmin of the box i'm working on told me to change the shell to tcsh to fix this problem.

      I inserted the following code into my program to do this:
      $ENV{'SHELL'} = '/usr/bin/tcsh';

      However, this didn't fix the problem. I was just wondering if I am going at this all wrong, and whether there is some other way to change the shell that Perl uses?

      Any help in this matter would be much appreciated, as I have been hacking away at it for a while now and still have had no luck.

      - Neil