Re: suid perl

Write a wrapper in C for your script. Compile that and make it setuid. Something like the following should do...

int main(int argc, char** argv)
{
    execv("/path/to/your/script", argv);
}
[download]

All the usual warnings about security apply twice as much for setuid programs. The webserver runs as nobody for a reason; use extreme caution when subverting it. Of course, you are familiar with the security issues, right? And you've read perlsec? And you have taint checking on? etc. etc. etc.

-sauoq
"My two cents aren't worth a dime.";

Comment on Re: suid perl Download Code

Replies are listed 'Best First'.
Re: Re: suid perl by devslashneil (Friar) on Jun 20, 2003 at 02:43 UTC
Hi, I finally got root access and was able to try running this program as different users, this allowed me to discover that the problem wasn't with the suid, it lay in the fact that i needed to set the shell to '/usr/bin/tcsh' for it to work. However after taking your advice and writing the wrapper, i received the following error: `# ./test Content-Type: text/html; charset=ISO-8859-1 Insecure $ENV{PATH} while running setuid at ./test.pl line 12.` [download] Line 12 of test.pl is: `open(LIST,"/usr/local/mailman/bin/list_members $listname\|") \|\| die "reason: $!";` Is this because i am passing an argument to the shell, can someone please point me in the right direction security wise on how i could fix this. Thanks in advance - Neil	[reply] [d/l] [select]
Re: Re: Re: suid perl by devslashneil (Friar) on Jun 20, 2003 at 02:47 UTC
I'm sorry, I just realised that the link you posted on perlsec, Address's this issue. Please disregard the last post.	[reply]