Re: change process's effective uid

Ahh yes. Wise question Anonymous One. Perl is far beyond using function calls for this. Why use function calls when we have variables like $< and $> ?!?!

$< or $UID
"The real user ID of this process."

$>
$EUID
"The effective uid of this process"

Thus speaks the Holy Camel Book of Knowledge Light of the World.
so...

$< = $>   #set real to effective uid
($<,$>) = ($>,$<);   #swap real and effective uid
[download]

Obviously, these require you to be running setuid.Go and rejoice in your new learning.
---
crulx
crulx@iaxs.net

Comment on Re: change process's effective uid Download Code

Replies are listed 'Best First'.
Re: Re: change process's effective uid by sierrathedog04 (Hermit) on Feb 11, 2001 at 00:28 UTC
My related question is when it is ever safe to use suid to change the user id of an Apache Perl CGI script to a user with some administrative privileges. I want to use Lincoln Stein's user_manage Perl module to allow Apache users to remotely change their own passwords. Stein provides some different ways to do it. One way involves: Designate a directory that will hold the various password and group files, for example /etc/httpd/security. Make it owned and writable by a specially-designated "web administrator" account, for example "www". Now, running as root, change the ownership of user_manage to "www" and set its "s" bit: Is there any danger in doing so? My concern is that the user_manage documentation may be assuming that "everyone knows" not to engage in a particular coding practice when running suid, but I am still a beginner (<1 year Perl/Unix) and I don't know. I intend to use CGI.pm param() to parse the form variables after they are submitted, and I intend to avoid doing foolish things like my $form_variable = param("form_variable"); `form_variable`; [download] I also will prevent users from uploading form variables which contain values other than letters and numbers. Just to be safe, I may also ban words like 'eval' and 'system' from form variables along with parentheses and backticks.	[reply] [d/l]

Replies are listed 'Best First'.

Re: Re: change process's effective uid
by sierrathedog04 (Hermit) on Feb 11, 2001 at 00:28 UTC

I want to use Lincoln Stein's user_manage Perl module to allow Apache users to remotely change their own passwords. Stein provides some different ways to do it. One way involves:

Designate a directory that will hold the various password and group files, for example /etc/httpd/security. Make it owned and writable by a specially-designated "web administrator" account, for example "www". Now, running as root, change the ownership of user_manage to "www" and set its "s" bit:

my $form_variable = param("form_variable");
`form_variable`;
[download]

I also will prevent users from uploading form variables which contain values other than letters and numbers. Just to be safe, I may also ban words like 'eval' and 'system' from form variables along with parentheses and backticks.

[reply]
[d/l]