cmac has asked for the wisdom of the Perl Monks concerning the following question:

Operation of our web site needs a control panel provided by our hosting provider, which uses suidperl to authenticate and log us in.

I just carefully built a perl5.8.9 from source, to be "just like" the perl5.8.7 that the hosting provider provided with the site, under which the control panel operates correctly.

Did a perl5.8.7 -V:config_args and used the same Configure arguments to build 5.8.9, plus added an "extra lib" or two to make the @INC of the resultant 5.8.9 include all of the directories that perl5.8.7 has. Except of course that for 5.8.9, the 5.8.7 directories are lower in the search order than they were for 5.8.7.

Said arguments include -Dd_dosuid=define, which made the Configure query "Do you want to do setuid/setgid emulation?" get answered "yes".

Unfortunately the resulting 5.8.9 cannot run the control panel. Trying to use it from a web browser leads to the following message in the error_log:
suidperl needs (suid) fd script

If I change the bang lines of all the .cgi files in the control panel from "perl" to "perl5.8.7", the control panel becomes usable again. This is true even though the "suidperl" now in /usr/local/bin is one that has the same size and mod date as 5.8.9!

If I put a "print STDERR" right at the start of the index.cgi script, the error occurs without the print output appearing in error_log.

Googling the above error message yields several questions that people have asked in various forums over the years, with few to none being answered. So it seems this is a hard problem. Any help as to how to attack the problem or where to look for information bearing on it would be much appreciated, O great monks...

Thanks,
cmac
www.animalhead.com

Replies are listed 'Best First'.
Re: suidperl doesn't work in newly built perl
by almut (Canon) on Dec 21, 2008 at 02:58 UTC

    I think you should also have the suid helper program sperl5.8.9 (which will be called by perl) with the s-bit on (i.e. permissions -rwsr-xr-x, owner root). — What system is this, btw? Linux?

    (Also see the paragraph suidperl less insecure in perl584delta.)

[reply]
[d/l]
[select]
      I'm on FreeBSD 6.3-RELEASE #2

      In /usr/local/bin:
      -rws--x--x  1 root  wheel  949226 Nov 14  2005 sperl5.8.7
-rws--x--x  1 root  wheel  951625 Dec 19 23:07 sperl5.8.9
-rwxr-xr-x  3 root  wheel  951373 Dec 19 23:07 suidperl

      [download]
      Since the permissions are the same for both the sperl5.8.7 and 5.8.9, should the lack of 044 (r's for group and others) be a concern?

      To jagh: my IHP set up their control panel to use suidperl. If it works in the 5.8.7 that the IHP built, its being deprecated doesn't have much bearing on my problem. To my reading, the perldelta page you cite includes both negative and positive things about suidperl, possibly written by different people.

      Hoping for more words from you folks and perhaps others,
      cmac
[reply]
[d/l]
Re: suidperl doesn't work in newly built perl
by jagh (Monk) on Dec 21, 2008 at 04:52 UTC

    I believe suidperl has been deprecated since 5.8.0, unless someone fixed it. See 5.8.0's perldelta.

[reply]
Re: suidperl doesn't work in newly built perl
by cmac (Monk) on Dec 22, 2008 at 05:54 UTC
    Found and fixed:
    in perl.c in release 5.8.9, line 3727 is        if (*suidscript) {
                                      should be if (*suidscript != 1) 
+{

    [download]
    cmac
    www.animalhead.com
[reply]
[d/l]

      Perlmonks is not the place for reporting bugs in Perl. Please see the Perldoc site for the proper answer. Please use the methods listed there for reporting bugs, and explain why that change is needed.

[reply]
        Perlmonks is a place where people should ask questions. Usually when asking a question you don't expect it to be a bug in Perl. Or if it is you expect someone else to have found it already and there to be a workaround. Therefore it is perfectly appropriate to ask on Perlmonks about things that might be bugs in Perl.

        Now new bugs obviously should be reported through the proper channels. But you should encourage people to do that in addition to having asked the appropriate question here rather than telling them to do it instead of posting here.

[reply]
        Yes I reported the problem, bug and fix via perlbug, before sending the news to perlmonks. It seemed appropriate to close out the thread by reporting it here too. The problem will hit anyone who tries to use 5.8.9 for SUID operation.

        The problem was described by my previous messages in the thread...
[reply]

Back to Seekers of Perl Wisdom