in reply to Re^3: why does perl-suid not mount
in thread why does perl-suid not mount

I'll look into that. Just for curiosity, what exactly is the advantage over suidperl?

I understand the race condition issue, but the shell forks and calls execve() just as the wrapper code does. So, if there is anyone who can write root owned files (resp. links to them), the attack should work with the wrapper as well. Besides that an attacker who can write root owned files, would probably do something simpler than exploiting this race condition.

Replies are listed 'Best First'.
Re^5: why does perl-suid not mount
by Corion (Patriarch) on Nov 10, 2010 at 13:48 UTC

    I think at least part of the problem is that the script is setuid, and there is/was a race condition in kernels when they execute a script and then launch the (non-setuid) interpreter for (what the kernel believes to be) that script, which in turn tries again to load the script. If you are/were careful to introduce a high CPU load and launched the whole conoction through a symlink, you could readdress the symlink to point somewhere of your choosing in the time between when the kernel launched the interpreter and when the interpreter read the script to process.

    Note that all my experience here is from hearsay - I've never looked into the real mechanics of various kernels.

[reply]

In Section Seekers of Perl Wisdom