Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.uwa.edu.au!classic.iinet.com.au!swing.iinet.net.au!news.uoregon.edu!cuhknntp!hpg30a.csc.cuhk.hk!agate!spool.mu.edu!howland.reston.ans.net!Germany.EU.net!Dortmund.Germany.EU.net!interface-business.de!not-for-mail
From: j@interface-business.de (J Wunsch)
Newsgroups: comp.unix.bsd.bsdi.misc,comp.lang.perl.misc
Subject: Re: setuid perl scripts
Date: 10 Oct 1995 15:54:30 +0100
Organization: interface business GmbH, Dresden
Lines: 29
Message-ID: <45e1f6$2uv@ida.interface-business.de>
References: <fmontes-0510951946560001@200.4.12.6>
NNTP-Posting-Host: ida.interface-business.de
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:1127 comp.lang.perl.misc:4117

Felix Montes <fmontes@giga.com> wrote:

>they have spent online. I need to run it setuid to check for the password.
>Everything goes well until I execute:
>
>    open(WTMP,"/usr/bin/last -f /var/log/TAC/wtmp |");
>
>because then I get an
>
>    "insecure dependency in system while running setuid at \
>    /usr/ns-home/cgi-bindoit.pl line 42."

You don't even need a C wrapper. As you can see, Perl is clever
enough about scripts running setuid... :-) (Simply make your script
setuid. If all else fails, put a #!/usr/wherever/bin/suidperl on top.)

Piping the output of a command is prohibited in setuid Perl scripts
(since it implies a shell). The man page describes a way to work
around it (in the setuid section):

    open(WTMP, "-|") || exec "/usr/bin/last", "-f", "/var/log/TAC/wtmp";

This avoids the shell and is therefore considered secure.

-- 
J"org Wunsch                                       Unix support engineer
joerg_wunsch@interface-business.de   [private: http://www.sax.de/~joerg/]
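
The fork-open idiom from the reply above, written out as an added example that is not part of the original post. It assumes a Perl run with `-T`, and the helper name `read_command` is hypothetical. It goes one step beyond the one-liner by telling a failed fork (`undef`) apart from the child (`0`), so the parent never runs the `exec` itself.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original post. Run as: perl -T example.pl
use strict;
use warnings;
use POSIX ();

# Taint mode refuses to start a subprocess while these are inherited
# unchanged from the (untrusted) caller, so pin them first.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Run @cmd with no shell in between and return its output lines.
# Hypothetical helper; $cmd[0] is expected to be an absolute path.
sub read_command {
    my @cmd = @_;

    # "-|" forks implicitly: the child's STDOUT becomes the parent's $fh.
    my $pid = open(my $fh, '-|');
    die "fork failed: $!\n" unless defined $pid;   # undef: no child exists

    if ($pid == 0) {
        # Child. List-form exec passes argv straight to execvp(), so
        # spaces or metacharacters in arguments are never interpreted.
        exec { $cmd[0] } @cmd
            or print STDERR "exec $cmd[0] failed: $!\n";
        POSIX::_exit(127);   # never fall through into the parent's code path
    }

    # Parent. Read everything, then reap the child and check its status.
    my @lines = <$fh>;
    close($fh) or warn "$cmd[0] exited with status ", $? >> 8, "\n";
    return @lines;
}

# Command and file name exactly as given in the post.
my @out = read_command('/usr/bin/last', '-f', '/var/log/TAC/wtmp');
print "read ", scalar(@out), " line(s)\n";
print @out;
```

Any argument that comes from outside the script (a user name from a CGI parameter, for instance) is still tainted and has to be validated with a regex capture before it is passed to `read_command`.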