*BSD News Article 67436


Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.bhp.com.au!mel.dit.csiro.au!munnari.OZ.AU!news.ecn.uoknor.edu!paladin.american.edu!gatech!news.cse.psu.edu!uwm.edu!cs.utexas.edu!howland.reston.ans.net!blackbush.xlink.net!zib-berlin.de!news.tu-chemnitz.de!irz401!uriah.heep!news
From: j@uriah.heep.sax.de (J Wunsch)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Does setuid work???
Date: 1 May 1996 21:28:41 GMT
Organization: Private FreeBSD site, Dresden
Lines: 24
Message-ID: <4m8l29$air@uriah.heep.sax.de>
References: <4m3ekt$7ar@portal.gmu.edu> <4m587t$8h6@solaris.cc.vt.edu>
  <4m5t78$npb@pelican.unf.edu>
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
NNTP-Posting-Host: localhost.heep.sax.de
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Newsreader: knews 0.9.6

caddy@osprey.unf.edu (Cliff Addy) writes:

>Except that perl is *supposed* to notice the script is suid and invoke 
>suidperl on its own. According to the perl references I have, you should
>never run suidperl directly.  Of course, on freebsd you have to.

This brokenness arises out of some problem with Perl's revision
numbers.  Perl wants to be over-eager in its security, and so it
doesn't simply rely on calling ``suidperl'' when it's detecting it is
about to run setuid.  Instead, it wants to find ``sperl-4.036'' or
something like this.  Alas, Perl's revision numbers have been left as
$RCSid$'s even in the release version, and FreeBSD maintenance of the
entire source tree in CVS (which is based on RCS) finally botches the
version numbers as perl sees them.

However, I've never really got why it's supposed to be dangerous to
call suidperl directly in a script that wants to be setuid.

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)