Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.bhp.com.au!mel.dit.csiro.au!munnari.OZ.AU!news.ecn.uoknor.edu!paladin.american.edu!gatech!news.cse.psu.edu!uwm.edu!cs.utexas.edu!howland.reston.ans.net!blackbush.xlink.net!zib-berlin.de!news.tu-chemnitz.de!irz401!uriah.heep!news
From: j@uriah.heep.sax.de (J Wunsch)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Does setuid work???
Date: 1 May 1996 21:28:41 GMT
Organization: Private FreeBSD site, Dresden
Lines: 24
Message-ID: <4m8l29$air@uriah.heep.sax.de>
References: <4m3ekt$7ar@portal.gmu.edu> <4m587t$8h6@solaris.cc.vt.edu> <4m5t78$npb@pelican.unf.edu>
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
NNTP-Posting-Host: localhost.heep.sax.de
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Newsreader: knews 0.9.6

caddy@osprey.unf.edu (Cliff Addy) writes:

>Except that perl is *supposed* to notice the script is suid and invoke
>suidperl on its own. According to the perl references I have, you should
>never run suidperl directly. Of course, on freebsd you have to.

This brokenness arises out of some problem with Perl's revision
numbers. Perl wants to be over-eager in its security, and so it
doesn't simply rely on calling ``suidperl'' when it's detecting it is
about to run setuid. Instead, it wants to find ``sperl-4.036'' or
something like this. Alas, Perl's revision numbers have been left as
$RCSid$'s even in the release version, and FreeBSD maintenance of the
entire source tree in CVS (which is based on RCS) finally botches the
version numbers as perl sees them.

However, I've never really got why it's supposed to be dangerous to
call suidperl directly in a script that wants to be setuid.

--
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)