*BSD News Article 72790


Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.wildstar.net!news.sdsmt.edu!news.mid.net!mr.net!sgigate.sgi.com!news1.best.com!svc.portal.com!shell.portal.com!shell.portal.com!not-for-mail
From: pierre@shell.portal.com (Pierre Uszynski)
Newsgroups: comp.lang.perl.misc,comp.unix.bsd.freebsd.misc,comp.unix.bsd.bsdi.misc
Subject: suid perl4 script problem and solution
Date: 3 Jul 1996 23:10:04 -0700
Organization: Portal Communications (shell)
Lines: 72
Message-ID: <4rfn7s$qom@jobe.shell.portal.com>
NNTP-Posting-Host: jobe.shell.portal.com
Keywords: taint, bsdi, freebsd, setuid
Xref: euryale.cc.adfa.oz.au comp.lang.perl.misc:31157 comp.unix.bsd.freebsd.misc:22785 comp.unix.bsd.bsdi.misc:4226


* * * Problem symptoms

on BSDI 2.1 which, unfortunately, one of my customers uses (and maybe
on some other Perl ports, maybe not limited to BSDI... such as FreeBSD)

"Suid Perl4 scripts" (actually here called from their C wrapper) die
quickly with an error message:

"Can't run setuid script with taint checks"

* * * The reason and the fix

Perl subcontracts a number of checks (and the execution I believe) of
wrapped suid scripts to 'taintperl' (sometimes called tperl), and does
not let you run suid if it cannot do that. But for that it must be able
to find taintperl in the first place.

'strings perl' shows:

%s/tperl%s
Can't run setuid script with taint checks

Normally Perl looks for something like tperl4.036 but what you need in
this case is:

tperl(nu36

Yes, I'm not kidding,  tperl(nu36 !

* * * How did that happen?

What happens is that someone took the initiative, without regard for
the consequences, to completely mess up the RCS version control string
so it becomes something like:

perl.c,v1.21993/12/22 17:08:26

whereas it is normally of the form:

$RCSfile: perl.c,v $$Revision: 4.0.1.8 $$Date: 1993/02/05 19:39:30 $

If you look through a correct version of the source code, module perl.c
(not that big), you find the version part of the taintperl program name
is built out of the RCSid more or less as:

sprintf(variable, "%3.3s%2.2d", index(rcsid,'4'), patchlevel)

index should return a pointer to a string starting in '4.0...', and
patchlevel is '36'.  Resulting in a file name version of '4.036'.
Fair enough.

Instead, index cannot find a '4' in the new, improved RCSid. It returns
a null pointer.  Sprintf turns this null pointer into a string
'(null)', then uses the first 3 characters of the string: '(nu36'.

So simply copy taintperl as tperl(nu36 and at least you'll be back
in business. Or if that doesn't work, check the various telltales I
mention and/or write up a small C test to find out what comes out of
such an sprintf on your machine. If you don't have root access, you can
always try copying perl and tperl(nu36 :-) locally, somewhere in your
search path, and it may still work.

Please let me know if you have the same problem on other platforms than
BSDI 2.1, Thanks.  (Apparently there is a similar botch in FreeBSD, see
news message 4m8l29$air@uriah.heep.sax.de)

Thank you BSDI for a delightful afternoon :-( And I hope this helps
a few of you who were having the same problem recently.
Pierre.
pierre@shell.portal.com
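
The small C test suggested in the post, as an added example that is not part of the original message or of Perl's source: it rebuilds the version suffix from the two RCS id strings quoted above and adds a checked variant that refuses to build a name when no '4' is found. The function names and the explicit "(null)" substitution are assumptions made here; passing a null pointer to %s is undefined in C, so the output the post saw is emulated rather than left to the local libc.

```c
#include <stdio.h>
#include <string.h>

/* RCS id strings as quoted in the post. */
static const char RCSID_GOOD[] =
    "$RCSfile: perl.c,v $$Revision: 4.0.1.8 $$Date: 1993/02/05 19:39:30 $";
static const char RCSID_MANGLED[] = "perl.c,v1.21993/12/22 17:08:26";

/*
 * Suffix built as the post describes: "%3.3s%2.2d" over the text starting
 * at the first '4'. Passing NULL to %s is undefined behaviour in C, so the
 * "(null)" string the post observed is substituted explicitly here
 * (an emulation, not a property of every libc).
 */
static const char *legacy_suffix(const char *rcsid, int patchlevel)
{
    static char buf[16];
    const char *v = strchr(rcsid, '4');      /* strchr() is the old index() */
    snprintf(buf, sizeof buf, "%3.3s%2.2d", v ? v : "(null)", patchlevel);
    return buf;
}

/* Checked variant (hypothetical): return NULL instead of a bogus name. */
static const char *checked_suffix(const char *rcsid, int patchlevel)
{
    static char buf[16];
    const char *v = strchr(rcsid, '4');
    if (v == NULL || strlen(v) < 3 || patchlevel < 0 || patchlevel > 99)
        return NULL;
    snprintf(buf, sizeof buf, "%3.3s%2.2d", v, patchlevel);
    return buf;
}

int main(void)
{
    const char *ok;
    printf("good id, legacy:     tperl%s\n", legacy_suffix(RCSID_GOOD, 36));
    printf("mangled id, legacy:  tperl%s\n", legacy_suffix(RCSID_MANGLED, 36));
    ok = checked_suffix(RCSID_MANGLED, 36);
    printf("mangled id, checked: %s\n", ok ? ok : "refused (no version found)");
    return 0;
}
```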