Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!nntp.coast.net!sgigate.sgi.com!spool.mu.edu!howland.reston.ans.net!Germany.EU.net!Dortmund.Germany.EU.net!interface-business.de!usenet
From: j@ida.interface-business.de (J Wunsch)
Newsgroups: comp.lang.perl.misc,comp.unix.bsd.freebsd.misc,comp.unix.bsd.bsdi.misc
Subject: Re: suid perl4 script problem and solution
Date: 4 Jul 1996 11:29:42 GMT
Organization: interface business GmbH, Dresden
Lines: 41
Message-ID: <4rg9v6$gaa@innocence.interface-business.de>
References: <4rfn7s$qom@jobe.shell.portal.com>
Reply-To: joerg_wunsch@interface-business.de (Joerg Wunsch)
NNTP-Posting-Host: ida.interface-business.de
X-Newsreader: knews 0.9.6
X-Phone: +49-351-31809-14
X-Fax: +49-351-3361187
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E
Xref: euryale.cc.adfa.oz.au comp.lang.perl.misc:31179 comp.unix.bsd.freebsd.misc:22812 comp.unix.bsd.bsdi.misc:4232

pierre@shell.portal.com (Pierre Uszynski) wrote:

> 'strings perl' shows:
>
> %s/tperl%s
> Can't run setuid script with taint checks
>
> Normally Perl looks for something like tperl4.036 but what you need in
> this case is:
>
> tperl(nu36
>
> Yes, I'm not kidding, tperl(nu36 !
>
> * * * How did that happen?
>
> What happens is that someone took the initiative, without regard for
> the consequences, to completely mess up the RCS version control string
> so it becomes something like:
>
> perl.c,v1.21993/12/22 17:08:26
>
> whereas it is normally of the form:
>
> $RCSfile: perl.c,v $$Revision: 4.0.1.8 $$Date: 1993/02/05 19:39:30 $

That's what the Perl authors get from abusing RCS id strings for this
purpose. The RCS ids get mucked with on each CVS checkout, and since
BSDi (and FreeBSD, for that matter) maintain the Perl code locally in
CVS, these strings get damaged. For BSD/OS, it looks like it was the
result of a ``cvs export'' operation, where even the $'s are being
stripped.

FreeBSD's workaround was to no longer use the original RCS magic
strings, but hardcode the actual version and patchlevel to 4 and 36.

-- 
J"org Wunsch                                    Unix support engineer
joerg_wunsch@interface-business.de    http://www.interface-business.de/~j
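
The failure discussed in this thread, as an added example that is not part of either post and is not taken from the Perl sources. It assumes the version tag is derived by taking three characters from the first '4' in the RCS id and appending the patchlevel, which is consistent with the strings quoted above; the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PATCHLEVEL 36 /* patchlevel named in the post */

/* The two RCS strings quoted in the post. */
static const char INTACT[] =
    "$RCSfile: perl.c,v $$Revision: 4.0.1.8 $$Date: 1993/02/05 19:39:30 $";
static const char DAMAGED[] = "perl.c,v1.21993/12/22 17:08:26";

/* Fragile (assumed scheme): version = 3 chars from the first '4' in the id. */
static void tag_from_rcsid(const char *rcsid, char *out, size_t n)
{
    const char *p = strchr(rcsid, '4');
    /* NULL passed to %s is undefined behaviour; many libcs print "(null)".
     * That text is spelled out here so the result is deterministic. */
    snprintf(out, n, "%3.3s%2.2d", p ? p : "(null)", PATCHLEVEL);
}

/* Workaround from the reply: hardcode 4 and 36, no RCS keyword involved. */
static void tag_hardcoded(char *out, size_t n)
{
    snprintf(out, n, "%d.0%2.2d", 4, PATCHLEVEL);
}

/* Check before building a helper path: digit, '.', then digits only. */
static int tag_is_sane(const char *t)
{
    if (!isdigit((unsigned char)t[0]) || t[1] != '.' || t[2] == '\0')
        return 0;
    for (t += 2; *t; t++)
        if (!isdigit((unsigned char)*t))
            return 0;
    return 1;
}

int main(void)
{
    char tag[16];
    tag_from_rcsid(INTACT, tag, sizeof tag);
    printf("intact:    tperl%s sane=%d\n", tag, tag_is_sane(tag));
    tag_from_rcsid(DAMAGED, tag, sizeof tag);
    printf("damaged:   tperl%s sane=%d\n", tag, tag_is_sane(tag));
    tag_hardcoded(tag, sizeof tag);
    printf("hardcoded: tperl%s sane=%d\n", tag, tag_is_sane(tag));
    return 0;
}
```

A build-time check like tag_is_sane() would have caught the damaged keyword before a setuid binary shipped looking for a helper that does not exist.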