[Techtalk] sh/perl/setuid
Laurel Fan
laurel at sdf.lonestar.org
Mon Jan 14 20:01:29 EST 2002
On Mon, Jan 14, 2002 at 06:23:16PM -0800, Nicole Zimmerman wrote:
> The perl script is the "shell" for a user that is going to be logging in
> to do these various useful things. The "shell" calls the setUID scripts
> when certain commands are entered (e.g. restartssh = "are you sure"
> confirm followed by system("sh $path_to_shell_script restart");).
I assume you're being very, very careful with those scripts, and that
no user you don't want to can get access to it, and that neither the
perl script or the shell scripts accept any input from the user
whatsoever.
Is that the actual system command you're using? In that case I don't
believe the setuid bit on $path_to_shell_script is paid attention to,
because the OS considers sh to be the executable, not
$path_to_shell_script.
There is another issue that bash sometimes silently drops root
privileges when it thinks it's running setuid.
Also, many systems, including Linux, do now allow setuid scripts.
The way to get around this is to write a really tiny setuid binary
that does 1 thing: executes the script (using the full path) with the
bare minimum environment necessary.
--
laurel at sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
More information about the Techtalk
mailing list