[Techtalk] sh/perl/setuid

Almut Behrens almut_behrens at yahoo.com
Tue Jan 15 06:34:03 EST 2002


On Mon, Jan 14, 2002 at 07:10:05PM -0800, Nicole Zimmerman wrote:
> <snip>
> 
> > The way to get around this is to write a really tiny setuid binary
> > that does 1 thing: executes the script (using the full path) with the
> > bare minimum environment necessary.
> 
> I was hoping to keep it simple ;o) Unfortunately simple is not always
> secure, correct, or the best way.

A trivial example of such a setuid wrapper (plus some discussion) can
be found in the perlsec manpage -- from your perl installation or here:

http://www.perldoc.com/perl5.6/pod/perlsec.html

Also, the following page has a nice and short description of the
typical security gotchas of setuid scripts:

http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html

Although the page is titled "How can I get setuid shell scripts to work?",
be warned that it principally doesn't work like this under Linux,
unless you tweak some parameters, which is not necessarily a good idea...

(sorry that this is not as detailed as my usual rants, but it's 5:30 am
over here, and even the most hardcore geek needs a couple of hours
sleep in between days -- luckily I don't have to start working at 7 am ;)

Cheers,
Almut
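
A sketch of the kind of wrapper described in the quoted text above, added here as an example; it is not part of the original message and not the perlsec code. REAL_SCRIPT is a placeholder path, and the ownership check and the one-entry environment are assumptions about what "bare minimum" means for a given script.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Placeholder path (assumption): the one script this wrapper may run. */
#define REAL_SCRIPT "/usr/local/libexec/example-script.pl"

/* The only environment the script sees; nothing is inherited from the caller. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Sanity check: root-owned regular file (not a symlink), not writable by
 * group or others. Assumes the directories above it are writable only by
 * root; otherwise the file could be swapped between this check and execve(). */
int script_is_safe(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode) || st.st_uid != 0)
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

int main(int argc, char *argv[])
{
    (void)argc;
    if (!script_is_safe(REAL_SCRIPT)) {
        fprintf(stderr, "refusing to run %s\n", REAL_SCRIPT);
        return 1;
    }
    umask(077);
    /* Full path and fixed environment; only the arguments are passed through. */
    execve(REAL_SCRIPT, argv, clean_env);
    perror("execve");   /* reached only if execve() failed */
    return 127;
}
```

The wrapper binary, not the script, carries the setuid bit; the script itself stays a plain executable file owned by root.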



