[Techtalk] sh/perl/setuid
Almut Behrens
almut_behrens at yahoo.com
Tue Jan 15 06:34:03 EST 2002
On Mon, Jan 14, 2002 at 07:10:05PM -0800, Nicole Zimmerman wrote:
> <snip>
>
> > The way to get around this is to write a really tiny setuid binary
> > that does 1 thing: executes the script (using the full path) with the
> > bare minimum environment necessary.
>
> I was hoping to keep it simple ;o) Unfortunately simple is not always
> secure, correct, or the best way.

A trivial example of such a setuid wrapper (plus some discussion) can
be found in the perlsec manpage -- from your perl installation or here:
http://www.perldoc.com/perl5.6/pod/perlsec.html

Also, the following page has a nice and short description of the
typical security gotchas of setuid scripts:
http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html

Although the page is titled "How can I get setuid shell scripts to work?"
be warned that it principally doesn't work like this under Linux,
unless you tweak some parameters, which is not necessarily a good idea...

(Sorry that this is not as detailed as my usual rants, but it's 5:30 am
over here, and even the most hardcore geek needs a couple of hours'
sleep in between days -- luckily I don't have to start working at 7 am ;)

Cheers,
Almut
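
The wrapper described in the quoted text above, as an added example that is not part of the original message and is not the perlsec code: a small C program that execs one script by its full path, with a fixed PATH and only allow-listed variables taken from the caller. The script path, the allow-list (TZ, LANG) and the PATH value are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical script location (assumption); must be an absolute path. */
#define SCRIPT_PATH "/usr/local/libexec/example-task.pl"
#define ENV_MAX 8

/* Variables the script may inherit from the caller (assumed allow-list). */
static const char *const allowed[] = { "TZ", "LANG", NULL };

/* Returns 1 if entry is "NAME=value" for an allow-listed NAME. */
static int is_allowed(const char *entry) {
    for (size_t i = 0; allowed[i] != NULL; i++) {
        size_t n = strlen(allowed[i]);
        if (strncmp(entry, allowed[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Fills out[] with a fixed PATH plus allow-listed entries from in[].
   Returns the number of entries written; out[] is NULL-terminated. */
size_t build_env(char *const in[], char *out[], size_t cap) {
    size_t n = 0;
    if (cap == 0)
        return 0;
    if (cap > 1)
        out[n++] = "PATH=/usr/bin:/bin";      /* never the caller's PATH */
    for (size_t i = 0; in != NULL && in[i] != NULL && n + 1 < cap; i++)
        if (is_allowed(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

int main(int argc, char **argv, char **envp) {
    char *env[ENV_MAX];
    char *args[] = { SCRIPT_PATH, NULL };     /* caller's argv is dropped */
    (void)argc; (void)argv;
    build_env(envp, env, ENV_MAX);
    execve(SCRIPT_PATH, args, env);           /* full path, no PATH search */
    perror("execve");                         /* reached only on failure */
    return 1;
}
```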