Determining if a script is running setuid

crashtest has asked for the wisdom of the Perl Monks concerning the following question:

Greetings, Monks.

As I start typing this, I realize I may be asking more of a UNIX question than a Perl question, but Perl is my tool of choice... so please bear with me.

I am experimenting with creating a setuid script. I've done this once successfully in the past. But if I create the script, set the appropriate permissions, then run it as a different user, my effective user id does not change.

The little test script looks like this:

owner> cat setuid_program
#!/usr/bin/perl -wT

use POSIX;

my $uid  = getuid()  or die "Failed to determine user id.";
my $euid = geteuid() or die "Failed to determine effective user id.";

print "UID = $uid, EUID = $euid.\n";
[download]

I set permissions as follows:

owner> chmod 04755 setuid_program
owner> ls -l setuid_program
-rwsr-xr-x 1 owner owner 202 2007-07-25 18:40 setuid_program
owner> id -u
20375
[download]

If I then log in as another user (call him guest) I do the following:

guest> id -u
20244
guest> ./setuid_program 
UID = 20244, EUID = 20244.
[download]

What I expected was UID = 20244, EUID = 20375. That is, I expected my effective user id to be the script's owner, not the user running the script.

At this point, I wonder if I am misinterpreting the results of geteuid, or if I am missing something fundamental with respect to how setuid scripts work. Is there a better way to do this test? Or is the test showing me the correct result, and the script is not in fact running setuid for some reason?

I'll admit that my knowledge has been passed down from google, which doesn't always guarantee comprehensive coverage of a topic, nor accuracy.

I am running this on a Solaris 8 machine.

Thanks in advance for any pointers or hints.

UPDATE: mr_mischief was right. The filesystem is mounted to specifically not allow setuid:

owner> mount -p
...
/the/device/ - /my/mountpoint nfs - no rw,soft,intr,nosuid,xattr
[download]

I had not known you could do that.

Thanks also to kyle; nice catch on my or die ... code there. I guess it's moot now, but I wouldn't have ever run as root anyway.

Comment on Determining if a script is running setuid Select or Download Code

Replies are listed 'Best First'.
Re: Determining if a script is running setuid by mr_mischief (Monsignor) on Jul 26, 2007 at 02:36 UTC
The first thing to check might be whether or not you can do setuid on a Perl program on your system. Not all operating systems support setuid on non-compiled programs (or "text binaries" as they're sometimes called -- anything with a shebang line). Not all installations of operating systems that do support them are configured to allow them. Second, check perlsec for its information on setuid things. Third, if you can see the mount options for your filesystems, check to see if the "nosuid" option is set where you're trying to use setuid.	[reply]
Re: Determining if a script is running setuid by kyle (Abbot) on Jul 26, 2007 at 04:07 UTC
I think mr_mischief's suggestions are good ones. I have a couple other notes. According to the POSIX documentation, `getuid` is the same as `$<` and `geteuid` is the same as `$>` (see perlvar). If you're running as root (uid 0), your failure tests are going to trigger even on success. `kyle@sulaco:~ $ perl -le 'use English;print "uid: $UID, euid: $EUID"' uid: 501, euid: 501 kyle@sulaco:~ $ sudo perl -le 'use English;print "uid: $UID, euid: $EU +ID"' Password: uid: 0, euid: 0` [download]	[reply] [d/l] [select]


Do you know where your variables are?
	PerlMonks