Beefy Boxes and Bandwidth Generously Provided by pair Networks
Problems? Is your data what you think it is?

Re^2: Changing effecive user id

by astroboy (Chaplain)
on Aug 27, 2009 at 04:51 UTC ( #791526=note: print w/replies, xml ) Need Help??

in reply to Re: Changing effecive user id
in thread Changing effecive user id

Thanks. Ok - I added perl-suid to the vendor (Redhat/CentOS) Perl and it now works. However, I still need to get it working with my hand-compiled Perl

According to perlsec:

In recent years, vendors have begun to supply systems free of this inherent security bug. On such systems, when the kernel passes the name of the set-id script to open to the interpreter, rather than using a pathname subject to meddling, it instead passes /dev/fd/3. This is a special file already opened on the script, so that there can be no race condition for evil scripts to exploit. On these systems, Perl should be compiled with -DSETUID_SCRIPTS_ARE_SECURE_NOW . The Configure program that builds Perl tries to figure this out for itself, so you should never have to specify this yourself.

So I'm guessing RHEL/CentOS 5.3 doesn't support this. But your reply got me wondering whether I should be adding suid perl to my build. The perl 5.10.0 INSTALL file doesn't mention it, other than it will be deprecated in favour of the SETUID_SCRIPTS_ARE_SECURE_NOW option that doesn't seem to be working for me. So it seems I should revert to suidperl. I couldn't see any instructions on how to do this in the INSTALL file. This didn't work for me:

make make suidperl make test make install

suidperl got created in the build directory, but the install didn't seem to do anything with it...


Replies are listed 'Best First'.
Re^3: Changing effecive user id
by astroboy (Chaplain) on Aug 27, 2009 at 05:44 UTC
    Ok, may way forward was to run Configure in interactive mode:
    Some kernels have a bug that prevents setuid #! scripts from being secure. Some sites have disabled setuid #! scripts because of this. First let's decide if your kernel supports secure setuid #! scripts. (If setuid #! scripts would be secure but have been disabled anyway, don't say that they are secure if asked.) If you are not sure if they are secure, I can check but I'll need a username and password different from the one you are using right now. If you don't have such a username or don't want me to test, simply enter 'none'. Other username to test security of setuid scripts with? [none] <my use +rname> "su" will (probably) prompt you for <my username>'s password. I don't think setuid scripts are secure. Does your kernel have *secure* setuid scripts? [n] Some systems have disabled setuid scripts, especially systems where setuid scripts cannot be secure. On systems where setuid scripts have been disabled, the setuid/setgid bits on scripts are currently useless. It is possible for perl5 to detect those bits and emulate setuid/setgid in a secure fashion. This emulation will only work if setuid scripts have been disabled in your kernel. Do you want to do setuid/setgid emulation? [n] y
    So are there any switches I can provide to Configure or make to avoid having to use interactive setup ('make -DENABLE_SUIDPERL"TRUE" install clean' didn't work for me)

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://791526]
and the monastery is silent...

How do I use this? | Other CB clients
Other Users?
Others taking refuge in the Monastery: (5)
As of 2017-07-21 18:22 GMT
Find Nodes?
    Voting Booth?
    I came, I saw, I ...

    Results (333 votes). Check out past polls.