Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options
 
PerlMonks  

Re: How do I execute as root?

by Fastolfe (Vicar)
on Nov 14, 2000 at 01:00 UTC ( #41428=note: print w/ replies, xml ) Need Help??


in reply to How do I execute as root?

You should just be able to make the script setuid (chmod u+s) and owned by root. (The root user will have to do this.) Be sure your script runs file with taint-checking enabled. This will require some sanity checks against the $USER variable.


Comment on Re: How do I execute as root?
RE: Re: How do I execute as root?
by Kurious (Novice) on Nov 14, 2000 at 01:06 UTC
    Thank you for your quick reply. However, I'm new to Perl and Unix for that matter. Please elaborate or point me in the right direction for "taint-checking" and what type of sanity checking to do on the $USER variable.

    Just,
    Kurious

      Check out perlsec, which explains it all. Basically, since you'll be running this as root (with information that is supplied by the user), you need to be certain $USER doesn't contain any evil or harmful characters. If you let the user specify a username of, like, "../../bin", you'd be creating directories and things in very bad places. A simple sanity check should suffice:
      ($USER) = $cgi->param('user') =~ /(\w+)/;
      This would only permit normal alphanumeric characters into $USER, and un-taint it in the process. With taint-checking enabled (-T), Perl will die before letting you use arbitrary user-supplied (or potentially unsafe) information in any critical system calls (like chdir, unlink, open, etc.). Update: Other posts below advocate using a separate script to perform the actual updates as root, and I agree with them 100%. It's infinitely more secure if you keep the user from interacting directly with a setuid script at all. A buffer (in the form of semaphore files or a socket connection) is a better solution to your problem.

      The main perl documentation on taint checking is IIRC in perlrun {my $update = "d'oh ... no it isn't. Fastolfe's right ... but there is some info on -T in this page" }.

      Our own Ovid is currently writing a CGI scripting tutorial, which has some info on security. Try also searching on "taint mode" and "CGI security" and the like on this site to see the fossilized ... err, collected wisdom monks have offered so far.

      Happy coding!

      Philosophy can be made out of anything. Or less -- Jerry A. Fodor

RE: Re: How do I execute as root?
by le (Friar) on Nov 14, 2000 at 03:15 UTC
    On Unix systems (OK, I just can tell about FreeBSD and Linux) a script can't be setuid root.

    (Was there something concerning kernel security level...?)
      Works for me:
      (fastolfe) eddie:~$ ls -l test -rwsrwxr-x 1 root fastolfe 53 Nov 13 16:17 test (fastolfe) eddie:~$ ./test uid=500 euid=0 (fastolfe) eddie:~$ cat test #!/usr/bin/perl printf("uid=%d euid=%d\n", $<, $>); (fastolfe) eddie:~$ uname -a Linux eddie.intranet 2.2.16 #1 Thu Jun 8 17:46:12 CDT 2000 i586 unknow +n
      You may have to swap uid/euid as needed, though:
      ($<, $>) = ($>, $<);

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://41428]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others pondering the Monastery: (5)
As of 2014-12-27 14:05 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (177 votes), past polls