From owner-freebsd-hackers Mon Feb 24 15:25:54 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id PAA28215 for hackers-outgoing; Mon, 24 Feb 1997 15:25:54 -0800 (PST) Received: from sax.sax.de (sax.sax.de [193.175.26.33]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id PAA28192 for ; Mon, 24 Feb 1997 15:25:41 -0800 (PST) Received: (from uucp@localhost) by sax.sax.de (8.6.12/8.6.12-s1) with UUCP id AAA05960 for hackers@freebsd.org; Tue, 25 Feb 1997 00:25:33 +0100 Received: (from j@localhost) by uriah.heep.sax.de (8.8.5/8.8.5) id WAA01433; Mon, 24 Feb 1997 22:55:08 +0100 (MET) Message-ID: Date: Mon, 24 Feb 1997 22:55:08 +0100 From: j@uriah.heep.sax.de (J Wunsch) To: hackers@freebsd.org Subject: Re: disallow setuid root shells? References: <199702240549.VAA01306@lightside.com> X-Mailer: Mutt 0.55-PL10 Mime-Version: 1.0 X-Phone: +49-351-2012 669 X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch) In-Reply-To: ; from Adrian Chadd on Jan 8, 1996 04:35:15 +0800 Sender: owner-hackers@freebsd.org X-Loop: FreeBSD.org Precedence: bulk As Adrian Chadd wrote: > From what I remember, perl has a > c-wrapper that it runs before running a setuid shell script that fixes up > the environment and other nice things, then runs the script. No, that's not just a C-wrapper. See my other posting. > By default, > if you use the setuid copy of perl as a script interpreter > (#!/usr/bin/sperl) and it detects that the script IS setuid root, it will > run it. That's an option, but not FreeBSD's default. On FreeBSD, you need to explicitly mention suidperl in the #! line. > If not, it won't run the script as root. I simply disable it on my > systems. ...and use hand-written setuid C programs instead? :-) I bet there are more security problems in them than in all setuid Perl scripts on the world. :-) -- cheers, J"org joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE Never trust an operating system you don't have sources for. ;-)