From: Anton Berezin
To: "Dan Mahoney, System Admin"
Cc: security@freebsd.org, questions@freebsd.org
Subject: Re: SetUID shell/perl scripts.
Date: Sat, 2 Jun 2001 03:36:28 +0200
Message-ID: <20010602033628.A78867@heechee.tobez.org>

On Fri, Jun 01, 2001 at 07:00:27PM -0400, Dan Mahoney, System Admin wrote:

> In articles dating as far back as 1997, I see people saying that
> FreeBSD doesn't support setuid shell scripts.

That's true.

> Does the system make an exception for apache? Because I'm able to run
> setuid root cgi scripts (and they're /usr/bin/perl, not
> /usr/bin/suidperl, although they still perform taint checking) (yes,
> I know, dangerous).

Upon startup, /usr/bin/perl notes that the script is setuid, and
launches /usr/bin/suidperl, if `setuid script emulation' was enabled
during the perl configuration process. In FreeBSD, it is enabled and such
scripts work. Hence, more recent versions of FreeBSD set mode 0511 on
/usr/bin/suidperl by default (this is controlled with the ENABLE_SUIDPERL
/etc/make.conf knob).

Consider:

    $ sudo sh
    # cat >toobad.pl
    #! /usr/bin/perl
    print "$> $<\n";
    ^D
    # chmod 4755 toobad.pl
    # chmod 511 /usr/bin/suidperl
    # ^D
    $ ./toobad.pl
    Can't do setuid; ensure that the setuid bit is set on suidperl
    $ sudo sh
    # chmod 4511 /usr/bin/suidperl
    # ^D
    $ ./toobad.pl
    0 1001

Hope this helps,

Cheers,
%Anton.
-- 
May the tuna salad be with you.
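
An audit for the situation described in the message above, added here as an example and not part of the original post: it lists setuid perl scripts under a directory and reports whether the suidperl binary carries the setuid bit (mode 4511 versus 0511). The function names are hypothetical, and the default path /usr/bin/suidperl is taken from the message.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are
# hypothetical; /usr/bin/suidperl is the path used in the message.

# Print each setuid regular file under $1 whose first line is a perl "#!" line.
# Assumes file names without embedded newlines.
find_setuid_perl_scripts() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        # Check the two magic bytes first so binaries are never line-read.
        if [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then
            IFS= read -r first < "$f" || true
            case $first in
                *perl*) printf '%s\n' "$f" ;;
            esac
        fi
    done
}

# Report whether setuid script emulation can take effect:
#   enabled  = setuid bit set on suidperl (e.g. mode 4511)
#   disabled = bit clear (e.g. mode 0511), scripts fail with "Can't do setuid"
#   absent   = no such file
suidperl_state() {
    p=${1:-/usr/bin/suidperl}
    if [ ! -e "$p" ]; then
        echo absent
    elif [ -u "$p" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# One line per setuid perl script found under $1, with the suidperl state.
# $2 optionally overrides the suidperl path.
audit() {
    state=$(suidperl_state "${2:-/usr/bin/suidperl}")
    find_setuid_perl_scripts "$1" | while IFS= read -r s; do
        printf '%s: setuid perl script, suidperl %s\n' "$s" "$state"
    done
}
```

Run it as `audit /usr/local/www` (or any directory holding CGI scripts) after sourcing the file; any line reporting "suidperl enabled" is a script that will run with its owner's effective uid.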