Date: Sat, 2 Jun 2001 03:36:28 +0200 From: Anton Berezin <tobez@tobez.org> To: "Dan Mahoney, System Admin" <danm@prime.gushi.org> Cc: security@freebsd.org, questions@freebsd.org Subject: Re: SetUID shell/perl scripts. Message-ID: <20010602033628.A78867@heechee.tobez.org> In-Reply-To: <Pine.BSF.4.21.0106011839340.95298-100000@prime.gushi.org>; from danm@prime.gushi.org on Fri, Jun 01, 2001 at 07:00:27PM -0400 References: <Pine.BSF.4.21.0106011839340.95298-100000@prime.gushi.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jun 01, 2001 at 07:00:27PM -0400, Dan Mahoney, System Admin wrote: > In articles dating as far back as 1997, I see people saying that > freeBSD doesn't support setuid shell scripts. That's true. > Does the system make an exception for apache? Because I'm able to run > setuid root cgi scripts (and they're /usr/bin/perl, not > /usr/bin/suidperl, although they still perform taint checking) (yes, > I know, dangerous). Upon startup, /usr/bin/perl notes that the script is setuid, and launches /usr/bin/suidperl, if `setuid script emulation' was enabled during perl configuration process. In FreeBSD, it is enabled and such scripts work. Hence, more recent versions of FreeBSD set mode 0511 on /usr/bin/suidperl by default (this is controlled with ENABLE_SUIDPERL /etc/make.conf knob). Consider: $ sudo sh # cat >toobad.pl #! /usr/bin/perl print "$> $<\n"; ^D # chmod 4755 toobad.pl # chmod 511 /usr/bin/suidperl # ^D $ ./toobad.pl Can't do setuid; ensure that the setuid bit is set on suidperl $ sudo sh # chmod 4511 /usr/bin/suidperl # ^D $ ./toobad.pl 0 1001 Hope this helps, Cheers, %Anton. -- May the tuna salad be with you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010602033628.A78867>