Date: Mon, 18 Apr 2005 18:48:37 +0600 (YEKST)
From: "Sergey N. Voronkov" <serg@tmn.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/80069: lang/perl5.8 doesn't make a valid symlink to suidperl
Message-ID: <200504181248.j3ICmbvK078968@sv.tech.sibitex.tmn.ru>
Resent-Message-ID: <200504181250.j3ICo2Dd012009@freefall.freebsd.org>
>Number: 80069
>Category: ports
>Synopsis: lang/perl5.8 doesn't make a valid symlink to suidperl
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 18 12:50:01 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Sergey N. Voronkov
>Release: FreeBSD 5.4-RC2 i386
>Organization: Sibitex JSC
>Environment:
System: FreeBSD sv.tech.sibitex.tmn.ru 5.4-RC2 FreeBSD 5.4-RC2 #1: Fri Apr 15 12:42:01 YEKST 2005 serg@sv.tech.sibitex.tmn.ru:/usr/obj/usr/src/sys/SV i386

>Description:
use.perl doesn't make a valid symlink to suidperl in /usr/bin.

According to perl584delta:

<CITE>
suidperl less insecure

Paul Szabo has analysed and patched "suidperl" to remove existing known insecurities. Currently there are no known holes in "suidperl", but previous experience shows that we cannot be confident that these were the last. You may no longer invoke the set uid perl directly, so to preserve backwards compatibility with scripts that invoke #!/usr/bin/suidperl the only set uid binary is now "sperl5.8."n ("sperl5.8.4" for this release). "suidperl" is installed as a hard link to "perl"; both "suidperl" and "perl" will invoke "sperl5.8.4" automatically the set uid binary, so this change should be completely transparent.
</CITE>

It is much more accurate to:

    ln -sf /usr/local/sbin/suidperl /usr/bin/suidperl

>How-To-Repeat:
make ENABLE_SUIDPERL=yes install
Try to run anything suidperl...

>Fix:
--- use.perl.org Mon Apr 18 18:30:50 2005 +++ use.perl Mon Apr 18 18:42:13 2005 
@@ -133,12 +133,14 @@ echo " Removing /usr/bin/$binary" fi bin=`echo $binary | /usr/bin/sed -e 's!perl5!perl!'` - bin=`echo $bin | /usr/bin/sed -e 's!suidperl!sperl!'` if [ -e "/usr/bin/$binary.XXX" ] ; then echo " *** /usr/bin/$binary is still there, which should not happen" elif [ -e "$PKG_PREFIX/bin/${bin}%%PERL_VERSION%%" ] ; then echo " Symlinking $PKG_PREFIX/bin/${bin}%%PERL_VERSION%% to /usr/bin/$binary" /bin/ln -sf "$PKG_PREFIX/bin/${bin}%%PERL_VERSION%%" "/usr/bin/$binary" + elif [ -e "$PKG_PREFIX/bin/${bin}" ] ; then + echo " Symlinking $PKG_PREFIX/bin/${bin} to /usr/bin/$binary" + /bin/ln -sf "$PKG_PREFIX/bin/${bin}" "/usr/bin/$binary" else echo " *** $PKG_PREFIX/bin/${bin}%%PERL_VERSION%% is not there, a symlink won't do any good" fi @@ -168,8 +170,11 @@ echo " *** /usr/bin/$binary is there, which should not happen" else bin=`echo $binary | /usr/bin/sed -e 's!perl5!perl!'` - bin=`echo $bin | /usr/bin/sed -e 's!suidperl!sperl!'` - bins=`/bin/ls /usr/bin/${bin}5.* 2>/dev/null | /usr/bin/sort` + if [ ${bin} != "suidperl" ] ; then + bins=`/bin/ls /usr/bin/${bin}5.* 2>/dev/null | /usr/bin/sort` + else + bins=`/bin/ls /usr/bin/${bin} 2>/dev/null | /usr/bin/sort` + fi bin="" for b in $bins do >Release-Note: >Audit-Trail: >Unformatted:
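Review bot: the new `elif [ -e "$PKG_PREFIX/bin/${bin}" ]` branch in the first hunk (@@ -133,12 +133,14 @@) is reached for every `$binary` the script handles, not only `suidperl`, so any other name whose `%%PERL_VERSION%%` file is missing would now be linked to its unversioned file instead of reaching the error message. Guard the branch with the same `suidperl` test the second hunk uses. The description proposes linking `/usr/local/sbin/suidperl`, while this branch checks and links `$PKG_PREFIX/bin/${bin}`; the two paths should be reconciled before this is committed. The final `else` message still names only the `%%PERL_VERSION%%` path and should mention the unversioned path that is now also tried.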
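Review bot: in the second hunk (@@ -168,8 +170,11 @@) the test `[ ${bin} != "suidperl" ]` leaves `${bin}` unquoted, so an empty value or one containing whitespace makes `[` fail with a syntax error rather than evaluate to false; write `[ "${bin}" != "suidperl" ]`. In the `else` branch, `/bin/ls /usr/bin/${bin}` lists the single path `/usr/bin/suidperl`, which is the same path the preceding "is there, which should not happen" message refers to, so please confirm against the enclosing condition (not shown in this hunk) that this branch can ever find a file. Piping one path through `/usr/bin/sort` is also redundant.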