No -e allowed in setuid scripts? 
Author Message
 No -e allowed in setuid scripts?

I'm curious:  what is the insecure scenario which the above error
message is trying to protect against?

1) If the perl binary itself is setuid, then that seems at least as
insecure as having it read a script from the command line.  If the
perl binary is not setuid, then either 2) a setuid script file with
#!...perl is being executed, in which case -e is not being used, or 3)
perl is being called by another program which is setuid, in which case
why not let that program call perl -e as it wants to?

I guess I must be missing something but, in any case, it sure is
inconvenient.  My case falls into #3 above -- a setuid program wants
to make use of perl's services via -e without creating a separate file
to hold the one line script.  But the error message forces a separate
script file with no apparent increase in security.

Can anyone explain?

-- John Wiersba



Tue, 19 Jul 2005 10:13:48 GMT  
 
 [ 1 post ] 

 Relevant Pages 

1. Switch off Access lazy Writer

2. hey

3. Pre-announce: ChimneySweep 1.0 - "Mr. Client, Push this button to fix it!" - Interested (Y/N)?

4. TDBEdit - trapping input errors

5. no -e allowed in setuid scripts?

6. Setuid shell scripts not allowed

7. No -e allowed in setuid scripts

8. Only allow once instance of a script?

9. how to only allow calls to perl or cgi script from certain page

10. Any Units for printing?

11. Problems in using Delphi with an access 2.0 database...

12. Database protection

 

 
Powered by phpBB® Forum Software