correctly dropping privileges 

I am writing a script in Perl that is intended to be run setuid root, and I
discovered that dropping privileges is not as straightforward as I expected.
The problems are 1) the exact semantics of setting $> and $< are not
specified; 2) it is not clear what system functions are called when they are
set; and 3) I did not find any information about the fairly important
operation of dropping privileges in the documentation.

To be clear about the goal, the perl script will start with the effective
uid ($>) set to 0 (root) and the real uid ($<) set to, say, 1000.  I can
easily set both to 1000 or to some other value by setting the Perl
variables.  However, I want to ensure that no code will be able to change
them back.

I was initially surprised that

$> = 1000;  # Effective uid
$< = 1000;  # Real uid
# Are root privileges dropped now??
$> = 0;     # Effective uid

kept the effective uid at 1000, but

$< = 1000;  # Real uid
$> = 1000;  # Effective uid
# Are root privileges dropped now??
$> = 0;     # Effective uid

set the effective uid back to 0 (Perl 5.005_03 on Solaris 2.5.1).  I
remained confused until I traced perl and read the Solaris documentation.  I
learned that setting $< calls the setreuid function, which has interesting
effects on the saved uid, which affects the ability to change uid later.  In
particular, the apparent no-op of setting $< to its old value of 1000 in the
first example also set the saved uid to the effective uid, i.e. 1000.  Once
all three uids are 1000, it should be impossible to go back.

Incidentally, since I intend to exec after dropping privileges, I hoped that
exec would set the saved uid to the effective uid, making the first example
as secure as the second.  However, according to the Solaris documentation
the saved uid survives exec, so no luck there.

The question is whether I can rely on the second sequence to correctly drop
privileges, perhaps at least on a reasonable subset of Perl platforms.  My
fear is that there are enough different things that $> and $< could map to
that nobody can be sure.

If this sequence is reliable, I would love to see it documented in some of
perlvar, perlsec and perlfaq.


Mon, 25 Mar 2002 03:00:00 GMT  
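An added example (not from the original post or from Perl's own documentation) of a privilege drop that follows the order the poster found to work, effective uid first and then real uid, and then checks its own result by trying to regain euid 0 and treating success as a failed drop. It assumes a reasonably modern Perl on a Unix where POSIX::getuid and friends exist, and it falls back to an account named "nobody" (an assumption; substitute your own service account) when the script was started directly by root rather than as a setuid wrapper.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(getuid geteuid getgid getegid);

# Permanently drop root privileges to the given uid/gid.
# Ordering matters: groups first (needs root), then effective uid, then
# real uid, so that the setreuid() behind $< copies the already
# unprivileged effective uid into the saved uid.  Returns 1 on success,
# dies otherwise.
sub drop_privileges {
    my ($uid, $gid) = @_;
    die "drop_privileges: uid 0 is not a drop\n" if $uid == 0;

    # Supplementary groups and effective gid, then real gid.
    $) = "$gid $gid";
    $( = $gid;
    die "setgid($gid) failed: $!\n"
        unless getegid() == $gid && getgid() == $gid;

    # Effective uid first, then real uid.
    $> = $uid;
    $< = $uid;
    die "setuid($uid) failed: $!\n"
        unless geteuid() == $uid && getuid() == $uid;

    # Verification: after a correct drop, real, effective and saved uid
    # are all $uid, so this assignment must fail (typically with EPERM).
    # If it succeeds, the saved uid was still 0 and the drop is not safe.
    $> = 0;
    die "privilege drop incomplete: regained euid 0\n" if geteuid() == 0;

    return 1;
}

# Assumed invocation: a setuid-root wrapper that should continue as the
# user who ran it, i.e. the real uid/gid.
if (geteuid() == 0) {
    my ($target_uid, $target_gid) = (getuid(), getgid());

    # Started by root directly: pick a fixed unprivileged account instead.
    # "nobody" is an assumed account name, not something from the post.
    if ($target_uid == 0) {
        ($target_uid, $target_gid) = (getpwnam('nobody'))[2, 3];
        die "no unprivileged fallback account found\n"
            unless defined $target_uid;
    }

    drop_privileges($target_uid, $target_gid);
    printf "now running as uid %d/%d gid %d/%d\n",
        getuid(), geteuid(), getgid(), getegid();
}
else {
    print "not running with root privileges; nothing to drop\n";
}
```

The read-backs go through POSIX::getuid() and POSIX::geteuid() rather than $< and $> so the check does not depend on whatever Perl has cached for those variables, and the deliberate $> = 0 attempt is what turns the poster's "it should be impossible to go back" from a hope into something the script confirms before doing any further work.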