no -e allowed in setuid scripts? 

I'm curious:  what is the insecure scenario which the above error
message is trying to protect against?

1) If the perl binary itself is setuid, then that seems at least as
insecure as having it read a script from the command line.  If the
perl binary is not setuid, then either 2) a setuid script file with
#!...perl is being executed, in which case -e is not being used, or 3)
perl is being called by another program which is setuid, in which case
why not let that program call perl -e as it wants to?

I guess I must be missing something but, in any case, it sure is
inconvenient.  My case falls into #3 above -- a setuid program wants
to make use of perl's services via -e without creating a separate file
to hold the one line script.  But the error message forces a separate
script file with no apparent increase in security.

Can anyone explain?

-- John Wiersba



Wed, 20 Jul 2005 18:49:26 GMT  

Quote:

>I'm curious:  what is the insecure scenario which the above error
>message is trying to protect against?

Setuid scripts are an instance of a Perl program running in taint
mode.

In taint mode, all filenames must be untainted before being used. It
may be that there is no risk in -e; however, there is a possibility,
and therefore the safe thing is to ensure that the program detaints
the value before using it, so that the programmer is forced to think
about the risk.



Wed, 20 Jul 2005 19:24:06 GMT  

Quote:
> I'm curious:  what is the insecure scenario which the above error
> message is trying to protect against?

> 1) If the perl binary itself is setuid, then that seems at least as
> insecure as having it read a script from the command line.  If the
> perl binary is not setuid, then either 2) a setuid script file with
> #!...perl is being executed, in which case -e is not being used, or 3)
> perl is being called by another program which is setuid, in which case
> why not let that program call perl -e as it wants to?

> I guess I must be missing something but, in any case, it sure is
> inconvenient.  My case falls into #3 above -- a setuid program wants
> to make use of perl's services via -e without creating a separate file
> to hold the one line script.  But the error message forces a separate
> script file with no apparent increase in security.

> Can anyone explain?

There isn't much to explain.  Taint mode isn't terribly intelligent
and works on a rather-safe-than-sorry basis.  In this case, whatever
comes in via "-e" is considered tainted, and Perl will not eval() it.

If your system and the language your setuid program is written in
permit it, you can remove the safety net by setting the real userid
to the one you're running under (setuid(geteuid()) in C).  Then
Perl will run without taint mode.

Anno



Wed, 20 Jul 2005 21:28:50 GMT  
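
The approach from the last reply, as an added example that is not part of the thread: a C wrapper that makes its real ids equal to its effective ids, checks that the change took hold, and only then execs perl -e. It uses setreuid/setregid in place of the setuid(geteuid()) call quoted above, a swap made here so that the real uid also changes when the effective uid is not root; the perl path and the one-line script are placeholders.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumptions for this example: perl location and the one-line script. */
#define PERL_PATH "/usr/bin/perl"
static const char *const SCRIPT = "print qq(euid=$>\\n)";

/* perl switches taint mode on when real and effective ids differ. */
int would_taint(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Make the real ids equal to the effective ids, group first.
 * Returns 0 only if both calls succeeded and the result was verified. */
int unify_ids(void)
{
    gid_t egid = getegid();
    uid_t euid = geteuid();

    if (setregid(egid, egid) != 0) return -1;
    if (setreuid(euid, euid) != 0) return -1;
    return would_taint(getuid(), geteuid(), getgid(), getegid()) ? -1 : 0;
}

/* Exec perl with a constant script and a constant environment.
 * Nothing from the caller's argv or environment is passed on. */
int run_fixed_oneliner(void)
{
    char *const argv[] = { "perl", "-e", (char *)SCRIPT, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

    if (unify_ids() != 0) return -1;
    execve(PERL_PATH, argv, envp);
    return -1; /* only reached if execve failed */
}

int main(void)
{
    if (run_fixed_oneliner() != 0) {
        perror("wrapper");
        return 1;
    }
    return 0;
}
```

With the ids unified perl runs without taint checks, which is why the script and the environment here are compile-time constants rather than anything derived from the caller.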
 