Posted to users@httpd.apache.org by tanmaya Anand <ta...@techie.com> on 2003/05/09 13:11:54 UTC

[users@httpd] setuid script problem

Hi all,

I have created the following Perl script:

#!/usr/bin/perl -w

# Send the CGI header before running anything that may write to stdout;
# otherwise the child's output arrives ahead of the header and Apache
# rejects the response as a malformed header.
print "Content-type: text/html\n\n";
system "/usr/local/apache2/cgi-bin/public_html/changenameserver.pl";
print "done";

The following is the changenameserver.pl script:

#!/usr/bin/perl

# Sanitise the environment inherited from the web server before spawning a shell.
$ENV{'PATH'} = "/bin:/usr/bin";
$ENV{'IFS'} = '' if $ENV{'IFS'} ne '';

# Propagate the command's success or failure in the exit status.
my $rc = system "service network restart";
exit($rc == 0 ? 0 : 1);

I have set "u+x" & "u+s" permissions on the script changenameserver.pl, but still the command "service network restart" is not getting executed when I access this script via a web browser.

The following error message is printed to the Apache error log:
"user cannot control this device"

Both of the above scripts are owned by user root.

Can anyone help me with this?


Regards,
Tanmaya
-- 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] setuid script problem

Posted by Chris Meadors <cl...@hereintown.net>.
tempo wrote:
> The SUID (+s) bit can only work on a binary file, not on scripts.
> You can replace your Perl CGI with a compiled one (do the same work in C),
> or (perhaps better) use a 'su - root' command in your Perl code
> (you'll have to store the root password in the script...). Other ideas?

Perl can be configured to detect the +s on scripts and run suidperl.

-- 
Chris




RE: [users@httpd] setuid script problem

Posted by Wil Hatfield - HVHM Customer Care <wi...@hvhm.net>.
> You are confused. The "sticky" bit is set with a 1 in the first octal
> digit. E.g. chmod 1755 would set the sticky bit. A 2 would be the setgid
> bit and a 4 is the setuid bit. (And, of course, you can combine them.)

My bust.... a terminology thing. Setuid bit then... not sticky.

> In an effort to avoid inherent security problems with setuid scripts,
> many systems no longer allow the setuid (or setgid) bit to work with
> non-binary executables.

You scared me. I thought they were going to do away with suidperl and its
capabilities.

Wil




Re: [users@httpd] setuid script problem

Posted by Jeremy Madea <J....@mdl.com>.

Wil Hatfield - HVHM Customer Care wrote:

> SUID (+s) .... are you talking about 4755 aka adding the sticky bit?  

You are confused. The "sticky" bit is set with a 1 in the first octal 
digit. E.g. chmod 1755 would set the sticky bit. A 2 would be the setgid 
bit and a 4 is the setuid bit. (And, of course, you can combine them.)

The sticky bit is generally used on directories. A file created in a 
directory with the sticky bit set can only be moved or deleted by the 
owner (or root.) The sticky bit on files results in system-defined 
behavior. It used to indicate that the binary should not be removed from 
swap, a useful hint for some oft-used executables.

The setuid bit only really makes sense on executable files. When an 
executable is setuid, the binary takes on the UID of the file's owner 
when it is executed. The setgid bit on an executable file is similar but 
results in the executable being run with the GID of the file's group. 
The setgid bit often has some additional system dependent special 
semantics when used on directories or files that aren't executable by 
their group.

> If so, since when does it only work on binary files? Is that
> some recent change at the OS level? Which OS?

In an effort to avoid inherent security problems with setuid scripts, 
many systems no longer allow the setuid (or setgid) bit to work with 
non-binary executables.

-j

--
Jeremy Madea
"My two cents aren't worth a dime.";
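
The three special bits described above are the leading octal digit of a mode such as 4755, and the combinations this thread warns about (a setuid or setgid bit on a #! script, which the kernel does not honour, or a sticky bit on a regular file, which no longer does anything) are easy to audit for. The program below is an added example for this page, not code from the thread or from the Apache project; it decodes st_mode into setuid/setgid/sticky, peeks at the first two bytes of a regular file to tell a script from a binary, and reports which case each path falls into. The verdict names and the command-line usage are the example's own.

```c
/* setid-audit.c: added example, not from the thread.
 * Decodes the "special" mode bits (the leading octal digit of chmod 1755,
 * 2755, 4755) and flags the cases the discussion warns about: a setuid or
 * setgid bit on a #! script (ignored or refused by the kernel) and a sticky
 * bit on a regular file (legacy swap hint, no effect today). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

enum verdict {
    V_PLAIN = 0,      /* no special bits worth mentioning */
    V_SETID_BINARY,   /* setuid/setgid on a non-script file: review it */
    V_SETID_SCRIPT,   /* setuid/setgid on a #! script: not honoured */
    V_SETGID_DIR,     /* setgid directory: new files inherit the group */
    V_STICKY_DIR,     /* sticky directory such as /tmp: normal */
    V_STICKY_FILE     /* sticky on a regular file: legacy, no effect */
};

/* Render the special bits as text, e.g. "setuid,setgid" or "-" for none. */
const char *special_bits(mode_t m, char *buf, size_t n)
{
    buf[0] = '\0';
    if (m & S_ISUID) strncat(buf, "setuid,", n - strlen(buf) - 1);
    if (m & S_ISGID) strncat(buf, "setgid,", n - strlen(buf) - 1);
    if (m & S_ISVTX) strncat(buf, "sticky,", n - strlen(buf) - 1);
    size_t len = strlen(buf);
    if (len == 0) strncat(buf, "-", n - 1);
    else buf[len - 1] = '\0';           /* drop the trailing comma */
    return buf;
}

/* An interpreter script starts with the "#!" magic; anything else is
 * treated as a binary for the purpose of this audit. */
int is_interpreter_script(const unsigned char *head, size_t n)
{
    return n >= 2 && head[0] == '#' && head[1] == '!';
}

/* Pure classification from st_mode plus the first bytes of the file, so it
 * can be exercised without touching the filesystem. */
enum verdict classify(mode_t mode, const unsigned char *head, size_t n)
{
    int setid = (mode & (S_ISUID | S_ISGID)) != 0;
    if (S_ISDIR(mode)) {
        if (mode & S_ISGID) return V_SETGID_DIR;
        if (mode & S_ISVTX) return V_STICKY_DIR;
        return V_PLAIN;
    }
    if (setid)
        return is_interpreter_script(head, n) ? V_SETID_SCRIPT : V_SETID_BINARY;
    if (mode & S_ISVTX) return V_STICKY_FILE;
    return V_PLAIN;
}

/* Read mode and header from disk, then classify. Returns -1 on I/O error.
 * lstat + O_NOFOLLOW so a symlink in cgi-bin is reported as itself. */
int audit_path(const char *path, enum verdict *out)
{
    struct stat st;
    unsigned char head[2] = { 0, 0 };
    ssize_t n = 0;
    if (lstat(path, &st) != 0) return -1;
    if (S_ISREG(st.st_mode)) {
        int fd = open(path, O_RDONLY | O_NOFOLLOW);
        if (fd < 0) return -1;
        n = read(fd, head, sizeof head);
        close(fd);
        if (n < 0) return -1;
    }
    *out = classify(st.st_mode, head, (size_t)n);
    return 0;
}

int main(int argc, char **argv)
{
    static const char *names[] = {
        "plain", "setid binary (review)",
        "setid bit on #! script (ignored by the kernel)",
        "setgid directory", "sticky directory", "sticky bit on file (no effect)"
    };
    char bits[32];
    for (int i = 1; i < argc; i++) {
        struct stat st;
        enum verdict v;
        if (audit_path(argv[i], &v) != 0 || lstat(argv[i], &st) != 0) {
            perror(argv[i]);
            continue;
        }
        printf("%-40s %04o %-14s %s\n", argv[i],
               (unsigned)(st.st_mode & 07777),
               special_bits(st.st_mode, bits, sizeof bits), names[v]);
    }
    return 0;
}
```

Build with `cc -o setid-audit setid-audit.c` and point it at a CGI directory, for example `./setid-audit /usr/local/apache2/cgi-bin/public_html/*`; the poster's changenameserver.pl would come back as "setid bit on #! script", which is exactly why the setuid bit there does nothing. To find candidates system-wide, `find / -perm /6000 -type f` lists every file carrying either bit.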




RE: [users@httpd] setuid script problem

Posted by Wil Hatfield - HVHM Customer Care <wi...@hvhm.net>.
SUID (+s) .... are you talking about 4755, aka adding the sticky bit?  If so,
since when does it only work on binary files? Is that some recent change at
the OS level?  Which OS?

Wil

> -----Original Message-----
> From: tempo [mailto:tempo@tempo.dyndns.org]
> Sent: Friday, May 09, 2003 10:18 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] setuid script problem
>
> > i have set "u+x" & "u+s" permissions for the script
> > changenameserver.pl. but still the command "service network
> > restart" is not getting executed when i access this script via
> > web browser.
>
> The SUID (+s) bit can only work on a binary file, not on scripts.
> You can replace your Perl CGI with a compiled one (do the same work in C),
> or (perhaps better) use a 'su - root' command in your Perl code
> (you'll have to store the root password in the script...). Other ideas?
>
> Frederic TEMPORELLI




Re: [users@httpd] setuid script problem

Posted by tempo <te...@tempo.dyndns.org>.
> i have set "u+x" & "u+s" permissions for the script changenameserver.pl. but still the command "service network restart" is not getting executed when i access this script via web browser.

The SUID (+s) bit can only work on a binary file, not on scripts.
You can replace your Perl CGI with a compiled one (do the same work in C),
or (perhaps better) use a 'su - root' command in your Perl code
(you'll have to store the root password in the script...). Other ideas?

Frederic TEMPORELLI
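
Of the two options above, the compiled wrapper is the one that does not leave a root password on disk, and it is also the shape a setuid program should take: a fixed command line, no shell, an environment built from scratch rather than inherited from Apache, and real uid raised to match the effective uid so that init scripts which re-check getuid() do not drop privileges. The program below is an added example for this page, not code from the thread or from the Apache project. It assumes the privileged command lives at /sbin/service, that Apache runs CGIs as a user named "apache", and that the binary is installed as root:apache with mode 4750; all three are assumptions for the example.

```c
/* netrestart-wrapper.c: added example, not from the thread.
 * Minimal setuid-root wrapper doing the job the poster's changenameserver.pl
 * was meant to do. The kernel honours the setuid bit on this binary where it
 * ignores it on a #! script. Assumptions (not from the original post): the
 * command is /sbin/service, the CGI user is "apache", installed root:apache 4750. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>

/* Fixed command line: no shell, nothing from the caller reaches argv. */
char *const RESTART_ARGV[] = { "/sbin/service", "network", "restart", NULL };

/* Environment built from scratch; PATH, IFS, LD_PRELOAD, PERL5LIB and
 * friends from the web server's environment never reach the child. */
char *const RESTART_ENVP[] = { "PATH=/bin:/usr/bin:/sbin:/usr/sbin", NULL };

/* The process may proceed only if it actually gained root via the setuid
 * bit (euid 0) and was started by the expected unprivileged uid. Kept as a
 * pure function of the three ids so it can be tested with synthetic values. */
int caller_is_allowed(uid_t real_uid, uid_t effective_uid, uid_t allowed_uid)
{
    return effective_uid == 0 && real_uid == allowed_uid;
}

/* Raise the real ids as well: "service" spawns a shell and init scripts
 * commonly re-check getuid(); with ruid != euid they would see "apache". */
static int become_root(void)
{
    if (setgid(0) != 0) return -1;
    if (setuid(0) != 0) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    (void)argv;
    if (argc != 1) {                    /* this wrapper takes no arguments */
        fputs("wrapper: no arguments accepted\n", stderr);
        return 1;
    }
    struct passwd *pw = getpwnam("apache");  /* assumption: the CGI user */
    if (pw == NULL) {
        fputs("wrapper: no such user 'apache'\n", stderr);
        return 1;
    }
    if (!caller_is_allowed(getuid(), geteuid(), pw->pw_uid)) {
        fputs("wrapper: not setuid root, or wrong caller\n", stderr);
        return 1;
    }
    if (become_root() != 0) {
        perror("wrapper: setuid");
        return 1;
    }
    /* Replace the process image; stdout stays attached so the calling CGI
     * can have emitted its Content-type header first. */
    execve(RESTART_ARGV[0], RESTART_ARGV, RESTART_ENVP);
    perror("wrapper: execve");          /* only reached on failure */
    return 1;
}
```

Install it with `chown root:apache netrestart-wrapper; chmod 4750 netrestart-wrapper`, so only the web server's uid can even execute it, and call it from the Perl CGI after the header has been printed, e.g. `system("/usr/local/apache2/cgi-bin/public_html/netrestart-wrapper") == 0 or print "failed";`. A wrapper like this is still a root-capable program reachable from the network, so it belongs behind whatever authentication the site already applies to that CGI, and the action it performs should stay fixed rather than grow parameters.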


