karrer@bernina.ethz.ch (Andreas Karrer) (05/17/91)
I followed Tom Christiansen's instructions on how to compile perl 4.003 with the ANSI standard Convex cc (no -pcc). Now I have a problem with setuid perl scripts. It seems that under ConvexOS 9.0 Convex has "fixed" the security problem inherent in set[ug]id #!-scripts. From the chmod(2) man page: ... Additionally, shell scripts which have either the set-user-ID bit or set-group- ID bit set will not execute if the caller's user/group-ID does not match that of the script. In other words, when you try to run a set[ug]id script, you just get: "./script: Not owner." and suidperl has no chance of ever getting invoked. What they should have done is that the kernel just ignores the set[ug]id bits before it execve's the script. These C-wrappers jus' tain' telegant. +----------- Andi Karrer, Communication Systems, ETH Zuerich, Switzerland karrer@bernina.ethz.ch - terible simplifieur
tchrist@convex.COM (Tom Christiansen) (05/18/91)
From the keyboard of karrer@bernina.ethz.ch (Andreas Karrer): :I followed Tom Christiansen's instructions on how to compile perl 4.003 :with the ANSI standard Convex cc (no -pcc). : :Now I have a problem with setuid perl scripts. It seems that under :ConvexOS 9.0 Convex has "fixed" the security problem inherent in :set[ug]id #!-scripts. From the chmod(2) man page: : : ... Additionally, shell : scripts which have either the set-user-ID bit or set-group- : ID bit set will not execute if the caller's user/group-ID : does not match that of the script. : :In other words, when you try to run a set[ug]id script, you just get: : : "./script: Not owner." : :and suidperl has no chance of ever getting invoked. : :What they should have done is that the kernel just ignores the :set[ug]id bits before it execve's the script. Tell me about it! If you're a customer of ours (as it appears you are) I urge you to submit a bug report (contact report) about this. I need more ammo. :-) A bizarre work-around is that while you can't execute "script" directly, saying "perl script" makes all the right things happen. You can put script in .script.real, and make script say "exec perl .$0.real $@" or some such. --tom -- Tom Christiansen tchrist@convex.com convex!tchrist "So much mail, so little time."