karrer@bernina.ethz.ch (Andreas Karrer) (05/17/91)
I followed Tom Christiansen's instructions on how to compile perl 4.003
with the ANSI standard Convex cc (no -pcc).
Now I have a problem with setuid perl scripts. It seems that under
ConvexOS 9.0 Convex has "fixed" the security problem inherent in
set[ug]id #!-scripts. From the chmod(2) man page:
... Additionally, shell
scripts which have either the set-user-ID bit or set-group-
ID bit set will not execute if the caller's user/group-ID
does not match that of the script.
In other words, when you try to run a set[ug]id script, you just get:
"./script: Not owner."
and suidperl has no chance of ever getting invoked.
What they should have done is that the kernel just ignores the
set[ug]id bits before it execve's the script.
These C-wrappers jus' tain' telegant.
+-----------
Andi Karrer, Communication Systems, ETH Zuerich, Switzerland
karrer@bernina.ethz.ch - terible simplifieur

tchrist@convex.COM (Tom Christiansen) (05/18/91)
From the keyboard of karrer@bernina.ethz.ch (Andreas Karrer):
:I followed Tom Christiansen's instructions on how to compile perl 4.003
:with the ANSI standard Convex cc (no -pcc).
:
:Now I have a problem with setuid perl scripts. It seems that under
:ConvexOS 9.0 Convex has "fixed" the security problem inherent in
:set[ug]id #!-scripts. From the chmod(2) man page:
:
:     ... Additionally, shell
:     scripts which have either the set-user-ID bit or set-group-
:     ID bit set will not execute if the caller's user/group-ID
:     does not match that of the script.
:
:In other words, when you try to run a set[ug]id script, you just get:
:
:     "./script: Not owner."
:
:and suidperl has no chance of ever getting invoked.
:
:What they should have done is that the kernel just ignores the
:set[ug]id bits before it execve's the script.

Tell me about it! If you're a customer of ours (as it appears you are)
I urge you to submit a bug report (contact report) about this. I need
more ammo. :-)

A bizarre work-around is that while you can't execute "script" directly,
saying "perl script" makes all the right things happen. You can put
script in .script.real, and make script say "exec perl .$0.real $@" or
some such.

--tom
--
Tom Christiansen tchrist@convex.com convex!tchrist
"So much mail, so little time."
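The wrapper work-around Tom sketches, as an added example that is not code from the thread: a POSIX sh version that tolerates a directory part in $0 and quotes "$@" so arguments with spaces reach the real script unchanged. The wrapper carries no set-id bits (the kernel refuses those anyway); they stay on .script.real, which only the perl binary opens. The file names, the temp layout and the fake stand-in for perl are assumptions made for the self-check.

```shell
#!/bin/sh
# Added example, not from the original posts. Assumed layout (hypothetical):
#   DIR/script        plain wrapper, no set-id bits
#   DIR/.script.real  the real perl script, carrying the set-id bits

# Given the wrapper's own path ($0), return the hidden real script's path.
# A bare ".$0.real" breaks as soon as $0 is "./script" or "/usr/bin/script".
real_path() {
    printf '%s/.%s.real\n' "$(dirname -- "$1")" "$(basename -- "$1")"
}

# Write a wrapper at $1 that execs interpreter $2 on the real script.
# "$@" is quoted on purpose: a bare $@ would re-split "a b" into two
# arguments and glob-expand them before the real script ever sees them.
write_wrapper() {
    cat > "$1" <<EOF
#!/bin/sh
d=\$(dirname -- "\$0"); b=\$(basename -- "\$0")
exec $2 "\$d/.\$b.real" "\$@"
EOF
    chmod 755 "$1"
}

# Self-check: a fake interpreter standing in for perl echoes the arguments
# it receives, one per line, so we can see exactly what the wrapper passes.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\nprintf "%%s\\n" "$@"\n' > "$tmp/fakeperl"
    chmod 755 "$tmp/fakeperl"
    : > "$tmp/.script.real"                      # placeholder real script
    write_wrapper "$tmp/script" "$tmp/fakeperl"
    "$tmp/script" "a b" c | sed "s|^$tmp/||"     # strip the temp prefix
    rm -rf "$tmp"
}
```

Running demo prints `.script.real`, `a b` and `c` on three lines, showing the real script's path resolved beside the wrapper and the spaced argument kept whole.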