mmuegel@camdev.comm.mot.com (Michael S. Muegel) (03/05/91)
Probably yet another rookie question from a new Perl user, but here goes. I
was trying to use suidscript from Ch6 of the book to make a C wrapper so
a script of mine can run suid root without using suidperl.

Here is what I did:

+ the script has #!/usr/local/bin/perl
+ changed the mode so that it is setuid root (had to do this to get
  suidscript to do anything)
+ ran suidscript with the full pathname of the Perl script

When I run the wrapper I get this:

Can't run setuid script with taint checks.

Can anyone explain this? Basically I DO NOT want to use taintperl so
I thought that by using a C wrapper I could get around this.

Thanks,

-Mike
--
+-----------------------------------------------------------------------------+
| Mike Muegel                               | Internet: mmuegel@mot.com       |
| Software Tools Group                      | UUCP: uunet!motcid!muegel       |
| Fort Worth Research & Development Center  | Voice: (817) 232-6129           |
| Cellular Infrastructure Group             | Fax: (817) 232-6081             |
| Radio Telephone and Systems Group         | Mail: 5555 North Beach St.      |
| Motorola, Inc.                            |       Fort Worth, TX 76137      |
+-----------------------------------------------------------------------------+
lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall) (03/06/91)
In article <395@camdev.comm.mot.com?> mmuegel@mot.com (Michael S. Muegel) writes:
: Probably yet another rookie question from a new Perl user, but here goes. I
: was trying to use suidscript from Ch6 of the book to make a C wrapper so
: a script of mine can run suid root without using suidperl.
:
: Here is what I did:
:
: + the script has #!/usr/local/bin/perl
: + changed the mode so that it is setuid root (had to do this to get
: suidscript to do anything)
: + ran suidscript with the full pathname of the Perl script
That's the way.
: When I run the wrapper I get this:
:
: Can't run setuid script with taint checks.
:
: Can anyone explain this? Basically I DO NOT want to use taintperl so
: I thought that by using a C wrapper I could get around this.
You DO SO want to use taintperl. ESPECIALLY on a script running setuid root.
The error message indicates that ordinary perl couldn't exec taintperl for
some reason, such as non-existence. You need to make sure taintperl is
installed correctly.
Not using taintperl on setuid scripts is silly, considering that taintperl
rarely gets in your way except when it's saving your bacon. When taintperl
tells you there's an insecure dependency, you'd better take it seriously.
Larry
mmuegel@camdev.comm.mot.com (Michael S. Muegel) (03/08/91)
In article <11684@jpl-devvax.JPL.NASA.GOV> lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall) writes:
>In article <395@camdev.comm.mot.com?> mmuegel@mot.com (Michael S. Muegel) writes:
>: Can anyone explain this? Basically I DO NOT want to use taintperl so
>: I thought that by using a C wrapper I could get around this.
>
>You DO SO want to use taintperl. ESPECIALLY on a script running setuid root.
>
>Not using taintperl on setuid scripts is silly, considering that taintperl
>rarely gets in your way except when it's saving your bacon. When taintperl
>tells you there's an insecure dependency, you'd better take it seriously.

You are surely right! The reason I wanted to bypass taintperl was that I did
not know how to untaint data. You see, I had done a zillion checks on user
input (I am writing a script that is totally interactive) and I felt taintperl
was getting in my way. After reading p. 254, "Untainting a Variable," I was
finally clued in on how the taint check process works. Now that I copy my
user input to a NEW variable AFTER checking it all is peachy :-).

-Mike
--
+-----------------------------------------------------------------------------+
| Mike Muegel                               | Internet: mmuegel@mot.com       |
| Software Tools Group                      | UUCP: uunet!motcid!muegel       |
| Fort Worth Research & Development Center  | Voice: (817) 232-6129           |
| Cellular Infrastructure Group             | Fax: (817) 232-6081             |
| Radio Telephone and Systems Group         | Mail: 5555 North Beach St.      |
| Motorola, Inc.                            |       Fort Worth, TX 76137      |
+-----------------------------------------------------------------------------+
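An added example, not part of the thread, showing the taint mechanism Larry defends and the "untainting a variable" step Mike found. It is written for Perl 5's -T switch, which absorbed the separate taintperl binary of Perl 4 that the thread talks about; under -T, neither passing a validation test nor copying a value clears the taint, and the sanctioned way to untaint is to pull the value out through a regular-expression capture. The file name handed to the subprocess is a hypothetical input; `tainted()` from the core `Scalar::Util` module reports the flag so each step can be observed.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): untainting under Perl 5's -T mode,
# the successor to the separate taintperl binary discussed above.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T, anything that comes from outside the program is tainted:
# @ARGV, %ENV, STDIN, file contents. Tainted data may not reach
# system(), exec(), open() for writing, unlink() and friends.
#
# Scrub the environment first; taint mode refuses to start a subprocess
# while PATH and the shell-influencing variables are tainted.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical input: a user-supplied file name destined for a subprocess.
my $input = defined $ARGV[0] ? $ARGV[0] : 'report.txt';

# 1. A check alone does NOT untaint. Even when this test passes, $input
#    is still tainted, and system() would die with "Insecure dependency".
die "bad file name\n" unless $input =~ /^[\w.-]+$/;
printf "after validation: tainted=%d\n", tainted($input) ? 1 : 0;

# 2. Copying does not help either; the taint flag travels with the value.
my $copy = $input;
printf "after copy:       tainted=%d\n", tainted($copy) ? 1 : 0;

# 3. The sanctioned way: extract the value through a regex capture.
#    Only what the pattern explicitly allows comes out in $1, so the
#    pattern *is* the security check. Keep it an allow-list, and use \z
#    rather than $ so a trailing newline cannot slip through.
my ($clean) = $input =~ /^([\w.-]+)\z/
    or die "bad file name\n";
printf "after capture:    tainted=%d\n", tainted($clean) ? 1 : 0;

# $clean may now be used where taint mode forbids tainted data. The list
# form of system() bypasses the shell, so no quoting is involved.
system('/bin/ls', '-l', '--', $clean) == 0
    or warn "ls failed: $?\n";
```

Run it as `perl -T untaint.pl somefile`: since Perl 5.8, a `-T` that appears only on the `#!` line is rejected with "Too late for -T" unless it is also given on the command line (the kernel passes it along automatically when the script is executed directly via the shebang). The first two reports show the flag still set, the third shows it cleared; the point of the exercise is that the decision about what is safe is made once, in the capture pattern, rather than being reconstructed from scattered checks the way the original poster describes.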