[comp.lang.perl] suid perl

rob@cvedc.uucp (Rob Robertson) (10/24/90)

I hate to be ignorant but I am.  I have a need to run suid to change
symbolic links in a file system to "create" the proper filesystem
for testers and developers so that they can select and run "development"
software, "beta" software or "released" software.  My understanding
is that if you compile a C program, make the C program suid owned
by root, that should do the trick.  Well I did that with both the
sun4 OS4.0.3 and sun3 OS4.0.1 systems and found that the sparc program
works but the motorola code.  The complaint I get is:

Insecure PATH at ./sog line 3.

sog is the name of the perl script I am calling using the system call
in the C program.  If I am doing something wrong, or if there is another
way to do what I am after please let me know.

rob@cvedc.prime.COM

lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall) (10/24/90)

In article <1990Oct23.173005.470@cvedc.uucp> rob@cvedc.UUCP () writes:
: I hate to be ignorant but I am.  I have a need to run suid to change
: symbolic links in a file system to "create" the proper filesystem
: for testers and developers so that they can select and run "development"
: software, "beta" software or "released" software.  My understanding
: is that if you compile a C program, make the C program suid owned
: by root, that should do the trick.  Well I did that with both the
: sun4 OS4.0.3 and sun3 OS4.0.1 systems and found that the sparc program
: works but the motorola code.  The complaint I get is:
: 
: Insecure PATH at ./sog line 3.
: 
: sog is the name of the perl script I am calling using the system call
: in the C program.  If I am doing something wrong, or if there is another
: way to do what I am after please let me know.

Just set $ENV{'PATH'} explicitly, so that you aren't relying on the PATH
the user supplied, which might let them run programs you didn't anticipate.

Larry

pvo@sapphire.OCE.ORST.EDU (Paul O'Neill) (10/26/90)

In article <10082@jpl-devvax.JPL.NASA.GOV> lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall) writes:
>
>Just set $ENV{'PATH'} explicitly, so that you aren't relying on the PATH
>the user supplied, which might let them run programs you didn't anticipate.
>

Here's the standard stuff I use to shut up taintperl:

$ENV{'PATH'} = '/bin:/usr/bin:/usr/ucb/bin:/usr/etc';   #security stuff
$path = $ENV{'PATH'};                                   #security stuff
$ENV{'SHELL'} = '/bin/sh' if $ENV{'SHELL'} ne '';       #security stuff
$ENV{'IFS'} = '' if $ENV{'IFS'} ne '';                  #security stuff


Paul O'Neill                 pvo@oce.orst.edu		DoD 000006
Coastal Imaging Lab
OSU--Oceanography
Corvallis, OR  97331         503-737-3251
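An added example (not from any poster in this thread) showing how Larry's and Paul's advice looks in current Perl taint mode (-T), applied to Rob's original task of switching a symlink between "development", "beta" and "released" trees. The tree paths, the link name and the selector words are assumptions for illustration; the point is that the environment is fixed up front, the user's argument is untainted through an explicit allow-list capture, and the link is changed with perl builtins so no shell is ever started.

```perl
#!/usr/bin/perl -T
# Added example: taint-mode script that repoints a "current" symlink.
# Paths and selector names below are assumptions, not from the thread.
use strict;
use warnings;

# 1. Environment hygiene: a setuid program must not inherit the caller's PATH,
#    and the variables a shell would honour (IFS, CDPATH, ENV, BASH_ENV) are
#    simply removed rather than set to something "harmless".
$ENV{'PATH'} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Assumed software trees that the link may point at.
my %tree = (
    development => '/opt/app/dev',
    beta        => '/opt/app/beta',
    released    => '/opt/app/release',
);

# 2. Untaint the selector. Taint mode refuses tainted data in symlink(),
#    system() and friends; only a regex capture is considered clean, so the
#    allow-list match is both the validation and the untainting step.
sub untaint_selector {
    my ($arg) = @_;
    return undef unless defined $arg;
    return undef unless $arg =~ /\A(development|beta|released)\z/;
    return $1;
}

# 3. Replace the link atomically: build a temporary link next to it and
#    rename() it over the old one, so readers never see a missing link.
sub switch_link {
    my ($selector, $link) = @_;
    my $name = untaint_selector($selector);
    die "unknown selector\n" unless defined $name;
    my $target = $tree{$name};

    my $tmp = "$link.tmp.$$";
    unlink $tmp;
    symlink($target, $tmp) or die "symlink $tmp: $!\n";
    rename($tmp, $link) or do {
        my $err = $!;
        unlink $tmp;
        die "rename $tmp -> $link: $err\n";
    };
    return $target;
}

# Run only when executed directly; the link location is an assumption.
if (!caller) {
    my $selector = shift @ARGV;
    my $link     = '/opt/app/current';
    my $target   = switch_link($selector, $link);
    print "$link -> $target\n";
}
```

Because the work is done with symlink() and rename(), the "Insecure PATH" complaint never arises in the first place: there is no system() call for taint checking to object to. If an external command is unavoidable, call it in list form, system('/bin/ls', '-l', $untainted), so perl execs it directly instead of handing a string to /bin/sh.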