rob@cvedc.uucp (Rob Robertson) (10/24/90)
I hate to be ignorant but I am. I have a need to run suid to change symbolic links in a file system to "create" the proper filesystem for testers and developers so that they can select and run "development" software, "beta" software or "released" software. My understanding is that if you compile a C program, make the C program suid owned by root, that should do the trick. Well I did that with both the sun4 OS4.0.3 and sun3 OS4.0.1 systems and found that the sparc program works but the motorola code. The complaint I get is:

Insecure PATH at ./sog line 3.

sog is the name of the perl script I am calling using the system call in the c program. If I am doing something wrong, or if there is another way to do what I am after please let me know.

rob@cvedc.prime.COM
lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall) (10/24/90)
In article <1990Oct23.173005.470@cvedc.uucp> rob@cvedc.UUCP () writes:
: I hate to be ignorant but I am. I have a need to run suid to change
: symbolic links in a file system to "create" the proper filesystem
: for testers and developers so that they can select and run "development"
: software, "beta" software or "released" software. My understanding
: is that if you compile a C program, make the C program suid owned
: by root, that should do the trick. Well I did that with both the
: sun4 OS4.0.3 and sun3 OS4.0.1 systems and found that the sparc program
: works but the motorola code. The complaint I get is:
:
: Insecure PATH at ./sog line 3.
:
: sog is the name of the perl script I am calling using the system call
: in the c program. If I am doing something wrong, or if there is another
: way to do what I am after please let me know.
Just set $ENV{'PATH'} explicitly, so that you aren't relying on the PATH
the user supplied, which might let them run programs you didn't anticipate.
Larry
pvo@sapphire.OCE.ORST.EDU (Paul O'Neill) (10/26/90)
In article <10082@jpl-devvax.JPL.NASA.GOV> lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall) writes:
>
>Just set $ENV{'PATH'} explicitly, so that you aren't relying on the PATH
>the user supplied, which might let them run programs you didn't anticipate.
>
Here's the standard stuff I use to shut up taintperl:

$ENV{'PATH'} = '/bin:/usr/bin:/usr/ucb/bin:/usr/etc';   #security stuff
$path = $ENV{'PATH'};                                   #security stuff
$ENV{'SHELL'} = '/bin/sh' if $ENV{'SHELL'} ne '';       #security stuff
$ENV{'IFS'} = '' if $ENV{'IFS'} ne '';                  #security stuff

Paul O'Neill    pvo@oce.orst.edu    DoD 000006
Coastal Imaging Lab
OSU--Oceanography
Corvallis, OR 97331    503-737-3251
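Added example, not part of the original thread: the C side of the setup discussed above, with the system() call replaced by execve() on an absolute path and an environment rebuilt from fixed values, so nothing the caller exported reaches the script. The PATH, SHELL and IFS values are the ones from the post above; the pass-through list (TERM, TZ), the function names and the 16-slot buffer are assumptions. The script should still set $ENV{'PATH'} itself, as the replies describe.

```c
#include <string.h>
#include <unistd.h>
extern char **environ;

/* Fixed values are the ones from the post above; the allowlist is an assumption. */
static char *const FIXED_ENV[] = {
    "PATH=/bin:/usr/bin:/usr/ucb/bin:/usr/etc", "SHELL=/bin/sh", "IFS=", NULL
};
static const char *const PASS_THROUGH[] = { "TERM", "TZ", NULL };

/* Return 1 if entry is "NAME=value" for an allowlisted NAME. */
static int is_allowed(const char *entry)
{
    size_t i, n;
    for (i = 0; PASS_THROUGH[i] != NULL; i++) {
        n = strlen(PASS_THROUGH[i]);
        if (strncmp(entry, PASS_THROUGH[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Fill out[] with the fixed entries plus allowlisted inherited ones.
 * Returns the entry count, or -1 if out[] (cap slots) is too small. */
int clean_env(char *const inherited[], char *out[], size_t cap)
{
    size_t n = 0, i;
    for (i = 0; FIXED_ENV[i] != NULL; i++) {
        if (n + 1 >= cap) return -1;        /* keep room for the NULL */
        out[n++] = FIXED_ENV[i];
    }
    for (i = 0; inherited != NULL && inherited[i] != NULL; i++) {
        if (!is_allowed(inherited[i])) continue;   /* drops caller's PATH, IFS, ... */
        if (n + 1 >= cap) return -1;
        out[n++] = inherited[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Stands in for system("./sog"): no shell, absolute path, rebuilt environment. */
int run_script(const char *abs_path, char *const argv[])
{
    char *env[16];
    if (abs_path[0] != '/' || clean_env(environ, env, 16) < 0)
        return -1;
    execve(abs_path, argv, env);
    return -1; /* reached only if execve failed */
}
```

The wrapper's main() would call run_script() with the script's full installed path and treat any return as a failure.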