[H-GEN] Setting a Perl script suid

Stephen Thorne stephen at mu.com.au
Thu Sep 11 00:10:23 EDT 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

[ There was a chap named Stephen        | The Humbug lists accept posts only   ]
[ Who appeared to be a bit of a heathen | from subscribed addresses.  If you   ]
[ For he didn't know                    | do not post from your subscribed     ]
[ So did it twice in a row              | address, your message may not be     ]
[ Used the wrong address on his mailing | forwarded onwards.  --ListGrouch     ]

On Wed, 10 Sep 2003 16:55, Paul Cornford wrote:
> Because after hours of unrewarded effort I can't seem to access the Perl
> modules I need without it. Yes I've tried adding to @INC, and I've tried
> 'use lib ...' but these haven't worked. However, I did manage to run the
> script on my own machine at home successfully SUID, and since the script
> is for internal use only it seems the only way to go. Clearly my
> understanding of permissions is lacking but the time factor has beaten
> me for further study.

It's my understanding that you cannot set a script (i.e. something you execute
that starts with #!/path/to/bin/file) suid. I'm not sure about the Perl
specifics, but here are two tips that apply to scripting languages.

1) Wrapping the script in a suid C program[0] you've written for the purpose.

2) If you're using Apache, have a look at 'suexec'[1], which is something for
Apache to execute certain CGI scripts as a particular user.

Regards,
Stephen Thorne

[0]
# This assumes you're not interested in passing through arguments or STDIN.
# Making this useful is left as an exercise for the reader.
cat > runmyscript.c <<EOF
#include <stdlib.h>	/* system() */

int main (int argc, char **argv)
{
	/* system() hands this fixed command line to /bin/sh -c. */
	system("/path/to/my/script.sh");
	return 0;
}
EOF
gcc -o runmyscript runmyscript.c
chmod u+s runmyscript

[1] http://httpd.apache.org/docs-2.0/mod/mod_suexec.html


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
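
A hardened take on the wrapper in footnote [0], added here as an example and not part of the original post: it execs the fixed script path directly with a constructed minimal environment instead of going through system(), and refuses to run a target that another user could modify. The target_is_safe helper and the PATH value are assumptions for illustration; the script path is the placeholder from the post.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholder path taken from the post; adjust to the real script. */
#define SCRIPT "/path/to/my/script.sh"

/* Constructed minimal environment: the caller's PATH, LD_*, PERL5LIB
 * and so on never reach the privileged script. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Hypothetical helper: accept only a regular file (not a symlink) owned by
 * `owner` that group and other cannot write. */
int target_is_safe(const struct stat *st, uid_t owner)
{
    if (!S_ISREG(st->st_mode))
        return 0;
    if (st->st_uid != owner)
        return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

int main(void)
{
    struct stat st;
    char *const args[] = { SCRIPT, NULL };

    /* lstat() so a symlink swapped in for the script is rejected. The
     * directories leading to SCRIPT must be equally locked down. */
    if (lstat(SCRIPT, &st) != 0 || !target_is_safe(&st, geteuid())) {
        fprintf(stderr, "refusing to run %s\n", SCRIPT);
        return 1;
    }

    /* No shell in between: the kernel runs the script's own #! interpreter
     * with exactly these arguments and this environment. */
    execve(SCRIPT, args, clean_env);
    perror("execve");   /* only reached if execve failed */
    return 127;
}
```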


