
Bug#2691: new perl break suid scripts



Hi,
>>"Michael" == Michael Alan Dorman <mdorman@lot49.med.miami.edu> writes:

Michael> In message <m0u8mgt-00016bC@miles.econ.queensu.ca>,
Michael> Dirk.Eddelbuettel@qed.econ.queensu.ca writes:
Dirk> Apparently, there no longer is a suidperl in the perl package.

Michael> I thought suidperl was being gotten rid of for some
Michael> reason--- [deleted for brevity]

	Not so: (excerpt from the latest perlsec manpage
 follows).  However, building suidperl is an option, and apparently
 the package maintainer has not chosen to implement this (allowing
 suidperl is inherently less secure than otherwise -- though I'm
 personally rather sure that suidperl does the right stuff, I could
 not offer a guarantee [I know, I know, nothing can].  People can't
 exploit any bugs, current or future -- in suidperl if it doesn't
 exist on your system).

	Having said that, I feel that we should allow the generation
 of suidperl in the config section, and maybe (_maybe_!) allow for
 its removal in postinst if people think it makes the system
 insecure.

	manoj

Perlsec> Perl is designed to make it easy to write secure setuid and
Perlsec> setgid scripts.  Unlike shells, which are based on multiple
Perlsec> substitution passes on each line of the script, Perl uses a
Perlsec> more conventional evaluation scheme with fewer hidden
Perlsec> "gotchas".  Additionally, since the language has more
Perlsec> built-in functionality, it has to rely less upon external
Perlsec> (and possibly untrustworthy) programs to accomplish its
Perlsec> purposes.

Perlsec> Beyond the obvious problems that stem from giving special
Perlsec> privileges to such flexible systems as scripts, on many
Perlsec> operating systems, setuid scripts are inherently insecure
Perlsec> right from the start.  This is because between the time
Perlsec> that the kernel opens up the file to see what to run, and
Perlsec> when the now setuid interpreter it ran turns around and
Perlsec> reopens the file so it can interpret it, things may have
Perlsec> changed, especially if you have symbolic links on your
Perlsec> system.

Perlsec> Fortunately, sometimes this kernel "feature" can be disabled.
Perlsec> Unfortunately, there are two ways to disable it.  The system
Perlsec> can simply outlaw scripts with the setuid bit set, which
Perlsec> doesn't help much.  Alternately, it can simply ignore the
Perlsec> setuid bit on scripts.  If the latter is true, Perl can
Perlsec> emulate the setuid and setgid mechanism when it notices the
Perlsec> otherwise useless setuid/gid bits on Perl scripts.  It does
Perlsec> this via a special executable called suidperl that is
Perlsec> automatically invoked for you if it's needed.


--
If a man does not make new acquaintances, as he advances through life,
he soon will find himself alone.  A man should keep his friendship in
constant repair.  -- Johnson %%
Manoj Srivastava               Systems Research Programmer, Project Pilgrim,
Phone: (413) 545-3918                A143B Lederle Graduate Research Center,
Fax:   (413) 545-1249         University of Massachusetts, Amherst, MA 01003
<srivasta@pilgrim.umass.edu> <URL:http://www.pilgrim.umass.edu/%7Esrivasta/>
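The race the perlsec excerpt describes, shown as an added C example that is not from the manpage, from the Debian perl package or from the message above: a small simulation of the window between the kernel opening the script and the interpreter reopening it by path, together with the device/inode comparison an interpreter can make to notice that the path no longer names the file it was handed. The helper names script_fd_matches_path and demo_swap_detected are hypothetical, and the files it works on are constructed temporaries under /tmp.

```c
/* Added example (not from perlsec or the Debian perl package): the
 * "reopen by path" race and the check that detects it.  Helper names
 * script_fd_matches_path() and demo_swap_detected() are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Return 1 if the already-open descriptor and the path name the same inode
 * on the same device, 0 if the path now refers to some other file (for
 * instance a symlink or rename slipped in during the window), -1 on error.
 * stat() follows symlinks, which is what the exec path does too. */
int script_fd_matches_path(int fd, const char *path)
{
    struct stat by_fd, by_path;
    if (fstat(fd, &by_fd) != 0) return -1;
    if (stat(path, &by_path) != 0) return -1;
    return (by_fd.st_dev == by_path.st_dev &&
            by_fd.st_ino == by_path.st_ino) ? 1 : 0;
}

/* Simulate the window: open "the script" (what the kernel did), replace
 * the name with a different file (what can happen before the interpreter
 * reopens it), then run the check an interpreter should do before trusting
 * the path.  Returns 1 when the check flags the swap, 0 if it missed it,
 * -1 on a setup error.  Uses constructed temp files under /tmp. */
int demo_swap_detected(void)
{
    char script[] = "/tmp/suidscript-XXXXXX";   /* constructed, not a real script */
    char other[]  = "/tmp/suidother-XXXXXX";
    int fd = mkstemp(script);
    if (fd < 0) return -1;
    const char *body = "#!/usr/bin/perl\nprint \"hello\\n\";\n";
    if (write(fd, body, strlen(body)) < 0) { close(fd); unlink(script); return -1; }

    int before = script_fd_matches_path(fd, script);   /* same inode: 1 */

    int ofd = mkstemp(other);
    if (ofd < 0) { close(fd); unlink(script); return -1; }
    close(ofd);
    /* Atomically give the other file the script's name: the open fd still
     * refers to the original inode, the path no longer does. */
    if (rename(other, script) != 0) {
        close(fd); unlink(script); unlink(other); return -1;
    }

    int after = script_fd_matches_path(fd, script);    /* different inode: 0 */

    close(fd);
    unlink(script);
    return (before == 1 && after == 0) ? 1 : 0;
}

int main(void)
{
    printf("swap detected: %s\n", demo_swap_detected() == 1 ? "yes" : "no");
    return 0;
}
```

The check only closes the window if the interpreter goes on to read the script from the descriptor it already holds rather than from the path; comparing inodes and then reopening by name would just reintroduce the same race one step later.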