Re: suid-perl



Jules Bean, in an immanent manifestation of deity, wrote:
>On Sun, 31 Jan 1999, Chip Salzenberg wrote:
>> The code exists to check the mount options relevant to an open file.
>> It's just a Small Matter of Programming to integrate that into the
>> Perl source code, and disable emulation of setuid scripts when the
>> 'nosuid' mount option is set.

Well, while it's not a perfect fix (IMHO, that'd be stripping the suid
bit in the system call), I've applied and tested Jarkko Hietaniemi's
patch for perl-5.004.04.  If you try to run a suidperl script on a
nosuid fs, you get 'permission denied'.  I've tested it on both slink
and potato systems.  Please try it yourselves.

>interpreted.  (Aside: Why hasn't Linus patched the kernel so that suid
>scripts are secure?  It's an easy task, surely?)

I remember reading somewhere back in the 1.0 or .99 days that Linus will
never implement suid scripts because they cause too many other holes.
But note the age of the memory that would have to be and take it with
much salt.

>As it is, noexec is almost useless.
>
>I can't help thinking that *all* interpreters *should* check noexec
>status.

Actually, I find noexec more useful when I have multiple architectures
implemented.  I know that it's saved me a few times when I went to run
ELF binaries compiled for Irix 5.3/6.5 on my Linux box at work.  I found
it rather handy...

Darren
-- 
<torin@daft.com> <http://www.daft.com/~torin> <torin@debian.org> <torin@io.com>
Darren Stalder/2608 Second Ave, @282/Seattle, WA 98121-1212/USA/+1-800-921-4996
@ Sysadmin, webweaver, postmaster for hire. C/Perl/CGI/Pilot programmer/tutor @
@		     Make a little hot-tub in your soul.		      @
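
The check discussed in this thread (look up the mount options for an open file and ignore the set-id bits when the filesystem is mounted nosuid), as an added example that is not part of the original message and is not the Perl patch mentioned above. The function names `setid_allowed` and `fd_setid_allowed` are hypothetical; the check uses the POSIX `fstatvfs()` call on the open descriptor.

```c
/* Added example: fail-closed nosuid check on an already-open script. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* Pure policy: may the set-id bits in st_mode be honoured, given the
 * f_flag value of the filesystem the file lives on? 1 = yes, 0 = no. */
int setid_allowed(mode_t st_mode, unsigned long f_flag)
{
    if (!(st_mode & (S_ISUID | S_ISGID)))
        return 0;               /* no set-id bits, nothing to emulate */
    if (f_flag & ST_NOSUID)
        return 0;               /* mounted nosuid: ignore the bits */
    return 1;
}

/* Query the descriptor that will actually be read, not the path, so the
 * answer cannot change by swapping the file between check and use.
 * Returns 1 (honour), 0 (do not honour), -1 (error: caller must refuse). */
int fd_setid_allowed(int fd)
{
    struct stat st;
    struct statvfs vfs;

    if (fstat(fd, &st) != 0 || fstatvfs(fd, &vfs) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;               /* only regular files can be set-id scripts */
    return setid_allowed(st.st_mode, vfs.f_flag);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s script\n", argv[0]); return 2; }
    int fd = open(argv[1], O_RDONLY);
    if (fd < 0) { perror("open"); return 1; }
    int ok = fd_setid_allowed(fd);
    printf("%s: set-id bits %s\n", argv[1], ok == 1 ? "honoured" : "not honoured");
    close(fd);
    return ok == 1 ? 0 : 1;
}
```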
