Can't do setuid and file permission denied errors

Chris

I hope this is the right news group to post my questions,

I'm a newbie with perl scripts and I'm having
problem running my copied script to my server. Can anybody who is
patient enough to help me with my problem?
I have a chpass.pl which is being executed by a change password web
utility page. This script tries to update a password on my Linux
server /etc/shadow with a file permission rw------. My chpass.pl was
set to -rwsr-sr-x ,
with this file permission, I'm getting an error: Can't do setuid,
referer: http://.......
When I set the file permission of the chpass.pl to -rwsr-xr-x , I get
the error: file permission denied by the file /etc/shadow..
When I chmod 777 the /etc/shadow then everything works but I'm sure
it's not safe to do that.. I cannot figure out how could I make this
work with the original file permission of the files shadow and
chpass.pl unchanged for I knew this had been working before with
another machine with almost a copycat of my server.

PLS..

Thanks...
 
Ben Morrow

Chris said:
I have a chpass.pl which is being executed by a change password web
utility page. This script tries to update a password on my Linux
server /etc/shadow with a file permission rw------. My chpass.pl was
set to -rwsr-sr-x ,
with this file permission, I'm getting an error: Can't do setuid,
referer: http://.......
When I set the file permission of the chpass.pl to -rwsr-xr-x , I get
the error: file permission denied by the file /etc/shadow..
When I chmod 777 the /etc/shadow then everything works but I'm sure
it's not safe to do that.. I cannot figure out how could I make this
work with the original file permission of the files shadow and
chpass.pl unchanged for I knew this had been working before with
another machine with almost a copycat of my server.

This is a problem with the setup of your web server; I would guess
that your new machine has a newer version of Apache than the old?

The correct place to ask this is in a group appropriate to your
server; I think if your server is indeed Apache the right answer
involves using suEXEC, but don't take my word for it.

Are you *VERY* sure you *NEED* to do this? You are risking making it
completely trivial for someone to crack your machine. You must have
appropriate safeguards on who can access this web page. Your instinct
that more than 0600 on /etc/shadow is unsafe is sound; but having this
script be runnable by anyone is far more of a security risk. From the
level of your questions, I would (respectfully) suggest you do not
know enough to make this work safely.

Ben
 
Steve Grazzini

Chris said:
I'm a newbie with perl scripts and I'm having
problem running my copied script to my server. Can anybody who is
patient enough to help me with my problem?

This isn't really the right place for this type of question. If
you're having problems installing a script somebody else wrote, you
could ask the author. Or you could ask about setuid scripts in a
newsgroup dedicated to your OS or webserver.

Chris said:
my chpass.pl was
set to -rwsr-sr-x ,
with this file permission, I'm getting an error: Can't do setuid,
referer: http://.......

Perl's error and warning messages are documented in the "perldiag"
manpage.

Can't do setuid
(F) This typically means that ordinary perl tried to exec
suidperl to do setuid emulation, but couldn't exec it. It
looks for a name of the form sperl5.000 in the same directory
that the perl executable resides under the name perl5.000,
typically /usr/local/bin on Unix machines. If the file is
there, check the execute permissions. If it isn't, ask your
sysadmin why he and/or she removed it.

This is kind of cryptic, but there's more info on setuid scripts and
suidperl in the "perlsec" manpage. It's still possible to configure
Perl to do setuid emulation, but this feature has been deprecated,
and will probably be removed in 5.10.
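
A diagnostic sketch for the perldiag explanation above, as an added example that is not part of the original posts: it reads a script's mode string (such as the -rwsr-sr-x and -rwsr-xr-x from the question) and checks whether an executable sperl* sits beside the perl binary. The function names and output wording are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes ls-style mode strings and
# the sperl* naming quoted from perldiag. suidperl was removed in Perl 5.12,
# so on current systems find_suidperl is expected to find nothing.

# mode_flags MODE: list the risky bits in a mode string such as -rwsr-sr-x
mode_flags() {
    mode=$1
    out=""
    case "$(printf %s "$mode" | cut -c4)" in s|S) out="$out setuid" ;; esac
    case "$(printf %s "$mode" | cut -c7)" in s|S) out="$out setgid" ;; esac
    case "$(printf %s "$mode" | cut -c8)" in r) out="$out world-readable" ;; esac
    case "$(printf %s "$mode" | cut -c9)" in w) out="$out world-writable" ;; esac
    printf '%s\n' "${out# }"
}

# find_suidperl PERL: print an executable sperl* beside PERL, or return 1
find_suidperl() {
    dir=$(dirname "$1")
    for f in "$dir"/sperl*; do
        if [ -f "$f" ] && [ -x "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# diagnose SCRIPT PERL: one-line verdict for a script and its interpreter
diagnose() {
    script=$1
    perl=$2
    mode=$(ls -ld "$script" | cut -c1-10)
    case " $(mode_flags "$mode") " in
        *" setuid "*|*" setgid "*)
            if sp=$(find_suidperl "$perl"); then
                echo "$script ($mode): set-id script, emulation through $sp"
            else
                echo "$script ($mode): set-id script, no executable sperl* beside $perl, possible \"Can't do setuid\""
            fi ;;
        *) echo "$script ($mode): not set-id, runs as the calling user" ;;
    esac
}

# Usage: sh check.sh /path/to/chpass.pl /usr/bin/perl
if [ $# -eq 2 ]; then
    diagnose "$1" "$2"
    echo "/etc/shadow flags: $(mode_flags "$(ls -ld /etc/shadow | cut -c1-10)")"
fi
```

Any flag reported for /etc/shadow means the file is more open than the rw------- the question starts from.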
 
Tad McClellan

Chris said:
I'm a newbie with perl scripts


No problem. Everybody has to start somewhere.

I'm having
problem running my copied script to my server.


What server?

Most uses of Perl do not require a server at all, so the least
you could do was tell us what _kind_ of server you are
dealing with: SMTP, NNTP, FTP, HTTP...

I have a chpass.pl which is being executed by a change password web
utility page.


Oh. Must be question about using Perl in the CGI environment then?

Have you already seen what the Perl FAQ has to say about CGI programming?

perldoc -q CGI



The easiest programming is single user on the command line.

CGI programming is a bit more advanced, as it adds issues of
multitasking, security and sometimes performance, that would
not normally need to be considered.

Changing passwords is yet more advanced, but in the area of
Operating Systems, rather than Perl.

Changing passwords through a CGI interface scares me to death!

And that is what you want to take on as your very first
Perl program?

Gulp.


1) Learn Perl before learning a new application area, such as CGI.

2) _Why_ do you think you want this?

It is *profoundly* dangerous you know...
 
Chris

Abigail said:
Chris ([email protected]) wrote on MMMDCCXI September MCMXCIII in
<URL:\\
\\ I'm a newbie with perl scripts
\\
\\ I have a chpass.pl which is being executed by a change password web
\\ utility page.

And what makes you think this is a good idea? Would you let your
kids drive in NASCAR races right after they learned how to use
how to steer?

Well, I'm still a starter, at least I know now..

Abigail said:
Changing passwords via a web interface is a dumb thing to do.
Changing the passwords by directly opening /etc/shadow is dangerous.
Doing that with a program written in a language you just started
to use sounds like a bloody stupid idea to me.

When the password changer works, I'm supposed to make security access on
the web page..it should be only accessed by authorized user.. I still
don't know how but I'll figure it out..
 
Chris

No problem. Everybody has to start somewhere.




What server?

Most uses of Perl do not require a server at all, so the least
you could do was tell us what _kind_ of server you are
dealing with: SMTP, NNTP, FTP, HTTP...

yeah, this is supposed to be dial-up authentication server..

Tad McClellan said:
Oh. Must be question about using Perl in the CGI environment then?

Have you already seen what the Perl FAQ has to say about CGI programming?

perldoc -q CGI



The easiest programming is single user on the command line.

CGI programming is a bit more advanced, as it adds issues of
multitasking, security and sometimes performance, that would
not normally need to be considered.

Changing passwords is yet more advanced, but in the area of
Operating Systems, rather than Perl.

Changing passwords through a CGI interface scares me to death!

And that is what you want to take on as your very first
Perl program?

Gulp.


1) Learn Perl before learning a new application area, such as CGI.

2) _Why_ do you think you want this?

This is what they suggest me so I just need to make it work..

Tad McClellan said:
It is *profoundly* dangerous you know...

Yeah, I agree... I was thinking of making security on the page..
When the password changer works, I'm supposed to make security access on
the web page..it should be only accessed by authorized user.. I still
don't know how but I'll figure it out..
 
Ben Morrow

(e-mail address removed) (Tad McClellan) wrote in message


yeah, this is supposed to be dial-up authentication server..

You seem to be under a common misapprehension of the meaning of 'server':
at least in this group, a server is a program, not a machine. In this
case, the particular server (among the many running on the machine
concerned) which perl will be talking to is an HTTP or web server.

Chris said:
This is what they suggest me so I just need to make it work..

My honest suggestion is that you go back to whomever asked you to do
this and say that you do not think you are competent to write such a
security-critical application yet. The chances are they don't realise
either how important it is to get it right or how many subtle but
fatal mistakes it's only too easy to make.

Chris said:
Yeah, I agree... I was thinking of making security on the page..
When the password changer works, I'm supposed to make security access on
the web page..it should be only accessed by authorized user.. I still
don't know how but I'll figure it out..

You *MUST* make sure only authorized users can access the page before
you make it possible to change the password with it. Test the script
on a different machine, which is either not connected to the network
or is behind a girt big firewall.

Ben
 
