how to change the effective UID

Discussion in 'Perl Misc' started by Daneel Yaitskov, Jul 20, 2008.

  1. Hi,


    I can't change the EUID of a perl process which performs a perl script.
    I used the manual perlsec and wrote the script:

    #!/usr/bin/perl
    use English;

    $EUID = 0;
    open(THEFILE, ">/var/log/messages") || die "can't open file";
    print "The file was opened\n";
    #end of the script

    The script file has the rights:
    $chown root:root test.pl
    $chmod a+xs test.pl
    The script gives the error "can't open file"


    Daneel
    Daneel Yaitskov, Jul 20, 2008
    #1

  2. On Sun, 20 Jul 2008 19:07:29 +0400, Daneel Yaitskov wrote:

    > Hi,
    >
    >
    > I can't change the EUID of a perl process which performs a perl script.
    > I used the manual perlsec and wrote the script:
    >
    > #!/usr/bin/perl
    > use English;
    >
    > $EUID = 0;


    After setting $EUID, you should always check $! (also known as $ERRNO
    when using English) for errors. What does it say?

    > open(THEFILE, ">/var/log/messages") || die "can't open file"; print "The
    > file was opened\n";


    Here again, you should always include $! in the error string. It will
    tell you why it couldn't open the file.

    Regards,

    Leon Timmermans
    Leon Timmermans, Jul 20, 2008
    #2

  3. Leon Timmermans wrote:
    > On Sun, 20 Jul 2008 19:07:29 +0400, Daneel Yaitskov wrote:
    >
    >> Hi,
    >>
    >>
    >> I can't change the EUID of a perl process which performs a perl script.
    >> I used the manual perlsec and wrote the script:
    >>
    >> #!/usr/bin/perl
    >> use English;
    >>
    >> $EUID = 0;

    >
    > After setting $EUID, you should always check $! (also known as $ERRNO
    > when using English) for errors. What does it say?
    >
    >> open(THEFILE, ">/var/log/messages") || die "can't open file"; print "The
    >> file was opened\n";

    >
    > Here again, you should always include $! in the error string. It will
    > tell you why it couldn't open the file.
    >
    > Regards,
    >
    > Leon Timmermans


    I have inserted the line "print "Result: $!\n";" after the line "$EUID =
    0;". Trace command has printed "Operation not permitted".

    What is CLPM?
    Daneel Yaitskov, Jul 20, 2008
    #3
  4. Leon Timmermans wrote:
    > In that case the problem seems to be that you're not running as root.

    Ho! The suid flag exists so that a process with the normal rights could
    take the super rights.

    In short, I have taken luck. The perl printed the notice, suid isn't
    supported, to me when I had set the suid to $(which perl). It offered
    the following variants:

    1) to use a wrap in C
    2) to start the perl with the -u option (dump) and then to generate the
    true program from the dump with the help of the undump program.


    Daneel
    Daneel Yaitskov, Jul 21, 2008
    #4
  5. Sherman Pendley wrote:
    > Many operating systems don't allow setuid scripts for security
    > reasons. Have you tried checking the value of $< to see if you're
    > *really* running as root? Have you tried running your script with sudo
    > or su, to see if it behaves correctly that way?
    >
    > sherm--
    >


    The script works well with the super rights. I found a solution to the
    problem. See my answer to Leon Timmermans above.

    Daneel
    Daneel Yaitskov, Jul 21, 2008
    #5
  6. Quoth Daneel Yaitskov <>:
    > Leon Timmermans wrote:
    > > In that case the problem seems to be that you're not running as root.

    > Ho! The suid flag exists so that a process with the normal rights could
    > take the super rights.
    >
    > In short, I have taken luck. The perl printed the notice, suid isn't
    > supported, to me when I had set the suid to $(which perl). It offered
    > the following variants:


    Yow! *DON'T* make /usr/bin/perl set-uid. That would be a major security
    problem.

    Are you sure you ought to be writing programs which run setid? I think
    you should learn a little more about writing secure systems before you
    start randomly making things setuid root.

    > 1) to use a wrap in C
    > 2) to start the perl with the -u option (dump) and then to generate the
    > true program from the dump with the help of the undump program.


    If your system doesn't support setid scripts (because of a long-standing
    kernel security hole), you can use suidperl to emulate them. But, again,
    you *really* need to better understand the security implications of what
    you are doing before you try this.

    Ben

    --
    The Earth is degenerating these days. Bribery and corruption abound.
    Children no longer mind their parents, every man wants to write a book,
    and it is evident that the end of the world is fast approaching.
    Assyrian stone tablet, c.2800 BC
    Ben Morrow, Jul 21, 2008
    #6
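
A hardened form of the "wrap in C" option raised in the thread, as an added example that is not part of any post and is not code from perlsec. PERL_PATH, SCRIPT_PATH and the helper script_is_trusted are assumptions made for illustration; the setuid bit goes on the compiled wrapper only, never on test.pl or /usr/bin/perl.

```c
/* Added example: setuid-root wrapper that runs exactly one fixed Perl script.
 * Paths below are assumed install locations, not taken from the thread. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PERL_PATH   "/usr/bin/perl"
#define SCRIPT_PATH "/usr/local/sbin/test.pl"   /* hypothetical path */

/* Fixed environment: nothing from the caller (PATH, PERL5LIB, ...) survives. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Return 1 only if `path` is a regular file owned by `owner` that group and
 * others cannot write. Anything else means an unprivileged user may be able
 * to swap the code that is about to run with elevated rights. */
int script_is_trusted(const char *path, uid_t owner)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 0;             /* missing or unreachable */
    if (!S_ISREG(st.st_mode)) return 0;              /* rejects symlinks, dirs */
    if (st.st_uid != owner) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;  /* writable by others */
    return 1;
}

int main(void)
{
    /* Assumes the directories above SCRIPT_PATH are root-owned and not
     * writable by others, so the file cannot be replaced after this check. */
    if (!script_is_trusted(SCRIPT_PATH, 0)) {
        fprintf(stderr, "wrapper: refusing to run %s\n", SCRIPT_PATH);
        return 1;
    }
    /* -T forces taint mode; caller arguments are deliberately not forwarded. */
    char *const args[] = { PERL_PATH, "-T", SCRIPT_PATH, NULL };
    execve(PERL_PATH, args, clean_env);
    perror("wrapper: execve");                       /* reached only on failure */
    return 1;
}
```

Because the wrapper already runs with effective UID 0, the script no longer needs to assign to $EUID at all.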
  7. Daneel Yaitskov <> writes:

    > I can't change the EUID of a perl process which performs a perl script.
    > I used the manual perlsec and wrote the script:
    >
    > #!/usr/bin/perl
    > use English;
    >
    > $EUID = 0;
    > open(THEFILE, ">/var/log/messages") || die "can't open file";


    Eek

    Why do you want to clobber logs not related to your program?

    Why don't you use logger (or the Perl module equivalent) to send logs?


    --
    Dominique Dumont
    "Delivering successful solutions requires giving people what they
    need, not what they want." Kurt Bittner
    Dominique Dumont, Jul 30, 2008
    #7
