Setuid problems with perl 5.8.4?

Roy Smith

I've got a perl script that runs setuid root. It used to run just fine
under perl 5.00503 (on RedHat 6.1 linux).

I recently upgraded to perl 5.8.4 and now it's behaving as if it were
not setuid. It doesn't print any errors, but acts as if it were not
setuid. Has anything changed between those two versions which might
affect setuid behavior?
 
David Efflandt

> I've got a perl script that runs setuid root. It used to run just fine
> under perl 5.00503 (on RedHat 6.1 linux).
>
> I recently upgraded to perl 5.8.4 and now it's behaving as if it were
> not setuid. It doesn't print any errors, but acts as if it were not
> setuid. Has anything changed between those two versions which might
> affect setuid behavior?

Due to security concerns, suidperl for recent Perl versions is not suid by
default, but you could likely make it so if you understand the risks (and
perldoc perlsec). Or you could use an suid binary (like C) wrapper to run
that particular script.

Of course running anything suid will not run directly under apache suexec,
due to its safeguards (but could work indirectly).
 
Ben Morrow

Quoth (e-mail address removed) (David Efflandt):
> Due to security concerns, suidperl for recent Perl versions is not suid by
> default, but you could likely make it so if you understand the risks (and
> perldoc perlsec). Or you could use an suid binary (like C) wrapper to run
> that particular script.
>
> Of course running anything suid will not run directly under apache suexec,
> due to its safeguards (but could work indirectly).

Surely under modern systems with safe setid scripts (i.e. with /dev/fd)
suidperl doesn't come into it any more?

$ su
# cat > suid
#!/usr/bin/perl

print $<, ',', $>, "\n";
^D
# chmod 4755 suid
# ^D
$ ./suid
1000,0
$

OTOH, if your script *does* use suidperl, then you can simply change it
to using ordinary perl instead. As I understand (but I am certainly no
expert) this is safer than having a setid suidperl executable.

Ben
 
