SetUID

Discussion in 'Perl Misc' started by maylcc, Jun 19, 2009.

  1. maylcc

    maylcc Guest

    I'm having a problem running my copied script to my server. Can anybody
    who is patient enough help me with my problem?

    I have a chpass.pl which is being executed by a change password web
    utility page. This script tries to update a password on my linux
    server /etc/shadow with a file permission rw------.

    My chpass.pl was set to -rwsr-sr-x; with this file permission, I'm
    getting an error: Can't do setuid. When I chmod 777 the /etc/shadow then
    everything works, but I'm sure it's not safe to do that.

    I cannot figure out how I could make this work with the original file
    permission of the files shadow and chpass.pl. Any help would be very much
    appreciated.
    Thanks
     
    maylcc, Jun 19, 2009
    #1

  2. maylcc <> wrote:
    > I'm having problem running my copied script to my server. Can anybody who is
    > patient enough to help me with my problem?


    > I have a chpass.pl which is being executed by a change password web
    > utility page. This script tries to update a password on my linux
    > server /etc/shadow with a file permission rw------.


    Mmmm, sounds like something with a lot of potential security
    risks. Why not let the user change his/her password when
    logged in the normal way? Not everything is suitable for
    being done via a web page...

    > my chpass.pl was set to -rwsr-sr-x , with this file permission, I'm
    > getting an error: Can't do setuid,


    Yes, that's a feature, not a bug. Setuid'ed scripts can be very
    dangerous for a number of reasons and thus Perl doesn't run
    them blindly. But you can get the script to run when you switch
    on taint mode for the script with the -T command line option
    (e.g. by having it in the first line of your script):

    #!/usr/bin/perl -T

    Of course, this will require that your script is written in a
    way that allows it to run in taint mode, e.g. all external
    input must be checked, the environment laundered etc. See

    perldoc perlsec

    for a longer description. But then Perl CGI scripts etc. should
    be run in taint mode anyway to help you avoid the most stupid
    security mistakes;-)

    > When I chmod 777 the /etc/shadow then everything
    > works but I'm sure it's not safe to do that.


    It's definitely not safe! Never do that, /etc/shadow isn't meant
    to be seen by anything but programs that run with root permissions!
    Regards, Jens
    --
    \ Jens Thoms Toerring ___
    \__________________________ http://toerring.de
     
    Jens Thoms Toerring, Jun 19, 2009
    #2
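
The taint-mode requirements named in the post above (check all external input, launder the environment), as an added example that is not part of the original thread. The account-name pattern and the use of `/usr/bin/id` as a harmless stand-in for the real command are assumptions, and the sample inputs are constructed.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Take a zero-length tainted string before the environment is laundered;
# appending it marks the constructed samples below as external input.
my $taint = substr(join('', values %ENV), 0, 0);

# Launder the environment: fixed PATH, drop variables that influence shells.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Accept only a conservative account-name pattern (assumed policy).
# A regex capture is how data gets untainted; anything else is rejected.
sub untaint_username {
    my ($raw) = @_;
    if ($raw =~ /\A([a-z_][a-z0-9_-]{0,31})\z/) {
        return $1;
    }
    return undef;
}

# Constructed sample inputs, as a web form might deliver them.
for my $raw (map { $_ . $taint } 'alice', 'root; id', '../etc/shadow', 'bob_2') {
    my $user = untaint_username($raw);
    if (!defined $user) {
        print "rejected: '$raw'\n";
        next;
    }
    printf "accepted: %s (tainted before: %d, after: %d)\n",
        $user, tainted($raw) ? 1 : 0, tainted($user) ? 1 : 0;
    # List-form system() bypasses the shell, so metacharacters are never parsed.
    system('/usr/bin/id', '-u', '--', $user);
}
```

Run it as `perl -T script.pl` or execute the file directly; Perl refuses a `-T` that appears only on the `#!` line when started as plain `perl script.pl`.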

  3. maylcc

    maylcc Guest

    On Jun 19, 6:45 pm, Ben Morrow <> wrote:
    > Quoth maylcc <>:
    >
    > > I'm having problem running my copied script to my server. Can anybody
    > > who is
    > > patient enough to help me with my problem?

    >
    > > I have a chpass.pl which is being executed by a change password web
    > > utility page. This script tries to update a password on my linux
    > > server /etc/shadow with a file permission rw------.

    >
    > > my chpass.pl was set to -rwsr-sr-x , with this file permission, I'm

    >
    > Why are you trying to run both setuid and setgid?
    >
    > > getting an
    > > error: Can't do setuid, When I chmod 777 the /etc/shadow then
    > > everything
    > > works but I'm sure it's not safe to do that.

    >
    > Please don't take this the wrong way, but I *really* think you shouldn't
    > be trying to write this. You clearly don't know enough about Unix
    > security to have any chance of getting it right. For a start, you should
    > *never* be trying to run a CGI script as root.
    >
    > The error you are getting is because you are on a system which doesn't
    > have secure setid scripts (or where perl doesn't know you have them),
    > and you don't have suidperl installed. This is the case for an ordinary
    > perl install on BSD, for example. You should turn off the setid bits on
    > the script, as they are not going to do anything useful.
    >
    > If you insist on writing this, you need to find some way to change the
    > password without writing to /etc/shadow directly. Running passwd(1)
    > under sudo might be one way, assuming you can grant yourself the
    > appropriate sudo rights.
    >
    > Ben


    Thanks for your reply. I am trying to implement a test password script
    which accepts user id and password and uses these parameters to auth
    against the server (linux) /etc/passwd and shadow. Any suggestion?
     
    maylcc, Jun 19, 2009
    #3
  4. maylcc

    maylcc Guest

    On Jun 19, 6:30 pm, (Jens Thoms Toerring) wrote:
    > maylcc <> wrote:
    > > I'm having problem running my copied script to my server. Can anybody who is
    > > patient enough to help me with my problem?
    > > I have a chpass.pl which is being executed by a change password web
    > > utility page. This script tries to update a password on my linux
    > > server /etc/shadow with a file permission rw------.

    >
    > Mmmm, sounds like something with a lot of potential security
    > risks. Why not let the user change his/her password when
    > logged in the normal way? Not everything is suitable for
    > being done via a web page...
    >
    > > my chpass.pl was set to -rwsr-sr-x , with this file permission, I'm
    > > getting an error: Can't do setuid,

    >
    > Yes, that's a feature, not a bug. Setuid'ed scripts can be very
    > dangerous for a number of reasons and thus Perl doesn't run
    > them blindly. But you can get the script to run when you switch
    > on taint mode for the script with the -T command line option
    > (e.g. by having it in the first line of your script):
    >
    > #!/usr/bin/perl -T
    >
    > Of course, this will require that your script is written in a
    > way that allows it to run in taint mode, e.g. all external
    > input must be checked, the environment laundered etc. See
    >
    > perldoc perlsec
    >
    > for a longer description. But then Perl CGI scripts etc. should
    > be run in taint mode anyway to help you avoid the most stupid
    > security mistakes;-)
    >
    > > When I chmod 777 the /etc/shadow then everything
    > > works but I'm sure it's not safe to do that.

    >
    > It's definitely not safe! Never do that, /etc/shadow isn't meant
    > to be seen by anything but programs that run with root permissions!
    >                               Regards, Jens
    > --
    >   \   Jens Thoms Toerring  ___      
    >    \__________________________      http://toerring.de


    Thanks for your reply. I am trying to implement a test password script
    which accepts user id and password and uses these parameters to auth
    against the server (linux) /etc/passwd and shadow. Any suggestion?
     
    maylcc, Jun 19, 2009
    #4
  5. Ben Morrow <> wrote:
    > Quoth (Jens Thoms Toerring):
    > > maylcc <> wrote:
    > > > my chpass.pl was set to -rwsr-sr-x , with this file permission, I'm
    > > > getting an error: Can't do setuid,

    > >
    > > Yes, that's a feature, not a bug. Setuid'ed scripts can be very
    > > dangerous for a number of reasons and thus Perl doesn't run
    > > them blindly. But you can get the script to run when you switch
    > > on taint mode for the script with the -T command line option
    > > (e.g. by having it in the first line of your script):
    > >
    > > #!/usr/bin/perl -T


    Sorry for spewing nonsense! I thought I remembered something
    like that, did a fast test and things seemed to work for some
    reason... I guess I'd better not post while still having a bit
    of a temperature;-)
    Regards, Jens
    --
    \ Jens Thoms Toerring ___
    \__________________________ http://toerring.de
     
    Jens Thoms Toerring, Jun 19, 2009
    #5
  6. On 2009-06-19 10:59, maylcc <> wrote:
    > thanks for your reply. i am trying to implement a test password script
    > which accepts user id and password and using these parameters to auth
    > against the server (linux) /etc/passwd and shadow. any suggestion?


    Take a look at saslauthd. It is intended for exactly this situation
    where a non-privileged process needs to check whether a supplied
    password is correct. There is even a perl module for it:
    http://search.cpan.org/dist/Authen-SASL-Authd/

    hp
     
    Peter J. Holzer, Jun 19, 2009
    #6
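
How an unprivileged process can ask saslauthd to check a password, as an added example that is not part of the original thread: it speaks the daemon's socket protocol directly rather than using the CPAN module linked above. The socket path and the service name `login` are assumptions, and the stand-in daemon and credentials are constructed so the script runs without a real saslauthd.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket;
use IO::Handle;

# Request: login, password, service, realm, each sent as a 16-bit
# big-endian length followed by the bytes.
sub encode_request { return join '', map { pack 'n/a*', $_ } @_[0 .. 3] }

# Read one length-prefixed string from the socket; undef on a short read.
sub read_field {
    my ($sock) = @_;
    my $n = read($sock, my $len, 2);
    return undef unless defined $n && $n == 2;
    my $want = unpack 'n', $len;
    return '' if $want == 0;
    $n = read($sock, my $text, $want);
    return (defined $n && $n == $want) ? $text : undef;
}

# True only when the daemon answers with a string starting "OK".
sub check_password {
    my ($sock, $login, $password, $service, $realm) = @_;
    print {$sock} encode_request($login, $password, $service, $realm);
    $sock->flush;
    my $reply = read_field($sock);
    return (defined $reply && $reply =~ /\AOK/) ? 1 : 0;
}

# Real use (socket path is an assumption; it varies by distribution):
#   use IO::Socket::UNIX;
#   my $sock = IO::Socket::UNIX->new(Peer => '/var/run/saslauthd/mux') or die $!;
for my $try (['alice', 'correct horse'], ['alice', 'wrong'], ['root', '']) {
    socketpair(my $client, my $daemon, AF_UNIX, SOCK_STREAM, PF_UNSPEC) or die $!;
    my $pid = fork() // die "fork: $!";
    if ($pid == 0) {                      # constructed stand-in daemon
        close $client;
        my @f = map { read_field($daemon) // '' } 1 .. 4;
        my $ok = $f[0] eq 'alice' && $f[1] eq 'correct horse';
        print {$daemon} pack 'n/a*', $ok ? 'OK' : 'NO';
        exit 0;
    }
    close $daemon;
    my $ok = check_password($client, @$try, 'login', '');
    waitpid $pid, 0;
    printf "%-6s %-15s => %s\n", $try->[0], "'$try->[1]'", $ok ? 'accepted' : 'rejected';
}
```

The web-facing script needs only access to the saslauthd socket, so neither it nor `/etc/shadow` has to change ownership or mode.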
  7. maylcc

    J. Gleixner Guest

    maylcc wrote:
    [...]
    > thanks for your reply. i am trying to implement a test password script
    > which accepts user id and password and using these parameters to auth
    > against the server (linux) /etc/passwd and shadow. any suggestion?


    First you say you want to update a password on a Linux server, now
    you're saying you want to auth[enticate] against the server?

    If you want to verify authentication, forget about /etc/passwd
    and simply authenticate using telnet/ssh/whatever, provided
    they have shell access.

    You could also build an htpasswd file, based on /etc/shadow,
    and use HTTP authentication.

    If you're trying to build a Web interface to set shell
    passwords, without some form of pre-authentication, you're asking
    for trouble. The first thing JoeHacker will do is put in
    'root', or your username, and some password, then your
    server is toast.
     
    J. Gleixner, Jun 22, 2009
    #7