trouble writing a setuid script

[Peter Michaux]

Hi,

I'm trying to write a setuid script and can't make it happen. I've
trimmed it down to the very simple example below trying to have a
logger.pl script add a message to a log file. This is my Bash
transcript with all the pertinent details.

$ ls -Al
total 8
-rw-r--r-- 1 root wheel 0 29 Aug 23:52 log
-rwsr-xr-x 1 root wheel 145 29 Aug 23:52 logger.pl*
$ cat log
$ cat logger.pl
#!/usr/bin/perl -w

use strict;
use warnings;

my $FILE;
open(FILE, ">> log") or die "couldn't open: ";
print(FILE "hello, world");
close(FILE);
$ whoami
peter
$ ./logger.pl
couldn't open: at ./logger.pl line 7.
$ sudo ./logger.pl
Password:
$ cat log
hello, world

So the script works when I "sudo" but not when the script runs as my
normal "peter" user.

Any ideas why it doesn't work and what I need to change?

(I don't run into any errors when writing the same program in C.)

Thanks,
Peter

 

[magloca]

Peter Michaux @ Saturday 30 August 2008 09:07:

Hi,

I'm trying to write a setuid script and can't make it happen. I've
trimmed it down to the very simple example below trying to have a
logger.pl script add a message to a log file. This is my Bash
transcript with all the pertinent details. [code snipped]
(I don't run into any errors when writing the same program in C.)

Yeah, I tried to do something like that once, too. Turned out the setuid
flag is ignored on scripts; it's only allowed on (binary) executables.
So that's also why your compiled C program works.

m.

 

[Peter Michaux]

Peter Michaux @ Saturday 30 August 2008 09:07:

Hi,

I'm trying to write a setuid script and can't make it happen. I've
trimmed it down to the very simple example below trying to have a
logger.pl script add a message to a log file. This is my Bash
transcript with all the pertinent details. [code snipped]
(I don't run into any errors when writing the same program in C.)

Yeah, I tried to do something like that once, too. Turned out the setuid
flag is ignored on scripts; it's only allowed on (binary) executables.
So that's also why your compiled C program works.

It seems it must be possible to write a setuid script because there is
a lot of fuss about it in "perldoc perlsec" which is also part of the
camel book.

Peter

 

[Joost Diepenmaat]

It seems it must be possible to write a setuid script because there is
a lot of fuss about it in "perldoc perlsec" which is also part of the
camel book.

It's possible, but IIRC "most" linux systems ignore suid bits on
scripts. Not sure about other *nixes.

 

[Grant]

Peter Michaux @ Saturday 30 August 2008 09:07:

Hi,

I'm trying to write a setuid script and can't make it happen. I've
trimmed it down to the very simple example below trying to have a
logger.pl script add a message to a log file. This is my Bash
transcript with all the pertinent details. [code snipped]
(I don't run into any errors when writing the same program in C.)

Yeah, I tried to do something like that once, too. Turned out the setuid
flag is ignored on scripts; it's only allowed on (binary) executables.
So that's also why your compiled C program works.

It seems it must be possible to write a setuid script because there is
a lot of fuss about it in "perldoc perlsec" which is also part of the
camel book.

Just add a C wrapper to call the script, something like:

#!/bin/bash
set -x
rm -f $1.c
rm -f ../$1.cgi
rm -f $1.cgi

echo "main () {
execl (\"$PWD/$1\", \"$1\", (char *)0 );
printf(\"Content-type: text/plain\\n\\n\");
printf(\"$1.cgi: fatal - failed to start $1, wait, then refresh.\\n\");
}
" > $1.c

gcc $1.c -o $1.cgi
strip -s $1.cgi
chmod 04555 $1.cgi
mv $1.cgi ../
rm -f $1.c

Grant.

 

[Jürgen Exner]

It seems it must be possible to write a setuid script [...]

Yes, it is. The question is, if you _OS_ will execute scripts as SUID or
not. This applies to any script, not just scripts written in Perl.

jue