how to get perl to do root things

Marty Pauley perl at kasei.com
Thu Mar 29 07:12:19 CST 2001


On Wed Mar 28 21:14:31 2001, Russell wrote:
> On Wed, Mar 28, 2001 at 08:31:29PM -0000, Scott McWhirter wrote:
> > anyone have a good link for how to get perl to run certain things like root
> > even when a normal user is running the script? (ndc and cp in particular).
> 
> I have no experience of it, but I'd expect you'd want to run it set uid as
> whoever has permission to correctly run ndc and to copy the files you
> require.
> chmod u+s <file> should do this, if it is owned by the correct user.
> man chmod for more information, or do a web search for set uid / suid
> information.

That won't normally work on any sensible 'nix flavour, like Linux.
Setuid on scripts should be ignored because enabling it can create lots
of security holes.

Since you are using Perl, there is a transparent workaround that will
work.  You need to install suidperl.  Then, when you try to execute your
setuid script, this happens:
1. the kernel has a look at your script to get the interpreter name,
   ignoring the setuid bits;
2. the kernel runs the interpreter (perl) as the normal user;
3. Perl starts up and has a look at your script;  Perl notices the setuid
   bit on the script, does a few sanity checks, and then tries to run
   suidperl instead.
4. the kernel looks at suidperl: it is a binary with setuid, so the
   kernel runs it setuid;
5. suidperl starts up and has a look at your script;  it notices the
   setuid bit and does a seteuid to the script owner;
6. your script runs with the privs of you.

When developing such scripts (any scripts?), make sure you include the
-T flag in the top line: #!/usr/bin/perl -Tw
suidperl automatically enables tainting, but it is better for you if you
explicitly enable it as well.

-- 
Marty
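
For anyone wanting to see what a script written for the arrangement above
looks like, here is an added example (mine, not Marty's, and not from the
original post): a setuid wrapper for the ndc/cp case Scott asked about,
written to survive the -T tainting that suidperl turns on.  It assumes the
script is owned by root and run through suidperl as described, that ndc lives
at /usr/sbin/ndc, and that zone files are staged in /home/dns/zones and copied
into /var/named; all three paths are placeholders to adjust for your system.

```perl
#!/usr/bin/perl -Tw
# Added example, not code from the original post.  A setuid-root wrapper
# that copies one zone file into place and runs "ndc reload", written for
# taint mode so suidperl will accept it.
#
# Assumptions (placeholders, adjust for your system):
#   - this file is owned by root with the setuid bit set, and suidperl
#     is installed so it actually runs with root privileges
#   - ndc is /usr/sbin/ndc
#   - zone files are staged in /home/dns/zones and go live in /var/named
use strict;

my $NDC      = '/usr/sbin/ndc';     # assumed location
my $SRC_DIR  = '/home/dns/zones';   # assumed staging directory
my $DEST_DIR = '/var/named';        # assumed live zone directory

# Under -T, %ENV is tainted and system()/exec() refuse to run until PATH
# is set to something you chose and the shell-influencing variables are
# gone.  Do this first, before any external command.
$ENV{PATH} = '/bin:/usr/bin:/usr/sbin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# If suidperl is missing, the script still runs, but as the caller, and
# the first symptom would be a confusing "permission denied" from cp.
# Check the effective uid so the failure is loud and obvious instead.
$> == 0 or die "not running as root (is suidperl installed?)\n";

die "usage: $0 <zonefile>\n" unless @ARGV == 1;

# Untaint the argument by matching it against a strict whitelist: one path
# component, no slashes, no leading dot (so no "../" and no dotfiles).
# Only data that came out of a capture group loses its taint, so the
# pattern is the whole security check; keep it tight.
my ($zone) = $ARGV[0] =~ /^([A-Za-z0-9][A-Za-z0-9._-]*)\z/
    or die "refusing suspicious zone file name\n";

my $src  = "$SRC_DIR/$zone";
my $dest = "$DEST_DIR/$zone";
-f $src or die "$src: not a regular file\n";

# List-form system() never goes through a shell, so even if the pattern
# above let a metacharacter through it would reach cp as a plain
# argument, not be interpreted.  "--" stops cp treating the name as an
# option.  Always check the return value; a failed copy followed by a
# reload is worse than no reload.
system('/bin/cp', '--', $src, $dest) == 0
    or die "cp failed, exit status " . ($? >> 8) . "\n";
chmod 0644, $dest or die "chmod $dest: $!\n";

system($NDC, 'reload') == 0
    or die "ndc reload failed, exit status " . ($? >> 8) . "\n";

print "installed $zone and reloaded the name server\n";
```

The two things worth copying from it are the order (fix PATH before
anything else, because -T will refuse the first system() otherwise) and the
untainting regexp: the capture group is the only thing that removes the
taint, so make it describe exactly the names you are willing to accept rather
than just "anything without a slash".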

More information about the Belfast-pm mailing list