Interesting Perl bug I hit today

Paul Fenwick pjf at
Thu May 8 00:55:23 CDT 2003


G'day everyone,

	I discovered an interesting Perl bug involving setuid today,
tested under 5.6.1.  The result is that a setuid perl script cannot
call itself without some minor acrobatics.  I put a brief write-up
about this in my diary at <>, but
I've reproduced it below for your reading pleasure.

	See you all at next week's meeting,



Interesting Perl Bug

To see an interesting bug which caused me many headaches, enter the
following script, and mark it setuid. Then run it as any other user
except the owner.

#!/usr/bin/perl -wT
$ENV{PATH} = "";                 # taint mode (-T) insists on a safe PATH before system()
print "Hello World\n";
system($0,"1") unless @ARGV;     # re-invoke ourselves once, still carrying the owner's effective uid

The result is a delightful message about how your kernel has a setuid
script bug which is rather dangerous and easy to exploit... except that
you don't.

Perl is just getting confused because it looks like the interpreter has
been started setuid before it's had a chance to do sanity checking and
invoke suidperl. The result is the inability to have a setuid script
invoke itself. Very bothersome.

The solution is to drop setuid privileges before the script calls itself
again. Conveniently enough, Perl allows us to localise $> (effective
UID), so the following program does work as intended:

#!/usr/bin/perl -wT
$ENV{PATH} = "";                 # taint mode (-T) insists on a safe PATH before system()
print "Hello World\n";
unless (@ARGV) {local $> = $<; system($0,"1");}   # effective uid = real uid only for the duration of the block

Because of the use of local, setuid privileges are only dropped for the
duration of the call to system. Of course, it's usually a good idea to
drop setuid privileges as soon as possible, or only invoke them when you
absolutely have to.

-- 
Paul Fenwick <pjf at> |
Director of Training                   | Ph:  +61 3 9354 6001
Perl Training Australia                | Fax: +61 3 9354 2681
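The pattern from the second script, extended as an added example (not code from the post): a helper that drops both the effective gid and uid to the real ones around the re-invocation, checks that the drop actually took, and reports the ids each side sees. It assumes the script is installed set-id and run by a user other than the owner, as in the post; run_unprivileged, real_gid, eff_gid and ids are names chosen for this example.

```perl
#!/usr/bin/perl -wT
use strict;

# Constructed demo, meant to be installed set-id as in the post.  It re-invokes
# itself through run_unprivileged(), which drops the effective gid and uid to the
# real ones for the duration of the call, the way the post's "local $> = $<" does.
$ENV{PATH} = "";
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # the environment cleanup perlsec recommends for set-id scripts

# $( and $) stringify as "gid group1 group2 ..."; take just the first number.
sub real_gid { my $g = $(; return (split ' ', $g)[0]; }
sub eff_gid  { my $g = $); return (split ' ', $g)[0]; }

sub ids {
    return sprintf "ruid=%d euid=%d rgid=%d egid=%d", $<, $>, real_gid(), eff_gid();
}

# Run @cmd with the invoking user's own ids.  'local' restores the owner's ids
# when the block exits; that restore works because the saved set-user-ID still
# holds the owner's uid, which is also why this is only a temporary drop.
sub run_unprivileged {
    my @cmd = @_;
    local $) = real_gid();   # group first: after the uid drop we may no longer be allowed to change it
    local $> = $<;
    die "privilege drop failed: ", ids(), "\n"
        unless $> == $< && eff_gid() == real_gid();
    return system(@cmd) == 0;
}

if (@ARGV) {
    # The child starts with euid == ruid, so perl's set-id sanity check passes
    # and it hands off to suidperl, which gives the child the owner's euid again.
    print "child:  ", ids(), "\n";
    exit 0;
}

print "parent: ", ids(), "\n";   # euid is the script owner when run set-id
run_unprivileged($0, "child") or die "re-invocation failed: $?\n";
print "back:   ", ids(), "\n";   # effective ids restored to the owner's
```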


More information about the Melbourne-pm mailing list