Interesting Perl bug I hit today

Paul Fenwick pjf at perltraining.com.au
Thu May 8 00:55:23 CDT 2003



G'day everyone,

	I discovered an interesting Perl bug involving setuid today,
tested under 5.6.1.  The result is that a setuid perl script cannot
call itself without some minor acrobatics.  I put a brief write-up
about this in my diary at <http://advogato.net/person/pjf>, but
I've reproduced it below for your reading pleasure.

	See you all at next week's meeting,

		Paul

(From http://advogato.net/person/pjf/)

Interesting Perl Bug

To see an interesting bug which caused me many headaches, enter the
following script, and mark it setuid. Then run it as any other user
except the owner.

#!/usr/bin/perl -wT
$ENV{PATH} = "";
print "Hello World\n";
system($0,"1") unless @ARGV;

The result is a delightful message about how your kernel has a setuid
script bug which is rather dangerous and easy to exploit... except that
you don't

Perl is just getting confused because it looks like the interpreter has
been started setuid before it's had a chance to do sanity checking and
invoke suidperl. The result is the inability to have a setuid script
invoke itself. Very bothersome.

The solution is to drop setuid privileges before the script calls itself
again. Conveniently enough, Perl allows us to localise $> (effective
UID), so the following program does work as intended:

#!/usr/bin/perl -wT
$ENV{PATH} = "";
print "Hello World\n";
unless (@ARGV) {local $> = $<; system($0,"1");}

Because of the use of local, setuid privileges are only dropped for the
duration of the call to system. Of course, it's usually a good idea to
drop setuid privileges as soon as possible, or only invoke them when you
absolutely have to.

-- 
Paul Fenwick <pjf at perltraining.com.au> | http://perltraining.com.au/
Director of Training                   | Ph:  +61 3 9354 6001
Perl Training Australia                | Fax: +61 3 9354 2681
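The same self-invoking setuid script, restructured the way the post's closing advice suggests: the elevated effective UID is used in one marked place, dropped immediately afterwards with an explicit check, and the child is started with a sanitised environment. This is a constructed example added here, not Paul's code; the privileged_work and drop_effective_uid subroutines and the "child" argument are my own names.

```perl
#!/usr/bin/perl -wT
use strict;

# Constructed example (not the original post's code): the same self-invoking
# setuid script, with the elevated effective UID used only in one clearly
# marked place, dropped right after with an explicit check, and the child
# run with a sanitised environment.

$ENV{PATH} = "";                             # taint mode (-T) insists on this
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};    # other variables a shell honours

sub privileged_work {
    # Whatever genuinely needs the owner's UID goes here, and nothing else.
    return "did privileged work as effective uid $>";
}

sub drop_effective_uid {
    # $> = $< sets only the effective UID (the saved set-user-ID is untouched),
    # which is what makes the child start with ruid == euid and avoids perl's
    # "setuid script bug" complaint.  Always confirm the assignment took.
    $> = $<;
    die "could not drop effective uid: euid=$> ruid=$<\n" unless $> == $<;
}

if (@ARGV) {
    # Child invocation: already unprivileged, must not recurse again.
    print "child: real uid $<, effective uid $>, args @ARGV\n";
    exit 0;
}

print "parent: real uid $<, effective uid $>\n";
print privileged_work(), "\n" if $> != $<;   # skip if not running setuid at all
drop_effective_uid();

# Re-invoke ourselves with an argument so the child takes the branch above.
# system() with a list never involves a shell, so $0 is passed as-is.
my $rc = system($0, "child");
die "re-invocation failed: exit status ", $rc >> 8, "\n" if $rc != 0;
```

Unlike the local() version in the post, the drop is not scoped, so anything the script does after the system() call also runs without the raised effective UID.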
