Solved

set uid - root - etc

Posted on 2002-04-04
Last Modified: 2010-04-20
I have written a little utility that I use when I want to make changes to my httpd.conf file.  Now, once that file has been changed I need of course to restart my webserver which I do with
/usr/sbin/server httpd restart
from within the utility, which happens to be written in perl.

The good news, for me at least, is that all works well.  Now, I have been using the utility from the root, and this is why all works well.  But really the utility is secure enough that I could run it from elsewhere without danger.  So, I decided to use setuid, or at least so I thought.

I did a chmod 4755 on the script, which is of course owned by the root and expected all to work.  It does not.  The files get updated correctly but the restart fails because the server is apparently not operating as the root.

How do I make the setuid work the way I need it to?
Question by:lorentg
8 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 50 total points
ID: 6919996
Ahh yes, you've run up against perl's security precautions. The easiest fix is to use sudo to execute the perl code which then doesn't need to be suid. Alternatively you can use a compiled C wrapper that is owned by root and suid.

Author Comment

by:lorentg
ID: 6921701
Interesting, was not aware of sudo, I will check it out.  However, I still need to understand why even with the -U set in my perl script the system is not actually following the setuid instruction.
LVL 40

Expert Comment

by:jlevie
ID: 6921800
It has to do with built in security precautions in Perl. For the whole story you should read 'perldoc perlsec' for the full story.

Basically the suid bit is being honored, but perl sees that the real and effective UIDs differ. And because they differ perl's security checks come into play, preventing the script from executing external commands (like via system()) unless special precautions are taken in the script.

Author Comment

by:lorentg
ID: 6923920
But it is letting the external commands happen.  It is just doing them as the wrong user.
LVL 40

Expert Comment

by:jlevie
ID: 6924062
Perhaps I phrased part of that last comment wrong. When perl sees the real and effective UIDs being different, as they will be for a suid case, it will use the real UID when it spawns off any external scripts or programs via system(). This action by perl can be eliminated via one of the methods in perlsec.

Author Comment

by:lorentg
ID: 6924107
OK, give me a clue in the right direction please, I am not seeing it.

Expert Comment

by:CleanupPing
ID: 9089101
lorentg:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
LVL 25

Expert Comment

by:Cyclops3590
ID: 9303321
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Accept jlevie's comment as answer.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Cyclops3590
EE Cleanup Volunteer