?
Solved

set uid - root - etc

Posted on 2002-04-04
8
Medium Priority
?
206 Views
Last Modified: 2010-04-20
I have written a little utility that I use when I want to make changes to my httpd.conf file.  Now, once that file has been changed I need or course to restart my webserver which I do with
/usr/sbin/server httpd restart
from within the utility, which happens to be written in perl.

The good news, for me at least, is that all works well.  Now, I have been using the utility from the root, and this is why all works well.  But really the utility is secure enough that I could run it from elsewhere without danger.  So, I decided to use setuid, or at least so I thoought.

I did a chmod 4755 on the script, which is of course owned by the root and expected all to work.  It does not.  The files get updated correctly but the restart fails because the server is apparentlky not operating as the root.

How do I make the setuid work the way I need it to.
0
Comment
Question by:lorentg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 150 total points
ID: 6919996
Ahh yes, you've run up against perl's security precautions. The easiest fix is to use sudo to execute the perl code which then doesn't need to be suid. Alternatively you can use a compiled C wrapper that is owned by root and suid.
0
 

Author Comment

by:lorentg
ID: 6921701
Interesting, was not aware of sudo, I will check it out.  However, I still need to understand why even with the -U set in my perl script the system is not actually following the setuid instruction.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6921800
It has to do with built in security precautions in Perl. For the whole story you should read 'perldoc perlsec' for the full story.

Basically the suid bit is being honored, but perl sees that the real and effective UID's differ. And because they differ perl's security check come into play, preventing the script from executing external commands (like via system()) unless special precautions are taken in the script.
0
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

 

Author Comment

by:lorentg
ID: 6923920
but it is letting the external commands happen.  It is just doing them as the wrong user.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6924062
Perhaps I phrased part of that last comment wrong. When perl sees the real and effective UIDs being different, as then will be for a suid case, it will use the real UID when it spawns off any external scripts of programs via system(). This action by perl can be eliminated via one of the methods in perlsec.
0
 

Author Comment

by:lorentg
ID: 6924107
ok, give mne a clue in the rigfht direction please, I am not seeing it
0
 

Expert Comment

by:CleanupPing
ID: 9089101
lorentg:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 9303321
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Accept jlevie's comment as answer.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Cyclops3590
EE Cleanup Volunteer
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses
Course of the Month10 days, 8 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question