  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 212

set uid - root - etc

I have written a little utility that I use when I want to make changes to my httpd.conf file.  Now, once that file has been changed I need of course to restart my webserver which I do with
/usr/sbin/server httpd restart
from within the utility, which happens to be written in perl.

The good news, for me at least, is that all works well.  Now, I have been using the utility from the root, and this is why all works well.  But really the utility is secure enough that I could run it from elsewhere without danger.  So, I decided to use setuid, or at least so I thought.

I did a chmod 4755 on the script, which is of course owned by the root and expected all to work.  It does not.  The files get updated correctly but the restart fails because the server is apparently not operating as the root.

How do I make the setuid work the way I need it to?
Asked by: lorentg
1 Solution
 
jlevie Commented:
Ahh yes, you've run up against perl's security precautions. The easiest fix is to use sudo to execute the perl code which then doesn't need to be suid. Alternatively you can use a compiled C wrapper that is owned by root and suid.
 
lorentg (Author) Commented:
Interesting, was not aware of sudo, I will check it out.  However, I still need to understand why even with the -U set in my perl script the system is not actually following the setuid instruction.
 
jlevie Commented:
It has to do with built-in security precautions in Perl. For the whole story you should read 'perldoc perlsec'.

Basically the suid bit is being honored, but perl sees that the real and effective UIDs differ. And because they differ perl's security checks come into play, preventing the script from executing external commands (like via system()) unless special precautions are taken in the script.
 
lorentg (Author) Commented:
But it is letting the external commands happen.  It is just doing them as the wrong user.
 
jlevie Commented:
Perhaps I phrased part of that last comment wrong. When perl sees the real and effective UIDs being different, as they will be for a suid case, it will use the real UID when it spawns off any external scripts or programs via system(). This action by perl can be eliminated via one of the methods in perlsec.
 
lorentg (Author) Commented:
OK, give me a clue in the right direction please, I am not seeing it.
 
CleanupPing Commented:
lorentg:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
 
Cyclops3590 Commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Accept jlevie's comment as answer.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Cyclops3590
EE Cleanup Volunteer