Solved

set uid - root - etc

Posted on 2002-04-04
Last Modified: 2010-04-20
I have written a little utility that I use when I want to make changes to my httpd.conf file.  Now, once that file has been changed I need of course to restart my webserver which I do with
/usr/sbin/server httpd restart
from within the utility, which happens to be written in perl.

The good news, for me at least, is that all works well.  Now, I have been using the utility from the root, and this is why all works well.  But really the utility is secure enough that I could run it from elsewhere without danger.  So, I decided to use setuid, or at least so I thought.

I did a chmod 4755 on the script, which is of course owned by the root and expected all to work.  It does not.  The files get updated correctly but the restart fails because the server is apparently not operating as the root.

How do I make the setuid work the way I need it to?
Question by:lorentg
8 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 50 total points
ID: 6919996
Ahh yes, you've run up against perl's security precautions. The easiest fix is to use sudo to execute the perl code which then doesn't need to be suid. Alternatively you can use a compiled C wrapper that is owned by root and suid.
0
 

Author Comment

by:lorentg
ID: 6921701
Interesting, was not aware of sudo, I will check it out.  However, I still need to understand why even with the -U set in my perl script the system is not actually following the setuid instruction.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6921800
It has to do with built-in security precautions in Perl. For the whole story you should read 'perldoc perlsec'.

Basically the suid bit is being honored, but perl sees that the real and effective UIDs differ. And because they differ perl's security checks come into play, preventing the script from executing external commands (like via system()) unless special precautions are taken in the script.
0

Author Comment

by:lorentg
ID: 6923920
But it is letting the external commands happen.  It is just doing them as the wrong user.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6924062
Perhaps I phrased part of that last comment wrong. When perl sees the real and effective UIDs being different, as they will be for a suid case, it will use the real UID when it spawns off any external scripts or programs via system(). This action by perl can be eliminated via one of the methods in perlsec.
0
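
An added example, not part of the original thread: a minimal C wrapper of the kind the accepted answer mentions, which makes the real UID match the effective UID (the mismatch described in the comment above) before executing the restart command from the question. The allow-list, the fixed PATH and the function names are assumptions; the binary is assumed to be installed root-owned with mode 4755 in place of the setuid Perl script.

```c
/* Added example: setuid-root wrapper; install root-owned, mode 4755 (assumption). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Command path and service name exactly as given in the question. */
#define RESTART_CMD "/usr/sbin/server"
#define SERVICE     "httpd"

/* Assumed allow-list: the caller may request only these actions. */
static const char *const ALLOWED[] = { "restart", NULL };

/* Fixed environment (assumed values): nothing from the caller is inherited. */
static char *const CLEAN_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Return 1 only for an exact match against the allow-list. */
int action_allowed(const char *action)
{
    if (action == NULL)
        return 0;
    for (size_t i = 0; ALLOWED[i] != NULL; i++)
        if (strcmp(action, ALLOWED[i]) == 0)
            return 1;
    return 0;
}

/* Returns 2 for a rejected action, 1 on failure; does not return on success. */
int run_action(const char *action)
{
    if (!action_allowed(action))
        return 2;
    /* With effective UID 0, setuid(0) also sets the real and saved UIDs,
       so the child no longer sees real != effective. */
    if (setgid(0) != 0 || setuid(0) != 0) {
        perror("setgid/setuid");
        return 1;
    }
    char *const argv[] = { RESTART_CMD, SERVICE, (char *)action, NULL };
    execve(RESTART_CMD, argv, CLEAN_ENV);   /* absolute path, no shell involved */
    perror("execve");
    return 1;
}

int main(int argc, char **argv)
{
    return run_action(argc == 2 ? argv[1] : NULL);
}
```

The Perl utility would then stay unprivileged and call this wrapper by absolute path with the single argument `restart`.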
 

Author Comment

by:lorentg
ID: 6924107
ok, give me a clue in the right direction please, I am not seeing it
0
 

Expert Comment

by:CleanupPing
ID: 9089101
lorentg:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 9303321
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Accept jlevie's comment as answer.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Cyclops3590
EE Cleanup Volunteer
0
