Solved

set uid - root - etc

Posted on 2002-04-04
8
198 Views
Last Modified: 2010-04-20
I have written a little utility that I use when I want to make changes to my httpd.conf file.  Now, once that file has been changed I need or course to restart my webserver which I do with
/usr/sbin/server httpd restart
from within the utility, which happens to be written in perl.

The good news, for me at least, is that all works well.  Now, I have been using the utility from the root, and this is why all works well.  But really the utility is secure enough that I could run it from elsewhere without danger.  So, I decided to use setuid, or at least so I thoought.

I did a chmod 4755 on the script, which is of course owned by the root and expected all to work.  It does not.  The files get updated correctly but the restart fails because the server is apparentlky not operating as the root.

How do I make the setuid work the way I need it to.
0
Comment
Question by:lorentg
8 Comments
 
LVL 40

Accepted Solution

by:
jlevie earned 50 total points
ID: 6919996
Ahh yes, you've run up against perl's security precautions. The easiest fix is to use sudo to execute the perl code which then doesn't need to be suid. Alternatively you can use a compiled C wrapper that is owned by root and suid.
0
 

Author Comment

by:lorentg
ID: 6921701
Interesting, was not aware of sudo, I will check it out.  However, I still need to understand why even with the -U set in my perl script the system is not actually following the setuid instruction.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6921800
It has to do with built in security precautions in Perl. For the whole story you should read 'perldoc perlsec' for the full story.

Basically the suid bit is being honored, but perl sees that the real and effective UID's differ. And because they differ perl's security check come into play, preventing the script from executing external commands (like via system()) unless special precautions are taken in the script.
0
 

Author Comment

by:lorentg
ID: 6923920
but it is letting the external commands happen.  It is just doing them as the wrong user.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 40

Expert Comment

by:jlevie
ID: 6924062
Perhaps I phrased part of that last comment wrong. When perl sees the real and effective UIDs being different, as then will be for a suid case, it will use the real UID when it spawns off any external scripts of programs via system(). This action by perl can be eliminated via one of the methods in perlsec.
0
 

Author Comment

by:lorentg
ID: 6924107
ok, give mne a clue in the rigfht direction please, I am not seeing it
0
 

Expert Comment

by:CleanupPing
ID: 9089101
lorentg:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 9303321
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Accept jlevie's comment as answer.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Cyclops3590
EE Cleanup Volunteer
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

In this tutorial I will explain how to make squid prevent malwares in five easy steps: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-…
If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now