RU.CGI.PERL
------------------------------------------------------------------
 From : yurik shestakov                      2:5020/400    09 Oct 2001 20:47:35
 To   : Denis Poznyakov
 Subject : Re: suid
-------------------------------------------------------------------------------
Denis Poznyakov <Denis.Poznyakov@p8.f160.n450.z2.fidonet.org> wrote:

VVTm>> Hello, All!!!
VVTm>> Folks, does anyone know how to write scripts of the subject kind (suid) in Perl?????

DP> heh :) and you've never written root scripts?? :)))
DP> ...for that kind of thing there's SuEXEC, or a wrapper at worst

Yep, but it's still better to read perldoc perlsec:

========================================================================
Security Bugs

Beyond the obvious problems that stem from giving special privileges to
systems as flexible as scripts, on many versions of Unix, set-id scripts
are inherently insecure right from the start. The problem is a race
condition in the kernel. Between the time the kernel opens the file to
see which interpreter to run and when the (now-set-id) interpreter turns
around and reopens the file to interpret it, the file in question may
have changed, especially if you have symbolic links on your system.

Fortunately, sometimes this kernel "feature" can be disabled.
Unfortunately, there are two ways to disable it. The system can simply
outlaw scripts with any set-id bit set, which doesn't help much.
Alternately, it can simply ignore the set-id bits on scripts. If the
latter is true, Perl can emulate the setuid and setgid mechanism when it
notices the otherwise useless setuid/gid bits on Perl scripts. It does
this via a special executable called suidperl that is automatically
invoked for you if it's needed.

However, if the kernel set-id script feature isn't disabled, Perl will
complain loudly that your set-id script is insecure. You'll need to
either disable the kernel set-id script feature, or put a C wrapper
around the script. A C wrapper is just a compiled program that does
nothing except call your Perl program. Compiled programs are not subject
to the kernel bug that plagues set-id scripts. Here's a simple wrapper,
written in C:

    #include <unistd.h>
    #define REAL_PATH "/path/to/script"

    int main(int argc, char **argv)
    {
        /* Hand the caller's arguments straight to the fixed script path. */
        execv(REAL_PATH, argv);
        return 1;   /* only reached if execv itself fails */
    }

Compile this wrapper into a binary executable and then make it rather
than your script setuid or setgid. See the program wrapsuid in the eg
directory of your Perl distribution for a convenient way to do this
automatically for all your setuid Perl programs. It moves setuid scripts
into files with the same name plus a leading dot, and then compiles a
wrapper like the one above for each of them.
========================================================================

DP> Best regards,
DP> internet-programmer Denis Poznyakov
DP> ICQ: 5915230
DP> http://pvdlab.net
DP> pvdenis@pvdlab.net | pvdenis@yahoo.com
DP> ... rm * -r...BEER II INSIDE

--
// yurik shestakov
--- ifmail v.2.15dev5
 * Origin: Unknown (2:5020/400)
Archive: /ru.cgi.perl/91380366eabf.html