SetUID

 
 
maylcc
      06-19-2009
I'm having a problem running my copied script to my server. Can anybody who is
patient enough help me with my problem?

I have a chpass.pl which is being executed by a change password web
utility page. This script tries to update a password on my linux
server /etc/shadow with a file permission rw------.

My chpass.pl was set to -rwsr-sr-x, with this file permission, I'm
getting an error: Can't do setuid. When I chmod 777 the /etc/shadow then
everything works but I'm sure it's not safe to do that.

I cannot figure out how I could make this work with the original file
permission of the files shadow and chpass.pl. Any help would be very much
appreciated.
Thanks
 
Jens Thoms Toerring
      06-19-2009
maylcc <(E-Mail Removed)> wrote:
> I'm having a problem running my copied script to my server. Can anybody who is
> patient enough help me with my problem?

> I have a chpass.pl which is being executed by a change password web
> utility page. This script tries to update a password on my linux
> server /etc/shadow with a file permission rw------.


Mmmm, sounds like something with a lot of potential security
risks. Why not let the user change his/her password when
logged in the normal way? Not everything is suitable for
being done via a web page...

> my chpass.pl was set to -rwsr-sr-x , with this file permission, I'm
> getting an error: Can't do setuid,


Yes, that's a feature, not a bug. Setuid'ed scripts can be very
dangerous for a number of reasons and thus Perl doesn't run
them blindly. But you can get the script to run when you switch
on taint mode for the script with the -T command line option
(e.g. by having it in the first line of your script):

#!/usr/bin/perl -T

Of course, this will require that your script is written in a
way that allows it to run in taint mode, e.g. all external
input must be checked, the environment laundered etc. See

perldoc perlsec

for a longer description. But then Perl CGI scripts etc. should
be run in taint mode anyway to help you avoid the most stupid
security mistakes

> When I chmod 777 the /etc/shadow then everything
> works but I'm sure it's not safe to do that.


It's definitely not safe! Never do that, /etc/shadow isn't meant
to be seen by anything but programs that run with root permissions!
Regards, Jens
--
\ Jens Thoms Toerring ___ (E-Mail Removed)
\__________________________ http://toerring.de
 
maylcc
      06-19-2009
On Jun 19, 6:45 pm, Ben Morrow <(E-Mail Removed)> wrote:
> Quoth maylcc <(E-Mail Removed)>:
>
> > I'm having a problem running my copied script to my server. Can anybody
> > who is patient enough help me with my problem?
>
> > I have a chpass.pl which is being executed by a change password web
> > utility page. This script tries to update a password on my linux
> > server /etc/shadow with a file permission rw------.
>
> > my chpass.pl was set to -rwsr-sr-x , with this file permission, I'm
>
> Why are you trying to run both setuid and setgid?
>
> > getting an
> > error: Can't do setuid, When I chmod 777 the /etc/shadow then
> > everything
> > works but I'm sure it's not safe to do that.

>
> Please don't take this the wrong way, but I *really* think you shouldn't
> be trying to write this. You clearly don't know enough about Unix
> security to have any chance of getting it right. For a start, you should
> *never* be trying to run a CGI script as root.
>
> The error you are getting is because you are on a system which doesn't
> have secure setid scripts (or where perl doesn't know you have them),
> and you don't have suidperl installed. This is the case for an ordinary
> perl install on BSD, for example. You should turn off the setid bits on
> the script, as they are not going to do anything useful.
>
> If you insist on writing this, you need to find some way to change the
> password without writing to /etc/shadow directly. Running passwd(1)
> under sudo might be one way, assuming you can grant yourself the
> appropriate sudo rights.
>
> Ben


Thanks for your reply. I am trying to implement a test password script
which accepts user id and password and uses these parameters to auth
against the server (linux) /etc/passwd and shadow. Any suggestion?



 
maylcc
      06-19-2009
On Jun 19, 6:30 pm, (E-Mail Removed) (Jens Thoms Toerring) wrote:
> maylcc <(E-Mail Removed)> wrote:
> > I'm having a problem running my copied script to my server. Can anybody who is
> > patient enough help me with my problem?
> > I have a chpass.pl which is being executed by a change password web
> > utility page. This script tries to update a password on my linux
> > server /etc/shadow with a file permission rw------.

>
> Mmmm, sounds like something with a lot of potential security
> risks. Why not let the user change his/her password when
> logged in the normal way? Not everything is suitable for
> being done via a web page...
>
> > my chpass.pl was set to -rwsr-sr-x , with this file permission, I'm
> > getting an error: Can't do setuid,

>
> Yes, that's a feature, not a bug. Setuid'ed scripts can be very
> dangerous for a number of reasons and thus Perl doesn't run
> them blindly. But you can get the script to run when you switch
> on taint mode for the script with the -T command line option
> (e.g. by having it in the first line of your script):
>
> #!/usr/bin/perl -T
>
> Of course, this will require that your script is written in a
> way that allows it to run in taint mode, e.g. all external
> input must be checked, the environment laundered etc. See
>
> perldoc perlsec
>
> for a longer description. But then Perl CGI scripts etc. should
> be run in taint mode anyway to help you avoid the most stupid
> security mistakes
>
> > When I chmod 777 the /etc/shadow then everything
> > works but I'm sure it's not safe to do that.

>
> It's definitely not safe! Never do that, /etc/shadow isn't meant
> to be seen by anything but programs that run with root permissions!
> Regards, Jens
> --
> \ Jens Thoms Toerring ___ (E-Mail Removed)
> \__________________________ http://toerring.de


Thanks for your reply. I am trying to implement a test password script
which accepts user id and password and uses these parameters to auth
against the server (linux) /etc/passwd and shadow. Any suggestion?

 
Jens Thoms Toerring
      06-19-2009
Ben Morrow <(E-Mail Removed)> wrote:
> Quoth (E-Mail Removed) (Jens Thoms Toerring):
> > maylcc <(E-Mail Removed)> wrote:
> > > my chpass.pl was set to -rwsr-sr-x , with this file permission, I'm
> > > getting an error: Can't do setuid,

> >
> > Yes, that's a feature, not a bug. Setuid'ed scripts can be very
> > dangerous for a number of reasons and thus Perl doesn't run
> > them blindly. But you can get the script to run when you switch
> > on taint mode for the script with the -T command line option
> > (e.g. by having it in the first line of your script):
> >
> > #!/usr/bin/perl -T


Sorry for spewing nonsense! I thought I remembered something
like that, did a fast test and things seemed to work for some
reason... I guess I'd better not post while still having a bit
of a temperature.
Regards, Jens
--
\ Jens Thoms Toerring ___ (E-Mail Removed)
\__________________________ http://toerring.de
 
Peter J. Holzer
      06-19-2009
On 2009-06-19 10:59, maylcc <(E-Mail Removed)> wrote:
> Thanks for your reply. I am trying to implement a test password script
> which accepts user id and password and uses these parameters to auth
> against the server (linux) /etc/passwd and shadow. Any suggestion?


Take a look at saslauthd. It is intended for exactly this situation
where a non-privileged process needs to check whether a supplied
password is correct. There is even a perl module for it:
http://search.cpan.org/dist/Authen-SASL-Authd/

hp
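
The approach suggested above, as an added example that is not part of the original posts and does not use Authen::SASL::Authd: an unprivileged, taint-mode Perl script that validates the login name and asks saslauthd over its Unix socket whether the password is correct. The socket path, the `login` service name, the username pattern and the refusal of `root` are assumptions of this example.

```perl
#!/usr/bin/perl -T
# Added example: unprivileged password check through saslauthd's Unix socket.
use strict;
use warnings;
use IO::Socket::UNIX;
use Socket qw(SOCK_STREAM);

# Launder the environment, as taint mode expects of any CGI script.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';

my $MUX     = '/run/saslauthd/mux';  # assumption: path differs per distribution
my $SERVICE = 'login';               # assumption: service name handed to saslauthd

# Untaint the login name with a strict allow-list; refuse root outright.
sub clean_user {
    my ($raw) = @_;
    return unless defined($raw) && $raw =~ /\A([a-z_][a-z0-9_-]{0,31})\z/;
    return $1 eq 'root' ? undef : $1;
}

# Request: user, password, service, realm, each prefixed by a 16-bit
# big-endian length ('n/a*' packs the count followed by the bytes).
sub build_request {
    return join '', map { pack 'n/a*', $_ } @_;
}

# Reply: one length-prefixed string that starts with "OK" on success.
# Any socket or protocol error counts as a rejection (fail closed).
sub check_password {
    my ($user, $pass) = @_;
    local $SIG{PIPE} = 'IGNORE';     # a vanished daemon must not kill the script
    my $sock = IO::Socket::UNIX->new(Type => SOCK_STREAM, Peer => $MUX)
        or return 0;
    print {$sock} build_request($user, $pass, $SERVICE, '') or return 0;
    $sock->flush;
    (read($sock, my $hdr, 2) // 0) == 2 or return 0;
    my $len = unpack 'n', $hdr;
    (read($sock, my $body, $len) // 0) == $len or return 0;
    return $body =~ /\AOK/ ? 1 : 0;
}

unless (caller) {   # run as a script: login name and password on two stdin lines
    chomp(my $raw  = <STDIN> // '');
    chomp(my $pass = <STDIN> // '');
    my $user = clean_user($raw);
    my $ok = defined($user) && length($pass) && check_password($user, $pass);
    print $ok ? "accepted\n" : "rejected\n";
}
```

The script needs only permission to connect to the saslauthd socket, so neither it nor the web server has to run as root or read /etc/shadow.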
 
J. Gleixner
      06-22-2009
maylcc wrote:
[...]
> Thanks for your reply. I am trying to implement a test password script
> which accepts user id and password and uses these parameters to auth
> against the server (linux) /etc/passwd and shadow. Any suggestion?


First you say you want to update a password on a Linux server, now
you're saying you want to auth[enticate] against the server?

If you want to verify authentication, forget about /etc/passwd
and simply authenticate using telnet/ssh/whatever, provided
they have shell access.

You could also build an htpasswd file, based on /etc/shadow,
and use HTTP authentication.

If you're trying to build a Web interface to set shell
passwords, without some form of pre-authentication, you're asking
for trouble. The first thing JoeHacker will do is put in
'root', or your username, and some password, then your
server is toast.
 