Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!apple!usc!samsung!munnari.oz.au!frankland-river!pem
From: pem@frankland-river.aaii.oz.au (Paul E. Maisano)
Newsgroups: comp.lang.perl
Subject: Setuid/setgid scripts
Message-ID: <1395@frankland-river.aaii.oz.au>
Date: 25 Mar 90 07:04:34 GMT
Organization: Australian AI Institute
Lines: 62

I am trying to run a perl script setgid but have had some problems.

I am running perl under SUNOS 4.0, so scripts are insecure.
Perl reminded me of this loudly after I made the script setgid.
I don't know how to disable setuid/setgid scripts in the kernel
(but would be interested in finding out).
Also I don't have the undump program handy.

So I decided I would simply put a setgid C wrapper around the script.
Something like:

    main(ac, av)
    char **av;
    {
        execv("/usr/local/bin/script", av);
    }

I tried this without changing the mode of the wrapper to be setgid.
It ran ok but without access to the files I needed, as expected.

As soon as I made the wrapper setgid, perl started dumping core.
It stopped dumping core after I added the following line before the execv.

    setrgid(getegid());

Can anyone enlighten me about this?

This wrapper is still no good but it's not perl's fault. The documented
behaviour of setrgid() on my system (and most other UNIXes, I believe) is
to take away the access privileges which you had by virtue of the group you
are leaving.

So in other words, this wrapper allows me to access the files I could
not access before but denies me access to some files which I used to have
access to before.

I can't seem to get this working cleanly, so I was wondering if anyone had
any ideas.

My current solution is to make the C-wrapper setuid-root as well, so that
it can preserve the original group access list. But it seems like overkill
to have to make it setuid-root.

    #include <sys/param.h>  /* NGROUPS */

    char err[] = "exec failed\n";
    int groups[NGROUPS];

    main(ac, av)
    char **av;
    {
        /* save the group access list before changing the real gid */
        int n = getgroups(NGROUPS, groups);

        setrgid(getegid());
        /* restore the saved list (needs root), then give up root */
        setgroups(n, groups);
        setuid(getuid());
        execv("/usr/local/bin/script", av);
        write(2, err, sizeof err);
    }

------------------
Paul E. Maisano
Australian Artificial Intelligence Institute
1 Grattan St. Carlton, Vic. 3053, Australia
Ph: +613 663-7922  Fax: +613 663-7937
Email: pem@aaii.oz.au
UUCP: {uunet,mcsun,ukc,nttlab}!munnari!aaii.oz.au!pem
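
An added example, not part of the original post: the same setgid wrapper written for a current POSIX system, with every ID change checked and verified before the exec, so the wrapper fails closed if the group state is not what it expects. It assumes setregid() in place of the SunOS setrgid(); the names promote_egid, drop_euid and MAXG are made up for this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define SCRIPT "/usr/local/bin/script"  /* path used in the post */
#define MAXG   1024                     /* assumed bound; a larger list fails closed */

/* Make the real gid equal to the effective gid and confirm that the
 * supplementary group list came through unchanged. Returns 0 on success. */
int promote_egid(void)
{
    gid_t before[MAXG], after[MAXG];
    gid_t egid = getegid();
    int nb = getgroups(MAXG, before);

    if (nb < 0)
        return -1;
    if (setregid(egid, egid) != 0)
        return -2;
    if (getgid() != egid || getegid() != egid)
        return -3;
    int na = getgroups(MAXG, after);
    if (na != nb || memcmp(before, after, (size_t)nb * sizeof(gid_t)) != 0)
        return -4;                      /* group list changed: do not exec */
    return 0;
}

/* Give up any setuid privilege and verify that it is really gone. */
int drop_euid(void)
{
    uid_t ruid = getuid();

    if (setuid(ruid) != 0)
        return -1;
    return geteuid() == ruid ? 0 : -2;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (promote_egid() != 0 || drop_euid() != 0) {
        fputs("wrapper: could not set up ids\n", stderr);
        return 111;
    }
    execv(SCRIPT, argv);
    perror("execv");                    /* reached only if the exec failed */
    return 127;
}
```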