Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!uunet!munnari.oz.au!yarra-glen!pem
From: pem@yarra-glen.aaii.oz.au (Paul E. Maisano)
Newsgroups: comp.lang.perl
Subject: Re: Setuid/setgid scripts
Message-ID: <1400@yarra-glen.aaii.oz.au>
Date: 27 Mar 90 05:01:17 GMT
References: <1395@frankland-river.aaii.oz.au> <7557@jpl-devvax.JPL.NASA.GOV>
Organization: Australian AI Institute
Lines: 66

In article <7557@jpl-devvax.JPL.NASA.GOV>, lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall) writes:
>
> This is odd, because I just ran a setgid script here with no problem.  The
> script says
>
>     #!/usr/bin/perl
>     print "$(\n$)\n";
>
> I wrapped it with a wrapper very much like the one above, and it works fine.
> I run it and it says
>
>     20 35 10 3 0 20
>     25 35 10 3 0 20
>
> I'm running it under SunOS 4.0.3.

Ok, things are starting to look interesting...

I'm running it under 4.0.3 as well, on a Sparcstation-1.

I've narrowed it down to the following weirdness -- it looks like it has
something to do with uninitialized array elements but I don't understand
why having the effective group id different from the real gid triggers it.

Here is how I repeat it:

I have a perl script called 'bug' and a C-wrapper which runs './bug'.
I compile the C wrapper, and run it and it works fine.
I do a "chmod g+s a.out" (or whatever I compiled the wrapper into) and
it causes a segmentation fault when I run it.

-------cut here for C-wrapper----------
main(ac, av)
char **av;
{
    execv("./bug", av);
}
-------cut here for perl-program called 'bug'-----
#!/usr/bin/perl
warn "$(\n$)\n";
$array[1] = "y";
$var = " @array ";   # this line dumps core when egid != rgid
print "var=<$var>\n";
-------cut here------

Making the real group id the same as the effective gid fixes it, whether by
not making the wrapper setgid or by adding "setrgid(getegid());" before
the call to execv().

The work around is obvious; just make sure you have no uninitialized
array elements.

If this is a weird bug with uninitialized array elements I can't wait to
hear why the effective group id has something to do with it.

BTW, How do you disable setuid shell scripts in the kernel? The perl manual
seems to imply that it is a straightforward thing to do.

------------------
Paul E. Maisano
Australian Artificial Intelligence Institute
1 Grattan St. Carlton, Vic. 3053, Australia
Ph: +613 663-7922  Fax: +613 663-7937
Email: pem@aaii.oz.au
UUCP: {uunet,mcsun,ukc,nttlab}!munnari!aaii.oz.au!pem
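
The setrgid(getegid()) workaround from the post, written out as an added example that is not part of the original post or of Perl's own sources. It assumes POSIX setregid() in place of the SunOS setrgid() call the post names, keeps the post's "./bug" path, and adds the return-value checks a setgid wrapper should have.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for setregid() under strict compiler modes */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Script path as used in the post; a relative path depends on the cwd. */
#define SCRIPT_PATH "./bug"

/*
 * Make the real gid equal to the effective gid, as the post's
 * setrgid(getegid()) does. Assumption: setregid() is the portable
 * equivalent on the target system. Returns 0 on success, -1 on failure.
 */
int align_real_gid(void)
{
    gid_t egid = getegid();

    if (setregid(egid, egid) != 0)
        return -1;

    /* Verify the resulting ids instead of trusting the call alone. */
    if (getgid() != egid || getegid() != egid)
        return -1;

    return 0;
}

int main(int argc, char **argv)
{
    (void)argc;

    /* Refuse to exec the script if the gids could not be aligned. */
    if (align_real_gid() != 0) {
        perror("setregid");
        return 1;
    }

    execv(SCRIPT_PATH, argv);

    /* execv() only returns on error. */
    perror("execv");
    return 127;
}
```

Current Perl turns on taint checking automatically when the real and effective ids differ (see perlsec), so once a wrapper aligns them the script needs -T on its #! line to keep those checks.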