Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!linac!convex!usenet
From: tchrist@convex.COM (Tom Christiansen)
Newsgroups: comp.lang.perl
Subject: Re: suidperl 4.003 on a Convex
Keywords: suidperl disabled setuid-scripts
Message-ID: <1991May18.130923.10322@convex.com>
Date: 18 May 91 13:09:23 GMT
References: <1991May16.180137.25776@bernina.ethz.ch>
Sender: usenet@convex.com (news access account)
Reply-To: tchrist@convex.COM (Tom Christiansen)
Organization: CONVEX Software Development, Richardson, TX
Lines: 35
Nntp-Posting-Host: pixel.convex.com

From the keyboard of karrer@bernina.ethz.ch (Andreas Karrer):
:I followed Tom Christiansen's instructions on how to compile perl 4.003
:with the ANSI standard Convex cc (no -pcc).
:
:Now I have a problem with setuid perl scripts. It seems that under
:ConvexOS 9.0 Convex has "fixed" the security problem inherent in
:set[ug]id #!-scripts. From the chmod(2) man page:
:
:     ... Additionally, shell
:     scripts which have either the set-user-ID bit or set-group-
:     ID bit set will not execute if the caller's user/group-ID
:     does not match that of the script.
:
:In other words, when you try to run a set[ug]id script, you just get:
:
:     "./script: Not owner."
:
:and suidperl has no chance of ever getting invoked.
:
:What they should have done is that the kernel just ignores the
:set[ug]id bits before it execve's the script.

Tell me about it! If you're a customer of ours (as it appears you are)
I urge you to submit a bug report (contact report) about this. I need
more ammo. :-)

A bizarre work-around is that while you can't execute "script" directly,
saying "perl script" makes all the right things happen. You can put
script in .script.real, and make script say "exec perl .$0.real $@" or
some such.

--tom
--
Tom Christiansen		tchrist@convex.com	convex!tchrist
		"So much mail, so little time."
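
An added example, not part of the original post: a POSIX shell audit that lists the set[ug]id `#!` scripts under a directory, which is the class of file the quoted chmod(2) text says ConvexOS 9.0 refuses to execute for other users. The function names `is_script` and `find_setid_scripts` are this example's own.

```shell
#!/bin/sh
# Added example: inventory set-user-ID / set-group-ID interpreter scripts.
# Kernels differ in how they treat these files (honour the bits, ignore
# them, or refuse to exec), so an audit should know where they are.

# is_script FILE
# Succeeds if FILE starts with the two bytes "#!", i.e. the kernel would
# hand it to an interpreter instead of loading it as a binary.
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = '#!' ]
}

# find_setid_scripts DIR
# Prints, one per line, every regular file under DIR that has the
# set-user-ID (04000) or set-group-ID (02000) bit set AND is a "#!" script.
# Set-id compiled binaries are skipped; they are a separate audit item.
find_setid_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if is_script "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Run as "sh audit.sh /some/dir"; with no argument nothing is scanned.
if [ "$#" -gt 0 ]; then
    find_setid_scripts "$1"
fi
```
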