PERL Beginners - setuid not working with quotes

Author

setuid not working with quotes

Gsandtner Michael

2007-02-21, 6:59 pm

I have a problem with setuid script. I have tracked down to the
following example.
A perl script is setuid, calls another, not setuid script with system.
If the argument contain a quote, setuid is not performed, otherwise it
is set.

cd /home/foo
cat >suid-example <<'_end'
#!/usr/bin/perl
print STDERR "suid-example $< $>\n";
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} =3D "/home/foo";
system("/home/foo/nosuid-example arg");
system("/home/foo/nosuid-example \"arg\"");
_end

chown root.root suid-example
chmod 4755 suid-example

cat >nosuid-example <<'_end'
#!/usr/bin/perl
print STDERR "nosuid-example $< $>\n";
_end

chmod 755 nosuid-example

Executing ./suid-example as non-privileged user sets the effective uid
in the first system call but not in the second.

Any hint greatly appreciated.

--Michi

Tom Phoenix

2007-02-21, 6:59 pm

On 2/21/07, Gsandtner Michael <gsa@adv.magwien.gv.at> wrote:

> system("/home/foo/nosuid-example arg");
> system("/home/foo/nosuid-example \"arg\"");

The difference between these two is that the first runs the example
program, but the second runs a shell and asks it to run the example
program.

When your single argument to system contains shell metacharacters,
such as double quote marks, that string is passed to /bin/sh. That's
the program that knows what to do with those metacharacters. (It's
also the program that's not passing on the set-id state to its child
process, of course. That sounds like a security feature.)

If you don't want to involve a shell, pass a list of arguments to
system. The first item in the list is the program to invoke, and the
remaining items are the arguments to that program, with no extra
quotes needed.

Hope this helps!

--Tom Phoenix
Stonehenge Perl Training

Sponsored Links