> Suidperl should be owned by root and suid, perl should not.  The point
> of the separate suid binary is that it does some additional checking
> and works around the usual race conditions when kernels do the
> suid handling for scripts.

OK, that clarifies things, thanks a lot, Les. Then I should be doing the
opposite of what I was doing:

    # chmod u+s /usr/bin/suidperl

And running the script with that...

I wonder why SuSE doesn't set the suid bit on suidperl... OK, so I just did
the search I should have done a long time ago (I probably got too
frustrated to go to the bottom of the problem at that point and stopped
investigating when I got things to work):

http://www.novell.com/linux/security/advisories/2004_43_cyrus_imapd.html
says in point 5:

    - suidperl
      SUSE LINUX 9.2 follows the new upstream policy to install
      /usr/bin/suidperl as hardlink to /usr/bin/perl. In previous perl
      versions it used to be a hardlink to /usr/bin/sperl*. Therefore one
      must not set a setuid bit on /usr/bin/suidperl as suggested in the
      RPM package description of perl. Set the bit on /usr/bin/sperl5.8.5
      instead if you really need the suid feature. Also check your
      /etc/permissions.local file for references of /usr/bin/suidperl if
      you were upgrading from previous SUSE LINUX releases.

      SUSE Linux is not affected by this problem in the default
      installation, only if the administrator added the s-bit to
      suidperl.

And it seems that SuSE 9.3, and 10.0 (and Debian too, I read) do the same
thing.

Basically, /usr/bin/perl, /usr/bin/perl5.8.X, and /usr/bin/suidperl are all
hardlinks to the same thing, and /usr/bin/sperl5.8.X is a different
executable, the one whose suid bit should be changed if necessary, instead
of /usr/bin/suidperl.


Bernardo Rechea
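
A check for the layout described above, as an added example that is not part of the original message: because mode bits belong to the inode, setting the suid bit on suidperl when it is a hardlink to perl makes perl itself setuid. The function name `audit_suidperl` and the output wording are made up for this sketch; it does not check file ownership.

```shell
#!/bin/sh
# Added example (not from the thread). Mode bits live on the inode, so
# "chmod u+s suidperl" also makes every hardlink to that file setuid.

# audit_suidperl BINDIR   (hypothetical helper name)
# Prints one line per setuid file found among the perl binaries in BINDIR.
# Returns 1 if the setuid bit sits on an inode shared with BINDIR/perl,
# 0 otherwise.
audit_suidperl() {
    bindir=${1:-/usr/bin}
    perl=$bindir/perl
    bad=0

    for f in "$bindir"/suidperl "$bindir"/perl "$bindir"/perl5* "$bindir"/sperl5*; do
        [ -f "$f" ] || continue      # unmatched glob or missing file
        [ -u "$f" ] || continue      # only setuid files are of interest
        if [ "$f" -ef "$perl" ]; then
            # Same inode as the plain interpreter: the case the advisory warns about.
            echo "DANGER: $f is setuid and shares its inode with $perl"
            bad=1
        else
            # A separate executable, e.g. sperl5.8.X, where the bit belongs if needed.
            echo "INFO: $f is setuid and is a separate executable"
        fi
    done
    return $bad
}

# When run directly with a directory argument, audit that directory.
if [ $# -gt 0 ]; then
    audit_suidperl "$1"
fi
```

Run it as `sh audit.sh /usr/bin`; a DANGER line means the bit should be removed from that inode and, if the suid feature is really needed, set on the sperl binary instead.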



_______________________________________________
BackupPC-users mailing list
BackupPC-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/backuppc-users
http://backuppc.sourceforge.net/