Re: setuid question: insecure dependency?

2001-09-20 Thread Justin Simoni

Here's the link to Stein's user_manage program,

http://stein.cshl.org/~lstein/user_manage/

Perhaps you can get some pointers from that script; it has a web-based and
terminal-based interface thing.

justin.
http://skazat.com


 The problem isn't setuid Perl; it's that suid forces taintmode on. Read all
 available docs on taintmode.
 
 In particular start with Lincoln Stein's Web security FAQ at the
 www.w3c.org website... and re-read perldoc perlsec as you've stated you've
 done, but this time pay attention to the taintmode stuff.
 
 Lincoln Stein also has a good article on calling setuid stuff like changing
 passwords from a Web App in one of the past Perl Journal issues, but I
 can't recall which one at the moment. It was quite a good article though as
 it went through the pros and cons of several different ways of doing it.
 
 Later,
   Gunther
 
 At 05:14 PM 9/19/2001 -0400, Andria Thomas wrote:
 Hi all --
 
 I'm trying to write a setuid script to change passwords on a machine via
 the web.  I am not trying to change the local passwords (i.e. *not*
 modifying /etc/password), but I do need the script to be run as root so
 it can call another password-changing utility which is doing the actual
 work.
 
 When run from the command line as root, the script works fine. However,
 when run as myself (after setting the script to be setuid root) I get
 the following error generated from the script's system call:
 
 Insecure dependency in system while running setuid at ./chpass_web.pl
 line 159.
 
 Perl is installed on this system to use suid emulation, so it's calling
 the 'suidperl' binary.  The problem originates from the following line
 of code:
 
 system "/bin/echo $new_password1 | /usr/local/sbin/saslpasswd -p $in_username";
 
 The documentation I've seen implies that variables can't be passed
 directly into the shell, as they are above, but I couldn't reword the
 system call in any way that still enabled it to work.
 
 Can anyone help with this?  Or lead me to any pointers on suidperl?
 I've already read the perlsec manpage, and searched through the mailing
 list archives...
 
 Thanks!
 Andria
 
 --
 --
 Andria Thomas [EMAIL PROTECTED]
 System Administrator -- Tovaris, Inc.
 (434) 245-5309 x 105
 
 
 --
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 
 __
 Gunther Birznieks ([EMAIL PROTECTED])
 eXtropia - The Open Web Technology Company
 http://www.eXtropia.com/
 






Re: setuid question: insecure dependency?

2001-09-19 Thread Gunther Birznieks

The problem isn't setuid Perl; it's that suid forces taintmode on. Read all
available docs on taintmode.

In particular start with Lincoln Stein's Web security FAQ at the 
www.w3c.org website... and re-read perldoc perlsec as you've stated you've 
done, but this time pay attention to the taintmode stuff.

Lincoln Stein also has a good article on calling setuid stuff like changing 
passwords from a Web App in one of the past Perl Journal issues, but I 
can't recall which one at the moment. It was quite a good article though as 
it went through the pros and cons of several different ways of doing it.

Later,
Gunther

At 05:14 PM 9/19/2001 -0400, Andria Thomas wrote:
Hi all --

I'm trying to write a setuid script to change passwords on a machine via
the web.  I am not trying to change the local passwords (i.e. *not*
modifying /etc/password), but I do need the script to be run as root so
it can call another password-changing utility which is doing the actual
work.

When run from the command line as root, the script works fine. However,
when run as myself (after setting the script to be setuid root) I get
the following error generated from the script's system call:

Insecure dependency in system while running setuid at ./chpass_web.pl
line 159.

Perl is installed on this system to use suid emulation, so it's calling
the 'suidperl' binary.  The problem originates from the following line
of code:

system "/bin/echo $new_password1 | /usr/local/sbin/saslpasswd -p $in_username";

The documentation I've seen implies that variables can't be passed
directly into the shell, as they are above, but I couldn't reword the
system call in any way that still enabled it to work.

Can anyone help with this?  Or lead me to any pointers on suidperl?
I've already read the perlsec manpage, and searched through the mailing
list archives...

Thanks!
Andria

--
--
Andria Thomas [EMAIL PROTECTED]
System Administrator -- Tovaris, Inc.
(434) 245-5309 x 105



__
Gunther Birznieks ([EMAIL PROTECTED])
eXtropia - The Open Web Technology Company
http://www.eXtropia.com/
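
An added example, not code from anyone in this thread: one way to rework the quoted system call so it passes the taint checks that suidperl forces on. The username is untainted through an allow-list capture and the password goes to saslpasswd -p on standard input, with no shell in between. The username pattern, the PATH value and reading the two fields from STDIN (a stand-in for the web form) are assumptions; the list-form pipe open needs Perl 5.8 or later.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Taint mode also distrusts the inherited environment: pin PATH and drop the
# variables a shell or child process could be steered by (see perlsec).
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $SASLPASSWD = '/usr/local/sbin/saslpasswd';    # path from the original post

# Untaint by capturing from a strict allow-list pattern; only the captured
# group is considered clean. Character set and length are assumptions.
sub untaint_username {
    my ($raw) = @_;
    return $1 if defined $raw && $raw =~ /\A([a-z][a-z0-9_.-]{0,31})\z/;
    die "rejected username\n";
}

# The password never reaches a command line or a shell. It only has to be a
# single line, because saslpasswd -p reads it from standard input.
sub check_password {
    my ($raw) = @_;
    die "rejected password\n"
        unless defined $raw && length $raw && $raw !~ /[\r\n\0]/;
    return $raw;
}

sub set_sasl_password {
    my ($user, $password) = @_;
    # List-form pipe open: saslpasswd is exec'd directly, /bin/sh is never
    # involved, so metacharacters in the data are not interpreted.
    open(my $pipe, '|-', $SASLPASSWD, '-p', $user)
        or die "cannot run $SASLPASSWD: $!\n";
    print {$pipe} $password, "\n";
    close($pipe) or die "saslpasswd failed (exit status $?)\n";
    return 1;
}

# Stand-in for the CGI form fields: username on line 1, password on line 2.
# Anything read from STDIN is tainted, just like form input.
chomp(my $in_username   = <STDIN> // '');
chomp(my $new_password1 = <STDIN> // '');

set_sasl_password(untaint_username($in_username), check_password($new_password1));
print "password updated\n";
```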

