Bug 129282

Summary: Perl is built without suid support, even though "suidperl" binary exists
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Gordon Schumacher <whiplash>
Component: OtherAssignee: Michael Schröder <mls>
Status: RESOLVED INVALID QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None    
Version: Final   
Target Milestone: ---   
Hardware: x86   
OS: SuSE Linux 10.0   
Whiteboard:
Found By: Customer Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Gordon Schumacher 2005-10-19 05:07:59 UTC 
The line in the Perl specfile that calls Configure specifies the following settings:
-Dinstallusrbinperl -Dusethreads -Di_db -Di_dbm -Di_ndbm -Di_gdbm

The d_dosuid is required for suid support.  The configure line above does not
set d_dosuid (-Dd_dosuid), and it is not set by default.

In SuSE 9.2, suid Perl scripts worked, but not in 9.3 - which leads me to
believe that this was true under 9.3 as well.

If suid support is genuinely not desired, might I request that you either remove
the suidperl binary entirely (as it is currently misleading) or (better) that
you do what some other distributions have done, which is to put it in a separate
package, so that the sites that require it can still use it.
Comment 1 Marcus Meissner 2005-10-19 09:34:00 UTC 
You need to set the setuid bit on the "sperl5..." binary.
Comment 2 Michael Schröder 2005-10-19 10:32:04 UTC 
d_dosuid is automatically set in the linux hint file. No need to add a Configure option. Check Config_heavy.pl if you don't believe me...
Comment 3 Gordon Schumacher 2005-10-19 15:51:04 UTC 
I do indeed see the d_dosuid in Config_heavy.pl, but setuid was already set on sperl5.8.7:

silverpath:/usr/src/packages/BUILD/perl-5.8.7 # ls -l /usr/bin/suidperl
-rwxr-xr-x  3 root root 1203220 Oct 18 23:01 /usr/bin/suidperl
silverpath:/usr/src/packages/BUILD/perl-5.8.7 # ls -l /usr/bin/sperl5.8.7
-rws--x--x  1 root root 1186160 Oct 18 23:01 /usr/bin/sperl5.8.7

Before I manually added -Dd_dosuid to the specfile, a Perl script with the setuid bit set would not execute.  With the permissions of /usr/bin/suidperl left at 755, I got a "Can't do seteuid!" message; if I changed the permissions to 4755, I got "YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET!  FIX YOUR KERNEL, OR PUT A C WRAPPER AROUND THIS SCRIPT!"  The script is invoking "/usr/bin/suidperl -T".

After I added the -Dd_dosuid to the specfile, everything works...

Is there some other Perl binary file that I need to be referencing for the standard config to work, then?
Comment 4 Michael Schröder 2005-10-19 16:01:26 UTC 
It works for me. Make sure that perl and suidperl is mode 755 and sperl5.8.7 is mode 4711. The script can either contain perl or suidperl after the "#!".
Again: do not change the permissions of suidperl, change sperl5.8.7!

$ cat /tmp/test
#!/usr/bin/perl

print "hello\n";
print "uid = $< euid = $>\n";
$ ls -l /tmp/test
-rwsr-xr-x  1 root root 64 Oct 19 17:55 /tmp/test
$ /tmp/test
hello
uid = 10408 euid = 0
Comment 5 Gordon Schumacher 2005-10-19 17:16:11 UTC 
*doh*

When I did the ls -l above showing setuid on /usr/bin/sperl5.8.7, I'd already installed my new RPM (thus making me think it was correct before too).  Indeed, with the standard RPM installed, setuid isn't enabled, and enabling that fixes it.

Perhaps a knowledgebase entry for this?  I'd looked at the Perl docs and done Google searches for all sorts of things that I thought might be related without ever turning anything useful up (hence why I resorted to trying to rebuild the RPM!)

Thanks for your help on this.