Bug 51825

Summary: Setuid and other Perl problems with bash
Product: [Retired] Red Hat Linux Reporter: jra
Component: bashAssignee: Bernhard Rosenkraenzer <bero>
Status: CLOSED NOTABUG QA Contact: Aaron Brown <abrown>
Severity: high Docs Contact:
Priority: medium    
Version: 7.1   
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-08-28 17:59:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description jra 2001-08-15 16:05:36 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

Description of problem:
When executing an suid Perl script with owner root, the script does not 
run with root privileges as expected.  In our case, the Perl script 
executes an email authentication program using the backticks command.  The 
default owner, group and permissions for the authentication program are 
mail mail 770 respectively.  The workaround was to change the owner and 
group to root http (same as the Perl script).

The other bug with bash is that it is impossible to pass any double quote 
characters to the shell via Perl's backtick command even with a preceeding 
backslash.  At first a problem with Perl was suspected but after changing 
the shell to ash (a tip from Bug Report 44001), everything works.  
Unfortunately if one changes the /bin/sh link to ash, many of the startup 
scripts fail.  Neither the suid problem nor the double quote problem 
appear in RedHat 6.2 and its corresponding bash shell which we have been 
using for a year now.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Write Perl script that uses a backtick command and passes double quote 
characters such as "\\\" \\\"".  The extra backslash is needed by the 
2. Execute a program that needs the double quote characters as part of its 
command line.

Actual Results:  The double quote characters are not passed to the shell 
and the program that needs them does not execute properly.

Expected Results:  Any program needing double quote characters on the 
command line should receive them when Perl hands them off to the shell via 
the backtick command.

Additional info:

I consider this a high priority bug because the system "as-is" does not 
work since we upgraded to 7.1 and we have had to revert back to 6.2 

Comment 1 Bernhard Rosenkraenzer 2001-08-15 16:27:03 UTC
setuid: Not a bug, but a security feature. It is not safe to make scripts 
setuid root, therefore we disallow it.
If you absolutely need a setuid root script, you have to write a wrapper, e.g.

int main(int argc, char **argv)
	setuid(0); seteuid(0); return system("your script");

and make that setuid root.

For the backtick problem, please attach a sample script so I can see what's 
going on, chances are it's another intentional change though (please check the 
bash documentation on new features in 2.x).

Comment 2 jra 2001-08-15 16:53:46 UTC
Here are the lines from the Perl Script.  The first set of lines are from a 
routine that formats the new user info line.  The second set of lines make up 
the nwauth (the email authentication program) routine.

$infogroup = "fwd=\"$fwd\" "."info=\"$info\" "."groups=\"$groups\"";
$infogroup =~ s/\"/\\\"/g;  ## backslashed parens needed for nwauth command line

sub SetUser
   my($username,$password,$infogroup) = @_;   
   my($cmdline) = '';
   my($response) = '';
   $cmdline = "nwauth "."- 
set "."$username\@itotal.net "."$password "."$infogroup";
   # untaint
   $cmdline =~ /^([\w\/\s\-\@\.\"\\\=\,\#]+)$/;
   $response = `$1`;
   if($response =~ /^(\+OK)/)
      { return($response); }

Comment 3 Michael Schwendt 2001-08-19 14:39:39 UTC
WRT the setuid Perl/bash thing, check out bug #44001, too.

Comment 4 jra 2001-08-28 17:59:49 UTC
Two comments here. First WRT the setuid being disallowed, we disagree with 
RedHat as it is the system administrator who should make that decision.

Second, the workaround for those who need it is to edit the first line in all 
the system scripts to #!/bin/bash as they use bash anyway.  Then copy an older 
copy of bash (from 6.2) into the bin directory naming it bash1.  Finally change 
the sh link in the bin directory to point to bash1 instead of bash.  These 
steps eliminate both of the above problems.


Comment 5 Bernhard Rosenkraenzer 2002-02-12 17:35:16 UTC
This feature is not specific to Red Hat Linux (it's in bash 2.x base), if you don't like 
it, use bash -p.