Bug 51825
Field | Value
---|---
Summary: | Setuid and other Perl problems with bash
Product: | [Retired] Red Hat Linux
Component: | bash
Version: | 7.1
Hardware: | i686
OS: | Linux
Status: | CLOSED NOTABUG
Severity: | high
Priority: | medium
Reporter: | jra
Assignee: | Bernhard Rosenkraenzer <bero>
QA Contact: | Aaron Brown <abrown>
Doc Type: | Bug Fix
Last Closed: | 2001-08-28 17:59:53 UTC
Description
jra
2001-08-15 16:05:36 UTC
setuid: Not a bug, but a security feature. It is not safe to make scripts setuid root, therefore we disallow it. If you absolutely need a setuid root script, you have to write a wrapper, e.g.

```c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), seteuid() */

int main(int argc, char **argv)
{
    setuid(0);
    seteuid(0);
    return system("your script");
}
```

and make that setuid root.

For the backtick problem, please attach a sample script so I can see what's going on, chances are it's another intentional change though (please check the bash documentation on new features in 2.x).

Here are the lines from the Perl Script. The first set of lines are from a routine that formats the new user info line. The second set of lines make up the nwauth (the email authentication program) routine.

```perl
$infogroup = "fwd=\"$fwd\" "."info=\"$info\" "."groups=\"$groups\"";
$infogroup =~ s/\"/\\\"/g;    ## backslashed parens needed for nwauth command line

sub SetUser {
    my($username,$password,$infogroup) = @_;
    my($cmdline) = '';
    my($response) = '';

    $cmdline = "nwauth "."- set "."$username\@itotal.net "."$password "."$infogroup";
    # untaint
    $cmdline =~ /^([\w\/\s\-\@\.\"\\\=\,\#]+)$/;
    $response = `$1`;
    if($response =~ /^(\+OK)/) { return($response); }
    return('');
}
```

WRT the setuid Perl/bash thing, check out bug #44001, too.

Two comments here. First WRT the setuid being disallowed, we disagree with RedHat as it is the system administrator who should make that decision. Second, the workaround for those who need it is to edit the first line in all the system scripts to #!/bin/bash as they use bash anyway. Then copy an older copy of bash (from 6.2) into the bin directory naming it bash1. Finally change the sh link in the bin directory to point to bash1 instead of bash. These steps eliminate both of the above problems.

James

This feature is not specific to Red Hat Linux (it's in bash 2.x base), if you don't like it, use bash -p.