Bug 116191

Summary: No setuid perl script support
Product: Red Hat Enterprise Linux 3
Reporter: Chris Adams <linux>
Component: perl
Assignee: Chip Turner <cturner>
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Version: 3.0
CC: leonard-rh-bugzilla
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-07-22 21:18:26 UTC

Description Chris Adams 2004-02-18 21:02:17 UTC
The perl-5.8.0-88.4 SRPM from RHEL3 builds perl with setuid script
support, but then the built perl-suidperl RPM is not included.  So,
setuid perl scripts are broken, and (since perl thinks they should
work) the error message is less than obvious about what is wrong.

There are several solutions:

1. Stop building with setuid script support.  This sucks, because I
have (carefully written) scripts in place that use perl's setuid
support.  There is no easy replacement, except to go write a bunch of
C wrappers (which would probably be less secure, as it is easy to make
mistakes doing that).

2. Include the perl-suidperl RPM.  Is there a reason why this isn't
there now?

3. Change the Linux kernel to support secure setuid scripts.  This
would be the ideal fix, as more than just perl would benefit.  I see
that this topic comes up every once in a while, and one argument
against the kernel doing it is "well, the only safe setuid script
language is perl, and it does it itself already" (which is now not the
case under RHEL3).  It seems to me that this is a case of the kernel
enforcing policy, which seems to be opposite to the standard Linux way.
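
Added example, not part of the original report: a shell function an administrator could use to find the scripts this bug affects, that is, setuid/setgid files that start with "#!", and to flag the perl ones when no suidperl binary is installed. The function name and status labels are assumptions made for illustration; /usr/bin/suidperl is the path that appears in Comment 1.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Red Hat's or perl's own tooling).
# Linux ignores the setuid/setgid bits when it executes a "#!" script, so a
# setuid perl script only works when perl can hand over to suidperl.
#
# audit_suid_scripts DIR [SUIDPERL_PATH]
# Prints one line per setuid/setgid script: STATUS<TAB>INTERPRETER<TAB>PATH
#   perl-ok      perl script, suidperl binary present and executable
#   perl-broken  perl script, suidperl binary missing (the case in this bug)
#   other        non-perl interpreter; the kernel drops the setuid bit
# Usage: audit_suid_scripts /usr/local/bin
audit_suid_scripts() {
    dir=$1
    suidperl=${2:-/usr/bin/suidperl}
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # Only files whose first two bytes are "#!" are scripts.
        [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ] || continue
        # Interpreter = first word after "#!", skipping an "env" prefix.
        interp=$(head -n 1 "$f" | sed -e 's/^#![[:space:]]*//' \
            -e 's|^[^[:space:]]*/env[[:space:]][[:space:]]*||' \
            -e 's/[[:space:]].*$//')
        case ${interp##*/} in
            perl*)
                if [ -x "$suidperl" ]; then status=perl-ok
                else status=perl-broken; fi ;;
            *)  status=other ;;
        esac
        printf '%s\t%s\t%s\n' "$status" "$interp" "$f"
    done
}
```

File names containing newlines are not handled; the scan stays on one filesystem because of -xdev.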

Comment 1 Geoffrey D. Bennett 2004-02-26 07:09:50 UTC
I think it was intended to be in there but just got lost on its way:

# rpm --redhatprovides /usr/bin/suidperl
perl-suidperl-5.8.0-88.4
# up2date perl-suidperl
The following packages you requested were not found:
perl-suidperl

Comment 2 Martin Roest 2004-03-04 15:37:08 UTC
Isn't this a duplicate of bug 112255?

Comment 3 Chris Adams 2004-03-04 15:40:34 UTC
More or less - I missed it because I looked for bugs against "perl"
instead of "distribution".

I still think the ideal solution would be to change the kernel to
handle setuid scripts.  It isn't a big change (and then there'd be no
need for sperl).


Comment 4 Milan Kerslager 2004-04-14 09:20:49 UTC
Scripts are using various unsafe programs that are not intended to run
SUID root at least. So I don't believe that there will be a kernel
with script SUID bit support.

Comment 5 Leonard den Ottolander 2004-04-21 17:33:54 UTC
Is there any need to keep this report open, or can it be closed as a
duplicate of bug 112255?


Comment 6 Chris Adams 2004-07-22 21:18:26 UTC
I see that perl-suidperl is in the update 3 beta.  Thanks.