Bug 44001

Summary: perl suid script in Apache
Product: [Retired] Red Hat Linux
Reporter: Renato <renato>
Component: perl
Assignee: Chip Turner <cturner>
Status: CLOSED DUPLICATE
QA Contact: David Lawrence <dkl>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.1
CC: bugs.michael, gman
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2006-02-21 18:48:01 UTC

Description Renato 2001-06-08 18:37:34 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Description of problem:
Depending on how the suid is created it doesn't run as root.

How reproducible:
Always

Steps to Reproduce:
1. Script:
#!/usr/bin/perl -U

print "Content-type: text/html;\n\n";
$output = `/usr/bin/whoami`;
$output2 = `/usr/bin/whoami && /usr/bin/whoami`;

print $output . "<BR>";
print $output2 . "<BR>";

2. chmod 4711 test.pl

3. put it under web tree.

4. output in Red Hat 6.2:
root
root root

output in Red Hat 7.1
root
apache apache

Running all standard packages. clean installation of Red Hat 7.1
	

Actual Results:  output in Red Hat 7.1
root
apache apache


Expected Results:  output in Red Hat 7.1
root
root root

Additional info:

Comment 1 Renato 2001-06-13 13:25:22 UTC
I think I found the source of the problem. This is definitely a problem with 
bash. I did a test and upgraded a 6.2 machine to bash-2.04-21 from Red Hat 7.1 
and it stopped working.

I also tried bash-2.05-5 from Raw Hide but it didn't fix the problem.

Comment 2 Michael Schwendt 2001-06-15 18:51:24 UTC
Apache of Red Hat Linux 7.1 has suEXEC enabled. You are not allowed to execute
as the Superuser and/or execute setuid/setgid scripts/binaries. Consult Apache's
suEXEC manual.



Comment 3 Renato 2001-06-18 16:50:11 UTC
The problem is not with apache. If you run this script in a shell prompt
(bash2) you get the result described above.

Comment 4 Michael Schwendt 2001-06-18 20:02:19 UTC
(I was misguided by your summary mentioning Apache. Hence I thought running the
script via Apache was involved. I couldn't see how you would get user name
"apache".)

I can reproduce it now. Try this:

  cd /bin
  rm sh
  ln -s ash sh

Or this (test.sh)

  #! /bin/ash
  whoami

and add

  $output3 = `test.sh`;
  print $output3;

to your perl script. When using /bin/ash as opposed to /bin/bash, you get "root"
in all cases. Perl passes your compound commands on to "sh -c":

  sh -c /usr/bin/whoami && /usr/bin/whoami

Bash doesn't like to execute that setuid. So, this should be assigned to
component "bash", not "perl".


Comment 5 gman 2001-07-08 07:33:29 UTC
I am having the same problem. Where apache is determined not to used as 
whatever user is of the suid'ed script. I have tried disabling suexec per 
apache's suexec manual by removing /usr/sbin/suexec on redhat 7.1.
I even used /usr/bin/suidperl instead of just /usr/bin/perl.. still the same..
this works in 6.2.. sigh..

Comment 6 Radu Greab 2001-11-27 12:02:23 UTC
Indeed, this is rather a bash problem as described in bug 56537. A workaround
to obtain the correct result in $output2 would be to replace

$output2 = `/usr/bin/whoami && /usr/bin/whoami`;

with

die "Can't fork: $!" unless defined ($pid = open(KID, "-|"));
if ($pid) {
    $output2 = join("", <KID>);
    close KID;
} else {
    exec "/bin/sh", "-p", "-c", "/usr/bin/whoami && /usr/bin/whoami"
	or die "can't exec program: $!";
}
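
An added example, not part of the bug report or of any comment here: a variant of the workaround above that keeps /bin/sh out of the picture entirely, so the result does not depend on how the shell treats a mismatched real and effective UID. Each program is started with list-form exec and the "&&" is emulated in Perl; the helper names run_direct and run_and and the fixed PATH value are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example: run commands directly (no "sh -c") and emulate "A && B".
# run_direct/run_and are hypothetical helper names, not from the bug report.
use strict;
use warnings;

# Run one program via forking open + list-form exec.
# Returns (captured stdout, raw wait status from $?).
sub run_direct {
    my @argv = @_;
    my $pid = open(my $kid, "-|");       # child's STDOUT is piped to $kid
    die "Can't fork: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: fixed minimal environment, nothing inherited from the caller.
        %ENV = (PATH => "/usr/bin:/bin");
        exec { $argv[0] } @argv          # indirect-object form never uses a shell
            or die "can't exec $argv[0]: $!";
    }
    my $out = join("", <$kid>);
    close($kid);                         # reaps the child and sets $?
    return ($out, $?);
}

# Equivalent of `A && B && ...`: stop at the first command that fails.
# The raw status is compared, so death by signal also counts as failure.
sub run_and {
    my @cmds = @_;                       # list of array refs, one per command
    my $all = "";
    for my $cmd (@cmds) {
        my ($out, $status) = run_direct(@$cmd);
        $all .= $out;
        return ($all, $status) if $status != 0;
    }
    return ($all, 0);
}

# Same two commands as $output2 in the original script.
my ($output2, $status) = run_and(["/usr/bin/whoami"], ["/usr/bin/whoami"]);
print $output2;
```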

Comment 7 Chip Turner 2003-04-11 20:36:06 UTC

*** This bug has been marked as a duplicate of 56537 ***

Comment 8 Red Hat Bugzilla 2006-02-21 18:48:01 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.