The perl-5.8.0-88.4 SRPM from RHEL3 builds perl with setuid script support, but then the built perl-suidperl RPM is not included. So, setuid perl scripts are broken, and (since perl thinks they should work) the error messages is less than obvious about what is wrong. There are several solutions: 1. Stop building with setuid script support. This sucks, because I have (carefully written) scripts in place that use perl's setuid support. There is no easy replacement, except to go write a bunch of C wrappers (which would probably be less secure, as it is easy to make mistakes doing that). 2. Include the perl-suidperl RPM. Is there a reason why this isn't there now? 3. Change the Linux kernel to support secure setuid scripts. This would be the ideal fix, as more than just perl would benefit. I see that this topic comes up every once in a while, and one argument against the kernel doing it is "well, the only safe setuid script language is perl, and it does it itself already" (which is now not the case under RHEL3). It seems to me that this is a case of the kernel enforcing policy, which seems to be opposite to the standard Linux way.
I think it was intended to be in there but just got lost on its way: # rpm --redhatprovides /usr/bin/suidperl perl-suidperl-5.8.0-88.4 # up2date perl-suidperl The following packages you requested were not found: perl-suidperl
isn't this a duplicate of bug 112255
More or less - I missed it because I looked for bugs against "perl" instead of "distribution". I still think the ideal solution would be to change the kernel to handle setuid scripts. It isn't a big change (and then there'd be no need for sperl).
Scripts using various unsafe programs that are not intended to run SUID root at least. So I dont't believe that there will be kernel with scripts SUID bit support.
Is there any need to keep this report open, or can it be closed a duplicate from bug 112255?
I see that perl-suidperl is in the update 3 beta. Thanks.