Red Hat Bugzilla – Bug 116191
No setuid perl script support
Last modified: 2007-11-30 17:07:00 EST
The perl-5.8.0-88.4 SRPM from RHEL3 builds perl with setuid script
support, but then the built perl-suidperl RPM is not included. So,
setuid perl scripts are broken, and (since perl thinks they should
work) the error message is less than obvious about what is wrong.
There are several solutions:
1. Stop building with setuid script support. This sucks, because I
have (carefully written) scripts in place that use perl's setuid
support. There is no easy replacement, except to go write a bunch of
C wrappers (which would probably be less secure, as it is easy to make
mistakes doing that).
2. Include the perl-suidperl RPM. Is there a reason why this isn't
3. Change the Linux kernel to support secure setuid scripts. This
would be the ideal fix, as more than just perl would benefit. I see
that this topic comes up every once in a while, and one argument
against the kernel doing it is "well, the only safe setuid script
language is perl, and it does it itself already" (which is now not the
case under RHEL3). It seems to me that this is a case of the kernel
enforcing policy, which seems to be opposite to the standard Linux way.
I think it was intended to be in there but just got lost on its way:
# rpm --redhatprovides /usr/bin/suidperl
# up2date perl-suidperl
The following packages you requested were not found:
Isn't this a duplicate of bug 112255?
More or less - I missed it because I looked for bugs against "perl"
instead of "distribution".
I still think the ideal solution would be to change the kernel to
handle setuid scripts. It isn't a big change (and then there'd be no
need for sperl).
Scripts using various unsafe programs that are not intended to run
SUID root at least. So I don't believe that there will be a kernel
with scripts SUID bit support.
Is there any need to keep this report open, or can it be closed as a
duplicate of bug 112255?
I see that perl-suidperl is in the update 3 beta. Thanks.