Bug 44001 - perl suid script in Apache
Summary: perl suid script in Apache
Keywords:
Status: CLOSED DUPLICATE of bug 56537
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: perl
Version: 7.1
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Chip Turner
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-06-08 18:37 UTC by Renato
Modified: 2007-04-18 16:33 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-02-21 18:48:01 UTC


Attachments (Terms of Use)

Description Renato 2001-06-08 18:37:34 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Description of problem:
Depending on how the suid is created it doesn't run as root.

How reproducible:
Always

Steps to Reproduce:
1. Script:
#!/usr/bin/perl -U

print "Content-type: text/html;\n\n";
$output = `/usr/bin/whoami`;
$output2 = `/usr/bin/whoami && /usr/bin/whoami`;

print $output . "<BR>";
print $output2 . "<BR>";

2. chmod 4711 test.pl

3. put it under web tree.

4. output in Red Hat 6.2:
root
root root

output in Red Hat 7.1
root
apache apache

Running all standard packages. clean installation of Red Hat 7.1
	

Actual Results:  output in Red Hat 7.1
root
apache apache


Expected Results:  output in Red Hat 7.1
root
root root

Additional info:

Comment 1 Renato 2001-06-13 13:25:22 UTC
I think I found the source of the problem. This is definitely a problem with 
bash. I did a test and upgraded a 6.2 machine to bash-2.04-21 from Red Hat 7.1 
and it stopped working.

I also tried bash-2.05-5 from Raw Hide but it didn't fixed the problem.

Comment 2 Michael Schwendt 2001-06-15 18:51:24 UTC
Apache of Red Hat Linux 7.1 has suEXEC enabled. You are not allowed to execute
as the Superuser and/or execute setuid/setgid scripts/binaries. Consult Apache's
suEXEC manual.



Comment 3 Renato 2001-06-18 16:50:11 UTC
The problem is not with apache. If you run this script in a shell prompt ( 
bash2 ) you get the result described above.

Comment 4 Michael Schwendt 2001-06-18 20:02:19 UTC
(I was misguided by your summary mentioning Apache. Hence I thought running the
script via Apache was involved. I couldn't see how you would get user name
"apache".)

I can reproduce it now. Try this:

  cd /bin
  rm sh
  ln -s ash sh

Or this (test.sh)

  #! /bin/ash
  whoami

and add

  $output3 = `test.sh`;
  print $output3;

to your perl script. When using /bin/ash as opposed to /bin/bash, you get "root"
in all cases. Perl passes your compound commands on to "sh -c":

  sh -c /usr/bin/whoami && /usr/bin/whoami

Bash doesn't like to execute that setuid. So, this should be assigned to
component "bash", not "perl".


Comment 5 gman 2001-07-08 07:33:29 UTC
I am having the same problem. Where apache is determined not to used as 
whatever user is of the the suid'ed script. I have tried disabling suexec perl 
apache's suexec manual by removing /usr/sbin/suexec on redhat 7.1.
I even used /usr/bin/suidperl instead of just /usr/bin/perl.. still the same..
this work in 6.2.. sigh..

Comment 6 Radu Greab 2001-11-27 12:02:23 UTC
Indeed, this is rather a bash problem as described in bug 56537. A workaround
to obtain the correct result in $output2 would be to replace

$output2 = `/usr/bin/whoami && /usr/bin/whoami`;

with

die "Can't fork: $!" unless defined ($pid = open(KID, "-|"));
if ($pid) {
    $output2 = join("", <KID>);
    close KID;
} else {
    exec "/bin/sh", "-p", "-c", "/usr/bin/whoami && /usr/bin/whoami"
	or die "can't exec program: $!";
}

Comment 7 Chip Turner 2003-04-11 20:36:06 UTC

*** This bug has been marked as a duplicate of 56537 ***

Comment 8 Red Hat Bugzilla 2006-02-21 18:48:01 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.


Note You need to log in before you can comment on or make changes to this bug.