Bug 44001 - perl suid script in Apache
perl suid script in Apache
Status: CLOSED DUPLICATE of bug 56537
Product: Red Hat Linux
Classification: Retired
Component: perl (Show other bugs)
7.1
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Chip Turner
David Lawrence
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-06-08 14:37 EDT by Renato
Modified: 2007-04-18 12:33 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-02-21 13:48:01 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Renato 2001-06-08 14:37:34 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Description of problem:
Depending on how the suid is created it doesn't run as root.

How reproducible:
Always

Steps to Reproduce:
1. Script:
#!/usr/bin/perl -U

print "Content-type: text/html;\n\n";
$output = `/usr/bin/whoami`;
$output2 = `/usr/bin/whoami && /usr/bin/whoami`;

print $output . "<BR>";
print $output2 . "<BR>";

2. chmod 4711 test.pl

3. put it under web tree.

4. output in Red Hat 6.2:
root
root root

output in Red Hat 7.1
root
apache apache

Running all standard packages. clean installation of Red Hat 7.1
	

Actual Results:  output in Red Hat 7.1
root
apache apache


Expected Results:  output in Red Hat 7.1
root
root root

Additional info:
Comment 1 Renato 2001-06-13 09:25:22 EDT
I think I found the source of the problem. This is definitely a problem with 
bash. I did a test and upgraded a 6.2 machine to bash-2.04-21 from Red Hat 7.1 
and it stopped working.

I also tried bash-2.05-5 from Raw Hide but it didn't fixed the problem.
Comment 2 Michael Schwendt 2001-06-15 14:51:24 EDT
Apache of Red Hat Linux 7.1 has suEXEC enabled. You are not allowed to execute
as the Superuser and/or execute setuid/setgid scripts/binaries. Consult Apache's
suEXEC manual.

Comment 3 Renato 2001-06-18 12:50:11 EDT
The problem is not with apache. If you run this script in a shell prompt ( 
bash2 ) you get the result described above.
Comment 4 Michael Schwendt 2001-06-18 16:02:19 EDT
(I was misguided by your summary mentioning Apache. Hence I thought running the
script via Apache was involved. I couldn't see how you would get user name
"apache".)

I can reproduce it now. Try this:

  cd /bin
  rm sh
  ln -s ash sh

Or this (test.sh)

  #! /bin/ash
  whoami

and add

  $output3 = `test.sh`;
  print $output3;

to your perl script. When using /bin/ash as opposed to /bin/bash, you get "root"
in all cases. Perl passes your compound commands on to "sh -c":

  sh -c /usr/bin/whoami && /usr/bin/whoami

Bash doesn't like to execute that setuid. So, this should be assigned to
component "bash", not "perl".
Comment 5 gman 2001-07-08 03:33:29 EDT
I am having the same problem. Where apache is determined not to used as 
whatever user is of the the suid'ed script. I have tried disabling suexec perl 
apache's suexec manual by removing /usr/sbin/suexec on redhat 7.1.
I even used /usr/bin/suidperl instead of just /usr/bin/perl.. still the same..
this work in 6.2.. sigh..
Comment 6 Radu Greab 2001-11-27 07:02:23 EST
Indeed, this is rather a bash problem as described in bug 56537. A workaround
to obtain the correct result in $output2 would be to replace

$output2 = `/usr/bin/whoami && /usr/bin/whoami`;

with

die "Can't fork: $!" unless defined ($pid = open(KID, "-|"));
if ($pid) {
    $output2 = join("", <KID>);
    close KID;
} else {
    exec "/bin/sh", "-p", "-c", "/usr/bin/whoami && /usr/bin/whoami"
	or die "can't exec program: $!";
}
Comment 7 Chip Turner 2003-04-11 16:36:06 EDT

*** This bug has been marked as a duplicate of 56537 ***
Comment 8 Red Hat Bugzilla 2006-02-21 13:48:01 EST
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.

Note You need to log in before you can comment on or make changes to this bug.