Bug 56537 – processes created by system() don't inherit euid

Bug 56537 - processes created by system() don't inherit euid

Summary:	processes created by system() don't inherit euid

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Red Hat Linux
Classification:	Retired
Component:	perl (Show other bugs)
Sub Component:
Version:	7.2
Hardware:	i686 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Crutcher Dunnavant
QA Contact:	David Lawrence
Docs Contact:

URL:
Whiteboard:
Keywords:	Security

Duplicates:	38610 44001 (view as bug list)
Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2001-11-20 13:28 EST by Scott Hankin
Modified:	2007-04-18 12:38 EDT (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2001-11-28 12:35:35 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Scott Hankin 2001-11-20 13:28:07 EST

From Bugzilla Helper:

User-Agent: Mozilla/4.0 (compatible; MSIE 5.12; Mac_PowerPC)



Description of problem:

Consider the following perl script

print "My uid is $>\n";
$> = 100;
print "Now my uid is $>\n";
system("echo 'Hello, world!' > /var/tmp/hworld

When run as root, the uid is changed for the perl process, but
the file created by the system() call is owned by root.



Version-Release number of selected component (if applicable):





How reproducible:

Always



Steps to Reproduce:

1. See above example

2.

3.

	



Actual Results:  hworld is owned by root



Expected Results:  hworld is owned by user 100



Additional info:

Linux is the only platform this occurs on.  Solaris, DEC Unix, SGI, AIX, 
Unixware, Mac OS X (BSD) - all create a file owned by the efffective 
uid of the perl process.

This could be a security problem is the root user runs a perl script 
expecting the files created to be owned by some other user, but 
instead they are owned by root.  If the files were executables, and had 
the suid bit set, the ownership by root would be a serious problem.

This problem is in 7.0 and 7.1 as well.

Comment 1 Radu Greab 2001-11-27 06:38:15 EST

This is a not a bug in Perl, but a "feature" of bash.

Because the argument to system contains shell metacharacters, the argument is
passed to /bin/sh, which is bash, for parsing. Bash sees that the effective
user id is different than the real user id and it changes back the effective
UID to the real UID, thus the child process runs as root and the file's owner
is root. Bash won't change the effective UID if the parameter -p is given, so
your code will work as expected if you use the following statement:

system("/bin/sh", "-p", "-c", "echo 'Hello, world!' > /var/tmp/hworld")

Comment 2 Scott Hankin 2001-11-28 12:35:29 EST

Thanks, Radu.  I was able to explain the bug because of this info, and your
suggested fix did indeed work on Linux.  However, because the script is used on
a variety of platforms, and the -p switch isn't recognized by the shells on all
of them, I wound up calling the system() function without the redirection
characters, and doing the redirection from within Perl.

Clearly, this isn't a Perl bug, or a bug at all, actually.  It should be closed.

Comment 3 Chip Turner 2003-04-11 16:36:09 EDT

*** Bug 44001 has been marked as a duplicate of this bug. ***

Comment 4 Chip Turner 2003-04-11 16:36:14 EDT

*** Bug 38610 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.