Bug 56537 - processes created by system() don't inherit euid
processes created by system() don't inherit euid
Product: Red Hat Linux
Classification: Retired
Component: perl (Show other bugs)
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Crutcher Dunnavant
David Lawrence
: Security
: 38610 44001 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2001-11-20 13:28 EST by Scott Hankin
Modified: 2007-04-18 12:38 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-11-28 12:35:35 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Scott Hankin 2001-11-20 13:28:07 EST
From Bugzilla Helper:

User-Agent: Mozilla/4.0 (compatible; MSIE 5.12; Mac_PowerPC)

Description of problem:

Consider the following perl script

print "My uid is $>\n";
$> = 100;
print "Now my uid is $>\n";
system("echo 'Hello, world!' > /var/tmp/hworld

When run as root, the uid is changed for the perl process, but
the file created by the system() call is owned by root.

Version-Release number of selected component (if applicable):

How reproducible:


Steps to Reproduce:

1. See above example




Actual Results:  hworld is owned by root

Expected Results:  hworld is owned by user 100

Additional info:

Linux is the only platform this occurs on.  Solaris, DEC Unix, SGI, AIX, 
Unixware, Mac OS X (BSD) - all create a file owned by the efffective 
uid of the perl process.

This could be a security problem is the root user runs a perl script 
expecting the files created to be owned by some other user, but 
instead they are owned by root.  If the files were executables, and had 
the suid bit set, the ownership by root would be a serious problem.

This problem is in 7.0 and 7.1 as well.
Comment 1 Radu Greab 2001-11-27 06:38:15 EST
This is a not a bug in Perl, but a "feature" of bash.

Because the argument to system contains shell metacharacters, the argument is
passed to /bin/sh, which is bash, for parsing. Bash sees that the effective
user id is different than the real user id and it changes back the effective
UID to the real UID, thus the child process runs as root and the file's owner
is root. Bash won't change the effective UID if the parameter -p is given, so
your code will work as expected if you use the following statement:

system("/bin/sh", "-p", "-c", "echo 'Hello, world!' > /var/tmp/hworld")
Comment 2 Scott Hankin 2001-11-28 12:35:29 EST
Thanks, Radu.  I was able to explain the bug because of this info, and your
suggested fix did indeed work on Linux.  However, because the script is used on
a variety of platforms, and the -p switch isn't recognized by the shells on all
of them, I wound up calling the system() function without the redirection
characters, and doing the redirection from within Perl.

Clearly, this isn't a Perl bug, or a bug at all, actually.  It should be closed.
Comment 3 Chip Turner 2003-04-11 16:36:09 EDT
*** Bug 44001 has been marked as a duplicate of this bug. ***
Comment 4 Chip Turner 2003-04-11 16:36:14 EDT
*** Bug 38610 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.