Red Hat Bugzilla – Bug 56537
processes created by system() don't inherit euid
Last modified: 2007-04-18 12:38:22 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.12; Mac_PowerPC)
Description of problem:
Consider the following perl script
print "My uid is $>\n";
$> = 100;
print "Now my uid is $>\n";
system("echo 'Hello, world!' > /var/tmp/hworld
When run as root, the uid is changed for the perl process, but
the file created by the system() call is owned by root.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. See above example
Actual Results: hworld is owned by root
Expected Results: hworld is owned by user 100
Linux is the only platform this occurs on. Solaris, DEC Unix, SGI, AIX,
Unixware, Mac OS X (BSD) - all create a file owned by the efffective
uid of the perl process.
This could be a security problem is the root user runs a perl script
expecting the files created to be owned by some other user, but
instead they are owned by root. If the files were executables, and had
the suid bit set, the ownership by root would be a serious problem.
This problem is in 7.0 and 7.1 as well.
This is a not a bug in Perl, but a "feature" of bash.
Because the argument to system contains shell metacharacters, the argument is
passed to /bin/sh, which is bash, for parsing. Bash sees that the effective
user id is different than the real user id and it changes back the effective
UID to the real UID, thus the child process runs as root and the file's owner
is root. Bash won't change the effective UID if the parameter -p is given, so
your code will work as expected if you use the following statement:
system("/bin/sh", "-p", "-c", "echo 'Hello, world!' > /var/tmp/hworld")
Thanks, Radu. I was able to explain the bug because of this info, and your
suggested fix did indeed work on Linux. However, because the script is used on
a variety of platforms, and the -p switch isn't recognized by the shells on all
of them, I wound up calling the system() function without the redirection
characters, and doing the redirection from within Perl.
Clearly, this isn't a Perl bug, or a bug at all, actually. It should be closed.
*** Bug 44001 has been marked as a duplicate of this bug. ***
*** Bug 38610 has been marked as a duplicate of this bug. ***