Bug 56537 - processes created by system() don't inherit euid
Summary: processes created by system() don't inherit euid
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: perl
Version: 7.2
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Crutcher Dunnavant
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords: Security
: 38610 44001 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-11-20 18:28 UTC by Scott Hankin
Modified: 2007-04-18 16:38 UTC (History)
2 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2001-11-28 17:35:35 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Scott Hankin 2001-11-20 18:28:07 UTC 
From Bugzilla Helper:

User-Agent: Mozilla/4.0 (compatible; MSIE 5.12; Mac_PowerPC)



Description of problem:

Consider the following perl script

print "My uid is $>\n";
$> = 100;
print "Now my uid is $>\n";
system("echo 'Hello, world!' > /var/tmp/hworld

When run as root, the uid is changed for the perl process, but
the file created by the system() call is owned by root.



Version-Release number of selected component (if applicable):





How reproducible:

Always



Steps to Reproduce:

1. See above example

2.

3.

	



Actual Results:  hworld is owned by root



Expected Results:  hworld is owned by user 100



Additional info:

Linux is the only platform this occurs on.  Solaris, DEC Unix, SGI, AIX, 
Unixware, Mac OS X (BSD) - all create a file owned by the efffective 
uid of the perl process.

This could be a security problem is the root user runs a perl script 
expecting the files created to be owned by some other user, but 
instead they are owned by root.  If the files were executables, and had 
the suid bit set, the ownership by root would be a serious problem.

This problem is in 7.0 and 7.1 as well.
Comment 1 Radu Greab 2001-11-27 11:38:15 UTC 
This is a not a bug in Perl, but a "feature" of bash.

Because the argument to system contains shell metacharacters, the argument is
passed to /bin/sh, which is bash, for parsing. Bash sees that the effective
user id is different than the real user id and it changes back the effective
UID to the real UID, thus the child process runs as root and the file's owner
is root. Bash won't change the effective UID if the parameter -p is given, so
your code will work as expected if you use the following statement:

system("/bin/sh", "-p", "-c", "echo 'Hello, world!' > /var/tmp/hworld")
Comment 2 Scott Hankin 2001-11-28 17:35:29 UTC 
Thanks, Radu.  I was able to explain the bug because of this info, and your
suggested fix did indeed work on Linux.  However, because the script is used on
a variety of platforms, and the -p switch isn't recognized by the shells on all
of them, I wound up calling the system() function without the redirection
characters, and doing the redirection from within Perl.

Clearly, this isn't a Perl bug, or a bug at all, actually.  It should be closed.
Comment 3 Chip Turner 2003-04-11 20:36:09 UTC 
*** Bug 44001 has been marked as a duplicate of this bug. ***
Comment 4 Chip Turner 2003-04-11 20:36:14 UTC 
*** Bug 38610 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.