Report information
Id: 74142
Status: resolved
Priority: 0/
Queue: perl5

Owner: tonyc <tony [at] develop-help.com>
Requestors: jquelin [at] gmail.com
Cc:
AdminCc:

Operating System: Linux
PatchStatus: (no value)
Severity: low
Type:
Perl Version: 5.12.0
Fixed In: (no value)
Subject: provide a better c wrapper example in perlsec
Date: Thu, 8 Apr 2010 17:06:07 +0200 (CEST)
To: perlbug [...] perl.org
From: jquelin [...] gmail.com (Jerome Quelin)
This is a bug report for perl from jquelin@gmail.com,
generated with the help of perlbug 1.39 running under perl 5.12.0.

-----------------------------------------------------------------
[Please describe your issue here]

perl 5.12 doesn't ship perlsuid anymore. it's said so in perlsec, with a small piece of a c code to use as a wrapper calling the real perl script, the goal being to setuid the wrapper instead.

however, the wrapper could be better, such as sanitizing env, or whatever any security-aware people will recommend.

==> in order to have a smooth transition, it would be good to provide a more secure wrapper to be used easily.

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=docs
    severity=low
---
Site configuration information for perl 5.12.0:

Configured by Mandriva at Thu Apr 8 16:20:55 CEST 2010.

Summary of my perl5 (revision 5 version 12 subversion 0) configuration:

  Platform:
    osname=linux, osvers=2.6.33.1-desktop-1mnb, archname=x86_64-linux-thread-multi
    uname='linux localhost 2.6.33.1-desktop-1mnb #1 smp tue mar 16 18:22:58 utc 2010 x86_64 x86_64 x86_64 gnulinux '
    config_args='-des -Dinc_version_list=5.10.1 5.10.0 5.8.8 5.8.7 5.8.6 5.8.5 5.8.4 5.8.3 5.8.2 5.8.1 5.8.0 5.6.1 5.6.0 -Darchname=x86_64-linux -Dcc=x86_64-mandriva-linux-gnu-gcc -Doptimize=-O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -DDEBUGGING=-g -Dprefix=/usr -Dvendorprefix=/usr -Dsiteprefix=/usr -Dsitebin=/usr/local/bin -Dsiteman1dir=/usr/local/share/man/man1 -Dsiteman3dir=/usr/local/share/man/man3 -Dman3ext=3pm -Dcf_by=Mandriva -Dmyhostname=localhost -Dperladmin=root@localhost -Dcf_email=root@localhost -Ud_csh -Duseshrplib -Duseithreads -Di_db -Di_ndbm -Di_gdbm'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='x86_64-mandriva-linux-gnu-gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.4.3', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='x86_64-mandriva-linux-gnu-gcc', ldflags =' -fstack-protector -L/usr/local/lib64'
    libpth=/usr/local/lib64 /lib64 /usr/lib64
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=/lib/libc-2.11.1.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.11.1'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/lib/perl5/5.12.0/x86_64-linux-thread-multi/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -L/usr/local/lib64'

Locally applied patches:
    RC4 Mandriva Linux patches

---
@INC for perl 5.12.0:
    /home/jquelin/rpm/cooker/perl/BUILD/perl-5.12.0-RC4/lib
    /usr/lib/perl5/site_perl/5.12.0/x86_64-linux-thread-multi
    /usr/lib/perl5/site_perl/5.12.0
    /usr/lib/perl5/vendor_perl/5.12.0/x86_64-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.12.0
    /usr/lib/perl5/5.12.0/x86_64-linux-thread-multi
    /usr/lib/perl5/5.12.0
    /usr/lib/perl5/site_perl/5.10.1
    /usr/lib/perl5/site_perl/5.10.0
    /usr/lib/perl5/site_perl
    /usr/lib/perl5/vendor_perl/5.10.1
    /usr/lib/perl5/vendor_perl/5.10.0
    /usr/lib/perl5/vendor_perl/5.8.8
    /usr/lib/perl5/vendor_perl
    .

---
Environment for perl 5.12.0:
    HOME=/home/jquelin
    LANG=fr_FR.UTF-8
    LANGUAGE=fr_FR.UTF-8:fr
    LC_ADDRESS=fr_FR.UTF-8
    LC_COLLATE=fr_FR.UTF-8
    LC_CTYPE=fr_FR.UTF-8
    LC_IDENTIFICATION=fr_FR.UTF-8
    LC_MEASUREMENT=fr_FR.UTF-8
    LC_MESSAGES=fr_FR.UTF-8
    LC_MONETARY=fr_FR.UTF-8
    LC_NAME=fr_FR.UTF-8
    LC_NUMERIC=fr_FR.UTF-8
    LC_PAPER=fr_FR.UTF-8
    LC_SOURCED=1
    LC_TELEPHONE=fr_FR.UTF-8
    LC_TIME=fr_FR.UTF-8
    LD_LIBRARY_PATH=.
    LOGDIR (unset)
    PATH=.:/home/jquelin/bin:/home/jquelin/bin:/home/jquelin/bin:/home/jquelin/bin:/usr/bin:/bin:/usr/local/bin:/usr/X11R6/bin/:/usr/games:/usr/lib/qt4/bin:/sbin:/usr/sbin:/usr/games:/sbin:/usr/sbin:/usr/games:/sbin:/usr/sbin:/usr/games:/sbin:/usr/sbin:/usr/games
    PERL5LIB=/home/jquelin/rpm/cooker/perl/BUILD/perl-5.12.0-RC4/lib
    PERL_BADLANG (unset)
    SHELL=/bin/bash
Hmm, that wrapper example has been there since about 1996, and still uses K&R arg conventions! Definitely a good idea to improve it now, though.
Subject: Re: [perl #74142] provide a better c wrapper example in perlsec
Date: Fri, 9 Apr 2010 12:24:35 +0100
To: perl5-porters [...] perl.org
From: Zefram <zefram [...] fysh.org>
Jerome Quelin wrote:
>however, the wrapper could be better,
I think we should be promoting the use of sudo, before suggesting a custom wrapper. -zefram
CC: perl5-porters [...] perl.org
Subject: Re: [perl #74142] provide a better c wrapper example in perlsec
Date: Fri, 9 Apr 2010 10:11:30 -0400
To: Zefram <zefram [...] fysh.org>
From: Jesse Vincent <jesse [...] fsck.com>
On Fri, Apr 09, 2010 at 12:24:35PM +0100, Zefram wrote:
> Jerome Quelin wrote:
> >however, the wrapper could be better,
> I think we should be promoting the use of sudo, before suggesting a
> custom wrapper.
+1
> -zefram
--
To: perl5-porters [...] perl.org
Date: Mon, 11 Dec 2017 00:34:05 +0000
From: Zefram <zefram [...] fysh.org>
Subject: Re: [perl #74142] provide a better c wrapper example in perlsec
The C wrapper code is actually fine as it is: its purpose is to avoid the shebang race condition, not to sanitise other aspects of the environment. Much of perlsec is about how Perl is actually OK to run set-id. However, the documentation about the race condition and the wrapper was poor. I've revised it, and added a section about sudo, in commit b5145c7d479fcfcb104fc6d3d89b4d757ca3cd15. -zefram
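For readers who want to see concretely what Zefram's message means by "avoid the shebang race condition", the following is an added example of such a wrapper, written here in ANSI C; it is not the perlsec text's own code, nor anything from the ticket. The script path REAL_PATH is an assumed placeholder. The point of the design is that the set-id bits live on this compiled binary, and the script is then executed by a fixed absolute path baked into the binary, so there is no window between the kernel opening a set-id script and the interpreter re-opening it by name. Everything else (taint mode, environment handling) is left to Perl, as the message says.

```c
/* Added example, not from perlsec or this ticket: a minimal set-id wrapper
 * that execs a Perl script by a fixed absolute path. REAL_PATH is an
 * assumed placeholder; set it at compile time with -DREAL_PATH='"..."'. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef REAL_PATH
#define REAL_PATH "/usr/local/lib/example/real-script.pl" /* assumed placeholder */
#endif

/* Build the argv the script will see: out[0] is the fixed script path,
 * the caller's arguments after argv[0] follow unchanged, then a NULL.
 * Returns the number of entries written (not counting the NULL), or -1
 * when out has no room. Kept separate from main so it can be tested. */
int build_exec_argv(const char *script, int argc, char *const argv[],
                    char *out[], size_t out_cap)
{
    size_t entries = (argc > 0) ? (size_t)argc : 1; /* script + args */
    if (script == NULL || out == NULL || out_cap < entries + 1)
        return -1;
    out[0] = (char *)script;
    int n = 1;
    for (int i = 1; i < argc; i++)
        out[n++] = argv[i];
    out[n] = NULL;
    return n;
}

int main(int argc, char *argv[])
{
    char *exec_argv[64];

    if (build_exec_argv(REAL_PATH, argc, argv, exec_argv,
                        sizeof exec_argv / sizeof exec_argv[0]) < 0) {
        fprintf(stderr, "wrapper: too many arguments\n");
        return 1;
    }

    /* The script is started by absolute path, never by a name taken from
     * the caller; its own #! line selects perl. execv only returns on
     * failure. The effective uid/gid granted by this binary's set-id bits
     * carry over into the exec'd script, which itself needs no set-id bit. */
    execv(REAL_PATH, exec_argv);
    perror("wrapper: execv");
    return 1;
}
```

Build it with the real script path supplied at compile time, install the binary with the wanted set-id bit, and keep the script itself non-set-id and writable only by its owner, since the wrapper trusts whatever is at REAL_PATH.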
Thank you for filing this report. You have helped make Perl better.

With the release yesterday of Perl 5.28.0, this and 185 other issues have been resolved.

Perl 5.28.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.28.0

If you find that the problem persists, feel free to reopen this ticket.