[CentOS] Problem running a setuid Perl script on CentOS 4.5

Brian Mathis brian.mathis at gmail.com
Fri Nov 16 16:19:39 UTC 2007


On Nov 16, 2007 11:16 AM, James Olin Oden <james.oden at gmail.com> wrote:
> On 11/16/07, Alfred von Campe <alfred at von-campe.com> wrote:
> > On Nov 16, 2007, at 9:55, Marc Wiatrowski wrote:
> >
> > > Being aware of the security implications, do you have
> > > perl-suidperl-X.rpm installed?
> >
> > I meant I was aware of the implications of running setuid scripts.  I
> > was not aware that CentOS' upstream provider had packaged suidperl
> > separately.  Installing this package solved my problem.  However, I
> > am pursuing an sudo solution at the moment that may work even better
> > for me.
> >
> setuid scripts are not by their nature bad as some would propose.  As
> a matter of fact without using a system with mandatory access controls
> like SELinux, they can be effective tools to enhance overall security
> provided you follow some simple guidelines quite rigorously:
>
>    - As soon as you start, de-elevate your privileges.
>    - Only elevate your privileges for as long as you need to (as an example
>      one may need root to open certain files, but once it's opened you do
>      not need root to read and write the file).
>    - Try to keep the setuid program as simple as possible.  If there
>      is a point where it can throw away its privileges forever then do so.
>    - Be very rigorous in determining that a user in the current
>      context they are in should be using the setuid script.
>
> I think the key word in all that is "rigor" and though not used, "aware".
>
> Cheers...james
>

Good suggestions.  Also keep in mind that you don't always suid to
root.  You can also suid to another user (which seems to be the case
here).
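
The guidelines quoted above, as an added example that is not part of the original thread: a C sketch (not Perl) of de-elevating at start, elevating only around the privileged open, and then dropping for good, written so it also works when the binary is setuid to a non-root user. The function names and the `/dev/null` sample path are assumptions made for illustration, and the permanent drop relies on Linux `setreuid` semantics, which is why it is verified afterwards.

```c
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>

static uid_t priv_uid;  /* effective uid granted by the setuid bit */

/* Run as the invoking user; the saved set-user-ID keeps the way back. */
int priv_suspend(void) { return seteuid(getuid()); }

/* Raise to the privileged uid just around the call that needs it. */
int priv_resume(void) { return seteuid(priv_uid); }

/* First thing in main(): remember the privileged uid, then de-elevate. */
int priv_init(void) { priv_uid = geteuid(); return priv_suspend(); }

/* Open with privilege; the descriptor stays usable after de-elevating. */
int open_privileged(const char *path, int flags) {
    if (priv_resume() != 0) return -1;
    int fd = open(path, flags);
    if (priv_suspend() != 0) {          /* never continue while elevated */
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

/* Throw privileges away for good: real, effective and saved ids become the caller's. */
int priv_drop_forever(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setregid(rgid, rgid) != 0) return -1;   /* group first, then user */
    if (setreuid(ruid, ruid) != 0) return -1;
    /* Verify instead of trusting: getting the old uid back must now fail. */
    if (priv_uid != ruid && seteuid(priv_uid) == 0) return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

int main(void) {
    if (priv_init() != 0) return 1;
    int fd = open_privileged("/dev/null", O_WRONLY);  /* constructed sample path */
    if (fd < 0 || priv_drop_forever() != 0) return 1;
    return write(fd, "ok\n", 3) == 3 ? 0 : 1;         /* works without privilege */
}
```

Plain `setuid(getuid())` is only a permanent drop when the effective uid is root; for a binary setuid to another user it leaves the saved set-user-ID in place, which is the case the verification step catches.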


