[CentOS] Problem running a setuid Perl script on CentOS 4.5
James Olin Oden
james.oden at gmail.com
Fri Nov 16 16:16:09 UTC 2007

On 11/16/07, Alfred von Campe <alfred at von-campe.com> wrote:
> On Nov 16, 2007, at 9:55, Marc Wiatrowski wrote:
>
> > Being aware of the security implications, do you have
> > perl-suidperl-X.rpm installed?
>
> I meant I was aware of the implications of running setuid scripts.  I
> was not aware that CentOS' upstream provider had packaged suidperl
> separately.  Installing this package solved my problem.  However, I
> am pursuing an sudo solution at the moment that may work even better
> for me.
>
setuid scripts are not by their nature bad, as some would propose.  As
a matter of fact, without using a system with mandatory access controls
like SELinux, they can be effective tools to enhance overall security,
provided you follow some simple guidelines quite rigorously:
   - As soon as you start, de-elevate your privileges.
   - Only elevate your privileges for as long as you need to (as an
     example, one may need root to open certain files, but once it's
     opened you do not need root to read and write the file).
   - Try to keep the setuid program as simple as possible.  If there
     is a point where it can throw away its privileges forever, then
     do so.
   - Be very rigorous in determining that a user, in the current
     context they are in, should be using the setuid script.
I think the key word in all that is "rigor" and, though not used, "aware".
Cheers...james
> Thanks,
> Alfred
>
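
The four guidelines in the message above, sketched in C for a setuid binary on Linux. This is an added example, not part of the original message or of any CentOS package; the function names, the allow-list of UIDs and the file path are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

static uid_t real_uid;  /* the invoking user */
static uid_t priv_uid;  /* the setuid owner of the binary */

/* Call first in main(): run as the invoking user by default.
   The saved set-user-ID still holds priv_uid for later. */
int priv_init(void) {
    real_uid = getuid();
    priv_uid = geteuid();
    return seteuid(real_uid);
}

/* Decide whether the invoking (real) user may use this program. */
int caller_allowed(const uid_t *allowed, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == real_uid) return 1;
    return 0;
}

/* Elevate only around open(); the descriptor stays usable afterwards. */
int open_privileged(const char *path, int flags) {
    if (seteuid(priv_uid) != 0) return -1;
    int fd = open(path, flags);
    if (seteuid(real_uid) != 0) { if (fd >= 0) close(fd); return -1; }
    return fd;
}

/* Throw privileges away forever, then prove they cannot come back. */
int priv_drop_forever(void) {
    gid_t rgid = getgid();
    if (setregid(rgid, rgid) != 0) return -1;          /* group first */
    if (setreuid(real_uid, real_uid) != 0) return -1;  /* also resets saved UID */
    if (priv_uid != real_uid && seteuid(priv_uid) == 0) return -1;
    return 0;
}

int main(void) {
    uid_t allowed[] = { 1000 };  /* constructed allow-list */
    char buf[256];
    if (priv_init() != 0 || !caller_allowed(allowed, 1)) return 1;
    int fd = open_privileged("/var/lib/example/state", O_RDONLY); /* hypothetical path */
    if (priv_drop_forever() != 0) return 1;  /* checked even if open failed */
    if (fd < 0) { perror("open"); return 1; }
    ssize_t n = read(fd, buf, sizeof buf);   /* plain user from here on */
    printf("read %zd bytes as uid %d\n", n, (int)getuid());
    return 0;
}
```

Every set*id() return value is checked because a failed drop that goes unnoticed leaves the rest of the program running with the elevated identity.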