[CentOS] Problem running a setuid Perl script on CentOS 4.5

Fri Nov 16 16:19:39 UTC 2007
Brian Mathis <brian.mathis at gmail.com>

On Nov 16, 2007 11:16 AM, James Olin Oden <james.oden at gmail.com> wrote:
> On 11/16/07, Alfred von Campe <alfred at von-campe.com> wrote:
> > On Nov 16, 2007, at 9:55, Marc Wiatrowski wrote:
> >
> > > Being aware of the security implications, do you have
> > > perl-suidperl-X.rpm installed?
> >
> > I meant I was aware of the implications of running setuid scripts.  I
> > was not aware that CentOS' upstream provider had packaged suidperl
> > separately.  Installing this package solved my problem.  However, I
> > am pursuing an sudo solution at the moment that may work even better
> > for me.
> >
> setuid scripts are not by their nature bad as some would propose.  As
> a matter of fact without using a system with mandetory access controls
> like SELinux, they can be effective tools to enhance overal security
> provided you follow some simple
> guidelines quite rigorously:
>    - As soon as you start de-elevate your privileges.
>    - Only elevate your privileges for as long as you need to (as an example
>      one may need root to open certain files, but once its opened you do
>      not need root to read and write the file).
>    - Try to keep the setuid program as simple as possible.  If there
> is a point where
>      it can throw away its privileges forever then do so.
>    - Be very rigorous in determining that a user in the current
> context they are in
>      should be using the setuid script.
> I think the key word in alll that is "rigor" and though not used, "aware".
> Cheers...james

Good suggestions.  Also keep in mind that you don't always suid to
root.  You can also suid to another user (which seems to be the case