
[perl #23801] security: setuid/taint inconsistency

From:
perlbug-followup
Date:
September 13, 2003 10:55
Subject:
[perl #23801] security: setuid/taint inconsistency
Message ID:
rt-23801-64559.4.81949512827626@rt.perl.org
# New Ticket Created by  neilus@dcs.kcl.ac.uk 
# Please include the string:  [perl #23801]
# in the subject line of all future correspondence about this issue. 
# <URL: http://rt.perl.org/rt2/Ticket/Display.html?id=23801 >


Is the following a bug?

On Linux you can write Perl code that can regain privilege but runs without
automatic taint checks, on Solaris you cannot.

On Linux (kernel 2.2/glibc 2.1.3 and kernel 2.4/glibc 2.3), perl 5.8.0, the
following completes successfully:

#!/usr/bin/perl
# Run as root (not setuid root). Both ids are changed in one list
# assignment, then both are set back to 0.
print "$< $>\n";                    # real and effective uid as perl sees them
system "grep Uid /proc/$$/status";  # real, effective, saved and fs uid from the kernel
($<, $>) = (99, 99);
print "$< $>\n";
system "grep Uid /proc/$$/status";
chdir `pwd`;                        # tainted argument (command output): dies with
                                    # "Insecure dependency" only if taint checks are on
($<, $>) = (0, 0);                  # attempt to regain root
print "$< $>\n";
system "grep Uid /proc/$$/status";

while the following blows up with "Insecure dependency in chdir while running
with -T switch":

#!/usr/bin/perl
# Same uid changes as above, but one id per assignment; -1 leaves the
# other id unchanged.
print "$< $>\n";
system "grep Uid /proc/$$/status";
($<, $>) = (99, -1);                # real uid first, effective still 0
($<, $>) = (-1, 99);                # then effective uid
print "$< $>\n";
system "grep Uid /proc/$$/status";
chdir `pwd`;                        # tainted argument: this is where the second
                                    # program dies with "Insecure dependency"
($<, $>) = (-1, 0);
($<, $>) = (0, -1);
print "$< $>\n";
system "grep Uid /proc/$$/status";

In both cases you can see that the real, effective and saved uids compare at
all stages.

On Solaris 8, perl 5.8.0, if you run the two programs substituting 'system
"sudo pcred $$"' for 'system "grep Uid /proc/$$/status"' you should see that
the first program fails to regain privilege, while the second blows up as with
Linux.

I would expect the first program under Linux either to fail to regain privilege
or blow up on chdir because privilege is regainable.

All programs are run as root (not setuid root).
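The check the report says it expects from perl, written out as an added example (not part of the bug report or of perl itself): parse the `Uid:` line of the Linux `/proc/<pid>/status` dump that the two programs grep, decide whether privilege is regainable from the saved and fs uids rather than from real versus effective alone, and compare that with perl's own taint decision as exposed by `${^TAINT}` (available since perl 5.8.0). It assumes the four-column Linux `Uid:` format; the sample status text is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse the "Uid:" line of a Linux /proc/<pid>/status dump. The four
# columns are real, effective, saved and filesystem uid.
sub parse_uid_line {
    my ($status) = @_;
    my ($r, $e, $s, $f) = $status =~ /^Uid:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)/m
        or die "no Uid: line found";
    return { real => $r, effective => $e, saved => $s, fs => $f };
}

# Privilege is regainable whenever the four ids are not all equal: a
# saved (or fs) uid of 0 can be restored even when real == effective,
# which is the case perl's real-vs-effective test does not see.
sub privilege_regainable {
    my ($ids) = @_;
    my %distinct = map { $_ => 1 } values %$ids;
    return scalar(keys %distinct) > 1 ? 1 : 0;
}

# Constructed sample: the state the first program leaves behind on
# Linux after ($<, $>) = (99, 99): real/effective 99, saved uid still 0.
my $sample = "Name:\tperl\nUid:\t99\t99\t0\t99\nGid:\t0\t0\t0\t0\n";
my $ids = parse_uid_line($sample);
printf "sample: real=%d effective=%d saved=%d fs=%d regainable=%d\n",
    @{$ids}{qw(real effective saved fs)}, privilege_regainable($ids);

# Live check on this process: perl's decision (${^TAINT}: 1 under -T,
# -1 under -t, 0 otherwise) against the kernel's saved-uid reality.
open my $fh, '<', '/proc/self/status'
    or die "cannot read /proc/self/status: $!";
my $live = parse_uid_line(do { local $/; <$fh> });
close $fh;
my $regain = privilege_regainable($live);
printf "self: regainable=%d taint=%d%s\n", $regain, ${^TAINT},
    ($regain && !${^TAINT}) ? " (privilege regainable, taint checks off)" : "";
```

Running it after the first program's `($<, $>) = (99, 99)` step reports `regainable=1 taint=0`, which is the inconsistency the report describes; after the second program's split assignments perl would already have died or set `${^TAINT}`.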
