Front page | perl.perl5.porters |
Postings from October 2003
On Mon, Oct 27, 2003 at 04:53:11PM +0000, Alan Burlison wrote:
> For some reason I haven't been able to fathom,
> $) = $EGID;
> $> = $EUID;
> is NOT the equivalelent of
> ($), $>) = ($EUID, $EGID);
> when running a setuid-root script, at least on Solaris and I suspect on all
> platforms which support setreuid/setregid. In the list assignment case,
> perl uses setreuid/setregid instead of serial calls to seteuid/setegid and
> it gets the first parameter wrong:
>
> setreuid(37845, 37845) = 0
> :
> setregid(10, 10) = 0
>
> In this case, by specifying the uid of the invoking user as the first
> parameter, perl is giving up root privilege, and therefore the ability to
> set the euid/egid back to root at some future point. Am I going mad, or is
> this broken? I can't see why a list assignment should result in different
> system calls to a serial assignment.
I believe this is deliberate so that
($<, $>) = ($>, $<);
will call setreuid if available. The detection for this case must be
getting confused by your
($), $>) = ($EUID, $EGID);
so yes, either change you propose below should fix it.
> According to the setreuid/setregid manpages, the first parameter (real
> uid/gid) should be -1 to specify 'no change'. Either that, or perl should
> use seteuid/setegid instead of setreuid/setregid, which is what is does in
> the serial assignment case.
--
Rick Delaney
rick@bort.ca
Thread Previous