develooper Front page | perl.perl5.porters | Postings from October 2003

Re: Is this brokenness in $< $( $> & $) ?

Thread Previous
From:
Rick Delaney
Date:
October 27, 2003 10:46
Subject:
Re: Is this brokenness in $< $( $> & $) ?
Message ID:
20031027134547.F2233@biff.bort.ca
On Mon, Oct 27, 2003 at 04:53:11PM +0000, Alan Burlison wrote:
> For some reason I haven't been able to fathom,
>     $) = $EGID;
>     $> = $EUID;
> is NOT the equivalelent of
>     ($), $>) = ($EUID, $EGID);
> when running a setuid-root script, at least on Solaris and I suspect on all 
> platforms which support setreuid/setregid.  In the list assignment case, 
> perl uses setreuid/setregid instead of serial calls to seteuid/setegid and 
> it gets the first parameter wrong:
> 
> setreuid(37845, 37845)				= 0
> :
> setregid(10, 10)				= 0
> 
> In this case, by specifying the uid of the invoking user as the first 
> parameter, perl is giving up root privilege, and therefore the ability to 
> set the euid/egid back to root at some future point.  Am I going mad, or is 
> this broken?  I can't see why a list assignment should result in different 
> system calls to a serial assignment.

I believe this is deliberate so that

   ($<, $>) = ($>, $<);

will call setreuid if available.  The detection for this case must be
getting confused by your

     ($), $>) = ($EUID, $EGID);

so yes, either change you propose below should fix it.

> According to the setreuid/setregid manpages, the first parameter (real 
> uid/gid) should be -1 to specify 'no change'.  Either that, or perl should 
> use seteuid/setegid instead of setreuid/setregid, which is what is does in 
> the serial assignment case.

-- 
Rick Delaney
rick@bort.ca

Thread Previous


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About