Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

merlyn (47)

merlyn
  merlyn@stonehenge.com
http://www.stonehenge.com/merlyn/
AOL IM: realmerlyn (Add Buddy, Send Message)
Yahoo! ID: realmerlyn (Add User, Send Message)

PAUSE-ID: MERLYN [cpan.org].
See my home page [stonehenge.com].

Journal of merlyn (47)

Saturday December 17, 2005
03:11 PM

Broken security advisory (again)

[ #28037 ]
As found in this advisory (as well as being picked up a few other dozen places on the net):

The security issue is caused due to the Perl binary included with Mac OS X not correctly dropping privileges when a Perl application uses the "$< = numeric_id;" statement to set its uid. The issue may be caused due to wrong compilation options being selected when compiling the Perl binary.

What are these nutheads smoking? That variable doesn't control effective UID. It controls real UID, which has nothing to do with the effective privileges.

How do people get that messed up? I dunno. Maybe we need better books. {grin}

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.
  • I don't understand the technical background behind the variables $<, $> , $( and $).

    Perhaps an idea for a column?

    Or perhaps you did one already, and I just don't know about it.

    My current solution is to simply stay away from writing or touching code that requires that knowledge. :)
  • The advisory itself is rather vague and unhelpful. I'm surprised it exists at all. However it does provide an excellent opportunity to talk about Unix privileges and Perl. Randal, I hope you don't mind me using your journal too much for this purpose. ;)

    Dropping privileges in Perl is notoriously hard, and stems primarily from the fact that most unix systems provide at least three flavours of uid (real, effective, and saved), whereas Perl provides only two (real and effective). The saved uid, the one

    • Perl on MacOS (and possibly other BSDish platforms) *does* indeed have some unportable wierdness regarding uid/euid handing, as we found in this SpamAssassin bug report [apache.org].

      It appeared that some perl versions required RUID==EUID==0 before $ = 100; $" would silently fail to drop RUID==0 privs, and instead leave it at 0. To quote the bug report:

      Interestingly, the same exact issue occurs on my Mac OS X machine,
      but not any of the other platforms I have access to...

      root# perl -e 'sub p {print "RUID: $<,

      • 'It appeared that some perl versions required RUID==EUID==0 before $ = 100; $" would silently fail to drop RUID==0 privs, and instead leave it at 0.'

        well, that made no sense. sorry; forgot to escape $< and $>. anyway, read the pasted code; it's all pretty clear there.