  • The advisory itself is rather vague and unhelpful. I'm surprised it exists at all. However it does provide an excellent opportunity to talk about Unix privileges and Perl. Randal, I hope you don't mind me using your journal too much for this purpose. ;)

    Dropping privileges in Perl is notoriously hard, and stems primarily from the fact that most unix systems provide at least three flavours of uid (real, effective, and saved), whereas Perl provides only two (real and effective). The saved uid, the one

    • Perl on MacOS (and possibly other BSDish platforms) *does* indeed have some unportable weirdness regarding uid/euid handling, as we found in this SpamAssassin bug report [apache.org].

      It appeared that some perl versions required RUID==EUID==0 before $ = 100; $" would silently fail to drop RUID==0 privs, and instead leave it at 0. To quote the bug report:

      Interestingly, the same exact issue occurs on my Mac OS X machine,
      but not any of the other platforms I have access to...

      root# perl -e 'sub p {print "RUID: $<, EUID: $>\n";} p; $>=1000; p; $<=$>; p;'
      RUID: 0, EUID: 0
      RUID: 0, EUID: 1000
      RUID: 0, EUID: 1000

      The end line should read "RUID: 1000, EUID: 1000".

      Linux:

      # perl -e 'sub p {print "RUID: $<, EUID: $>\n";} p; $>=1000; p; $<=$>; p;'
      RUID: 0, EUID: 0
      RUID: 0, EUID: 1000
      RUID: 1000, EUID: 1000

      Solaris:

      # perl -e 'sub p {print "RUID: $<, EUID: $>\n";} p; $>=1000; p; $<=$>; p;'
      RUID: 0, EUID: 0
      RUID: 0, EUID: 1000
      RUID: 1000, EUID: 1000

      More interesting bits:

      # perl -e 'sub p {print "RUID: $<, EUID: $>\n";} p; $<=1000; p;'
      RUID: 0, EUID: 0
      RUID: 0, EUID: 0
      # perl -e 'sub p {print "RUID: $<, EUID: $>\n";} p; use POSIX; setuid(1000); p;'
      RUID: 0, EUID: 0
      RUID: 0, EUID: 0
      # cat - > t.c
      main() {
        printf("RUID: %d, EUID: %d\n", getuid(), geteuid());
        setuid(1000);
        printf("RUID: %d, EUID: %d\n", getuid(), geteuid());
      }
      # gcc t.c
      # ./a.out
      RUID: 0, EUID: 0
      RUID: 1000, EUID: 1000

      so setuid() obviously works.  just not at all from perl.

      Our workaround was to check $< and $> after the first (POSIX-ish) idiom, then use $> = $<; $< = 100; $> = "100 100"; This [apache.org] is the patch we applied to SpamAssassin to do this.

      • 'It appeared that some perl versions required RUID==EUID==0 before $ = 100; $" would silently fail to drop RUID==0 privs, and instead leave it at 0.'

        well, that made no sense. sorry; forgot to escape $< and $>. anyway, read the pasted code; it's all pretty clear there.
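The thread's point, that a privilege drop from Perl can fail silently and has to be checked afterwards, shown as an added example (not code from the thread or from the SpamAssassin patch). The function names are hypothetical and uid/gid 1000 is a constructed placeholder account.

```perl
#!/usr/bin/perl
# Added example: drop root for good and refuse to continue unless it worked.
use strict;
use warnings;
use POSIX ();

# Return a list of reasons why the process is NOT fully running as $uid/$gid.
sub privilege_problems {
    my ($uid, $gid) = @_;
    my @bad;
    push @bad, "RUID is $<, wanted $uid" if $< != $uid;
    push @bad, "EUID is $>, wanted $uid" if $> != $uid;
    my ($rgid)        = split ' ', $(;
    my ($egid, @supp) = split ' ', $);
    push @bad, "RGID is $rgid, wanted $gid" if $rgid != $gid;
    push @bad, "EGID is $egid, wanted $gid" if $egid != $gid;
    push @bad, "extra supplementary groups: @supp" if grep { $_ != $gid } @supp;
    return @bad;
}

sub drop_privileges {
    my ($uid, $gid) = @_;
    die "refusing to drop to uid 0 or gid 0\n" unless $uid > 0 && $gid > 0;

    # Groups first: after the uid changes we may no longer be allowed to.
    $) = "$gid $gid";    # EGID plus the setgroups() list
    $( = $gid;           # RGID
    POSIX::setgid($gid);
    # setuid(2) called as root sets real, effective and saved uid in one call.
    POSIX::setuid($uid);

    # The report above shows these calls can fail silently, so re-read the ids.
    my @bad = privilege_problems($uid, $gid);

    # A saved uid of 0 would let us get root back, so try it and expect failure.
    $> = 0;
    POSIX::setuid(0);
    push @bad, "root could be regained (RUID $<, EUID $>)" if $< == 0 || $> == 0;

    die "privilege drop incomplete: " . join('; ', @bad) . "\n" if @bad;
    return 1;
}

# Constructed demo values: 1000/1000 is a placeholder account, not from the page.
unless (caller) {
    die "run as root to exercise the drop\n" if $> != 0;
    drop_privileges(1000, 1000);
    print "now RUID $<, EUID $>; groups $)\n";
}
```

On a platform that behaves like the Mac OS X case quoted above, this dies with "RUID is 0, wanted 1000" instead of carrying on with a real uid of root.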