l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
November 4: Social gathering
Next Installfest:
TBD
Latest News:
Oct. 24: LUGOD election season has begun!
Page last updated:
2003 May 06 13:50

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] Running a suid root perl script
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] Running a suid root perl script



--On Monday, May 05, 2003 11:37:20 -0700 Henry House <hajhouse@houseag.com> wrote:

#!/usr/bin/suidperl -T
$ENV{'PATH'} = '/bin:/usr/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
$ENV{'HOME'} = '/root';
open(BOGOFILTER, "|ssh root\@mail.internal bogofilter -Nsv");
while ($line = <STDIN>) { print BOGOFILTER $line }
close(BOGOFILTER);
exit
My guess is that you're being tripped up by the real ID being different from the effective ID. Ssh is pretty strict about security and not every thing it checks is described in the documentation.

However, would recommend you implement this process in another way. First of all, the script will fail rather badly if the open() step fails for any reason. Second, you're apparently using a general-purpose ssh key which can be used to run any kind of command on the remote system, with the script being the only protection. You should set up a special key which can only be used to run "bogofilter -Nsv" on the remote host. Third, there's no good reason to be using the root ID for this, at least on the local side.

Personally I wouldn't have the user launching ssh interactively at all. I'd probably just write the mail to a file in a directory somewhere, then use a cron job to periodically copy the directory contents to the remote system. Maybe you trust your users, but the script you've posted here would make me nervous.

For example, bogofilter has to lock its wordlist files to guard against simultaneous access. If bogofilter is part of the normal mail delivery process, then someone running

sleep 999999 | /usr/local/bin/spamlearn

might be able to halt normal mail delivery.

--
Kenneth Herron Kherron@newsguy.com 916-366-7338
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.