Linux SUID
Skip Montanaro
skip at pobox.com
Mon Apr 28 17:14:14 EDT 2003
>> There one can turn on the SUID-exec permission bit which is honoured
>> by Perl.
...
>> Is there something similar in Python?
Gerhard> Short answer: No.
Gerhard> There's a demo suid wrapper in the source distribution ...
Skip> I think the Mailman distribution has/does something similar, using
Skip> a compiled C program to do the suid bit. If my recollection is
Skip> correct it's likely to be better tested than the demo wrapper in
Skip> the Python distribution.
I was just checking up on possible software updates for some machines I just
took over at Northwestern and noticed this item on dev.perl.org about the
suidperl capability:

    A potential security vulnerability in the optional suidperl
    component of Perl was identified in August 2000. suidperl is
    neither built nor installed by default. As of November 2001 the
    only known vulnerable platform is Linux, most likely all Linux
    distributions. CERT and various vendors and distributors have
    been alerted about the vulnerability. See
    http://www.cpan.org/src/5.0/sperl-2000-08-05/sperl-2000-08-05.txt
    for more information.

    The problem was caused by Perl trying to report a suspected
    security exploit attempt using an external program, /bin/mail. On
    Linux platforms the /bin/mail program had an undocumented feature
    which when combined with suidperl gave access to a root shell,
    resulting in a serious compromise instead of reporting the exploit
    attempt. If you don't have /bin/mail, or if you have 'safe setuid
    scripts', or if suidperl is not installed, you are safe.

    The exploit attempt reporting feature has been completely removed
    from Perl 5.8.0 (and the maintenance release 5.6.1, and it was
    removed also from all the Perl 5.7 releases), so that particular
    vulnerability isn't there anymore. However, further security
    vulnerabilities are, unfortunately, always possible. The suidperl
    functionality is most probably going to be removed in Perl 5.10.
    In any case, suidperl should only be used by security experts who
    know exactly what they are doing and why they are using suidperl
    instead of some other solution such as sudo (see
    http://www.courtesan.com/sudo/).

So, if you count on it in Perl, prepare for it to disappear. Be extra
careful if you use anything similar with Python such as the suid
capabilities Gerhard and I referred to.
Skip
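As an added example (not code from this post, from Mailman, or from the demo wrapper in the Python distribution), this is the skeleton of the kind of compiled setuid wrapper Skip mentions: it execs one fixed, root-owned script with a fixed interpreter, throws away the caller's environment, and refuses option-like arguments, so the privileged interpreter cannot be redirected the way the suidperl /bin/mail path allowed. INTERP and SCRIPT are assumed paths.

```c
/* Added example, not code from the post, Mailman or the Python demo
 * wrapper: a minimal setuid wrapper that execs one fixed Python script.
 * INTERP and SCRIPT are assumed paths; both files must be root-owned. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define INTERP "/usr/bin/python3"                   /* assumption */
#define SCRIPT "/usr/local/lib/suid-demo/task.py"   /* assumption */

/* The caller's environment is discarded entirely (PYTHONPATH, PYTHONHOME,
 * LD_PRELOAD, ...); only a fixed PATH is passed to the privileged child. */
char **build_safe_env(void) {
    static char *env[] = { "PATH=/usr/bin:/bin", NULL };
    return env;
}

/* Refuse anything the interpreter could read as an option (-c, -m, a bare
 * "-" meaning stdin) and empty strings; only plain data reaches the script. */
int args_are_safe(int argc, char **argv) {
    for (int i = 1; i < argc; i++)
        if (argv[i][0] == '-' || argv[i][0] == '\0')
            return 0;
    return 1;
}

int main(int argc, char **argv) {
    if (!args_are_safe(argc, argv)) {
        fputs("usage: wrapper [plain-arg ...]\n", stderr);
        return 2;
    }
    /* Child argv: interpreter, -I (isolated mode: PYTHON* variables, the
     * user site directory and the script's directory are all ignored),
     * the fixed script, then the caller's plain arguments. */
    char **nargv = calloc((size_t)argc + 3, sizeof *nargv);
    if (nargv == NULL)
        return 1;
    nargv[0] = INTERP;
    nargv[1] = "-I";
    nargv[2] = SCRIPT;
    for (int i = 1; i < argc; i++)
        nargv[i + 2] = argv[i];
    /* Collapse real/effective/saved ids so no half-privileged state survives
     * into the child and it cannot switch back to the caller's uid later. */
    if (setgid(getegid()) != 0 || setuid(geteuid()) != 0) {
        perror("setuid");
        return 1;
    }
    execve(INTERP, nargv, build_safe_env());
    perror("execve");
    return 1;
}
```

Install the compiled binary with the setuid bit instead of the script, and keep the script and its directory writable only by root; the wrapper does nothing for a script the caller can edit.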