Secure scripts variables

Paul Rubin http
Thu Mar 31 11:04:52 CEST 2005

Florian Lindner <Florian.Lindner at> writes:
> AFAIK scripts can't be setuid? Can you tell me what you mean and how to do
> it?

Actually it looks like Linux doesn't support setuid scripts.  I
thought the feature had been restored.  There is a well-known security
hole but there are workarounds for it and some of the BSD-derived
Unixes implement those.  And there is a special hack for Perl that
uses an accessory setuid C program to run setuid Perl scripts--maybe
something like it could be written for Python.

Anyway, the simple workaround is to write a simple C wrapper that
invokes the Python interpreter on your script.  Make sure to use a
complete path to specify where your script is.  From the "perlsec"

        #include <unistd.h>
        #define REAL_PATH "/path/to/script"
        int main(int ac, char **av)
        {
            execv(REAL_PATH, av);   /* replaces this process; returns only on failure */
            return 1;
        }

    Compile this wrapper into a binary executable and then make it rather
    than your script setuid or setgid.

You have to be very careful writing these scripts since there are all
kinds of errors you can make.  Perl's "taint checking" feature helps
catch a lot of those and it would be good if Python had something
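
An added example, not part of the original post or of perlsec: a more defensive form of the wrapper described above, which runs the Python interpreter by absolute path on a fixed script and replaces the caller's environment with a fixed one. PYTHON_PATH, SCRIPT_PATH, MAX_ARGS, clean_env and build_argv are names and values assumed for illustration; -I is Python 3's isolated mode, which ignores PYTHON* environment variables and keeps the script directory and user site-packages out of sys.path.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed paths for illustration; set them to your interpreter and script. */
#define PYTHON_PATH "/usr/bin/python3"
#define SCRIPT_PATH "/path/to/script.py"
#define MAX_ARGS 64

/* Fixed environment: nothing set by the caller (PYTHONPATH, LD_PRELOAD, ...) survives. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Build the child's argv: interpreter, -I, script, then the caller's own
 * arguments (av[0] is dropped). Returns the number of entries written, not
 * counting the terminating NULL, or -1 if they would not fit in out[]. */
int build_argv(int ac, char **av, char **out, int out_len)
{
    int n = 0, i;
    if (ac < 0 || ac + 4 > out_len)   /* 3 fixed entries + args + NULL, ac may be 0 */
        return -1;
    out[n++] = PYTHON_PATH;
    out[n++] = "-I";
    out[n++] = SCRIPT_PATH;
    for (i = 1; i < ac; i++)
        out[n++] = av[i];
    out[n] = NULL;
    return n;
}

int main(int ac, char **av)
{
    char *args[MAX_ARGS];
    if (build_argv(ac, av, args, MAX_ARGS) < 0) {
        fprintf(stderr, "wrapper: too many arguments\n");
        return 126;
    }
    execve(PYTHON_PATH, args, clean_env);   /* absolute path, no PATH search */
    perror("wrapper: execve");              /* reached only if exec failed */
    return 127;
}
```

The script itself still receives caller-controlled arguments, so it must validate them like any other untrusted input.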
