Secure scripts variables

Paul Rubin http
Thu Mar 31 11:04:52 CEST 2005


Florian Lindner <Florian.Lindner at xgm.de> writes:
> AFAIK scripts can't be setuid? Can you tell me what you mean and how to do
> it?

Actually it looks like Linux doesn't support setuid scripts.  I
thought the feature had been restored.  There is a well-known security
hole but there are workarounds for it and some of the BSD-derived
Unixes implement those.  And there is a special hack for Perl that
uses an accessory setuid C program to run setuid Perl scripts--maybe
something like it could be written for Python.

Anyway, the simple workaround is to write a simple C wrapper that
invokes the Python interpreter on your script.  Make sure to use a
complete path to specify where your script is.  From the "perlsec"
documentation:

        #define REAL_PATH "/path/to/script"
        main(ac, av)
            char **av;
        {
            execv(REAL_PATH, av);
        }

    Compile this wrapper into a binary executable and then make it rather
    than your script setuid or setgid.

http://supportweb.cs.bham.ac.uk/documentation/perl5/pod/perlsec.html

You have to be very careful writing these scripts since there are all
kinds of errors you can make.  Perl's "taint checking" feature helps
catch a lot of those and it would be good if Python had something
similar.



More information about the Python-list mailing list