Hello list!
From man mount:
nosuid Do not allow set-user-identifier or set-group-identifier bits to take effect. (This seems safe, but is in fact rather unsafe if you have suidperl(1) installed.)
Would somebody tell me why it's rather unsafe to use this option if suidperl is installed? I have all man pages installed but have none for suidperl, although I have a file /usr/bin/suidperl. I also couldn't find anything about this program in the SuSE-sites.
Thanks in advance!
Anibal
Hi *!
Anibal Vasquez claimed on Sat, 21 Oct 2000 at 14:59:
> nosuid Do not allow set-user-identifier or set-group-identifier bits to take effect. (This seems safe, but is in fact rather unsafe if you have suidperl(1) installed.)
> Would somebody tell me why it's rather unsafe to use this option if suidperl is installed? I have all man pages installed but have none for suidperl, although I have a file /usr/bin/suidperl. I also couldn't find anything about this program in the SuSE-sites.
OK, I'm late... No one seems to have answered yet.
"Normal" programs (i.e. binary code as produced by a compiler) can be executed setuid. The program runs under the uid of the user owning the file containing the code.
Perl code (just as shell code or other interpreted code) runs under the uid of the calling user. BUT: suidperl (which is not installed suid under SuSE, btw; you're secure) resides under /usr/bin - and thus is not mounted nosuid (usually; it would be senseless, otherwise). This means: suid perl scripts (executed by suidperl instead of perl) can run suid even if the file system containing the script is mounted nosuid.
The comment from the man page just tells you that you lose the advantages of nosuid mounting if suidperl is installed (and suid root). Mounting nosuid never decreases security over "normal" mounting.
Anyway, suidperl is bad[tm]. chmod 755 it.
Bye, Basti
--
Bastian Friedrich bastian@bastian-friedrich.de
Address & Fon available on my HP http://www.bastian-friedrich.de/
\~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
\ Artificial Intelligence usually beats real stupidity.
On Tue, 24 Oct 2000, Bastian Friedrich wrote:
hi,
> Hi *!
> Anibal Vasquez claimed on Sat, 21 Oct 2000 at 14:59:
> > nosuid Do not allow set-user-identifier or set-group-identifier bits to take effect. (This seems safe, but is in fact rather unsafe if you have suidperl(1) installed.)
> > Would somebody tell me why it's rather unsafe to use this option if suidperl is installed? I have all man pages installed but have none for suidperl, although I have a file /usr/bin/suidperl. I also couldn't find anything about this program in the SuSE-sites.
> OK, I'm late... No one seems to have answered yet.
> "Normal" programs (i.e. binary code as produced by a compiler) can be executed setuid. The program runs under the uid of the user owning the file containing the code.
> Perl code (just as shell code or other interpreted code) runs under the uid of the calling user. BUT: suidperl (which is not installed suid under SuSE, btw; you're secure) resides under /usr/bin - and thus is not mounted nosuid (usually; it would be senseless, otherwise). This means: suid perl scripts (executed by suidperl instead of perl) can run suid even if the file system containing the script is mounted nosuid.
This is not correct. :) suidperl checks whether or not the FS is mounted with suid option. If not it refuses to run the script under the other euid.
> The comment from the man page just tells you that you lose the advantages of nosuid mounting if suidperl is installed (and suid root). Mounting nosuid never decreases security over "normal" mounting.
> Anyway, suidperl is bad[tm]. chmod 755 it.
> Bye, Basti
Sebastian
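The two conditions this thread turns on (whether suidperl carries the set-user-ID bit, and which file systems are mounted without nosuid) can be audited as below. This is an added example, not code from any poster; the function names are hypothetical and the mount table is a constructed sample in /proc/mounts format.

```shell
#!/bin/sh
# Added audit example. Input format follows /proc/mounts:
#   device mountpoint fstype options dump pass

# Print mount points whose option list lacks "nosuid",
# i.e. file systems where set-user-ID bits still take effect.
mounts_without_nosuid() {
    while read -r _dev mnt _type opts _rest; do
        case ",$opts," in
            *,nosuid,*) ;;                 # setuid bits ignored here
            *) printf '%s\n' "$mnt" ;;
        esac
    done
}

# Report whether a path is "absent", "setuid" or "not-setuid".
interpreter_status() {
    if [ ! -e "$1" ]; then
        echo absent
    elif [ -u "$1" ]; then                 # -u: set-user-ID bit is set
        echo setuid
    else
        echo not-setuid
    fi
}

# Constructed sample mount table (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/hda1 / ext2 rw 0 0
/dev/hda3 /home ext2 rw,nosuid,nodev 0 0
/dev/fd0 /floppy vfat rw,nosuid,noexec 0 0
/dev/hda2 /usr ext2 ro 0 0
EOF
}

echo "Mount points without nosuid (sample data):"
sample_mounts | mounts_without_nosuid
# /usr/bin/suidperl is the path named in the thread.
echo "suidperl: $(interpreter_status /usr/bin/suidperl)"
```

On a live system, feed `/proc/mounts` to `mounts_without_nosuid` instead of the sample.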
participants (3)
- Anibal Vasquez
- Bastian Friedrich
- Sebastian Krahmer