setuid or setgid perl scripts don't work
This document (3436932) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Desktop 10
Situation
Resolution
- Identify the full name of the sperl binary:
    ls -l /usr/bin/sperl*
  e.g. for a SUSE Linux Enterprise 10 system, the sperl binary is /usr/bin/sperl5.8.8.
- Edit /etc/permissions.local and add the following lines:
    # sperl needs to be setuid in order for setuid/setgid
    # perl scripts to function.
    /usr/bin/sperl5.8.8 root.root 4755
  Replace sperl5.8.8 by the name of the sperl binary identified previously.
- Run
    SuSEconfig
  to apply the permissions change.
- Verify that the change took effect: Run
    ls -l /usr/bin/sperl*
  and check that the permissions field has the setuid bit set (mode -rwsr-xr-x).
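The verification step can be automated so that drift between /etc/permissions.local and the file system is noticed later. The script below is an added example, not part of the SUSE article: it compares each entry of a permissions.local-style file with the owner, group and mode found on disk. The function names are hypothetical and GNU stat (coreutils) is assumed.

```shell
#!/bin/sh
# Added example: compare entries in a permissions.local-style file with what
# is actually on disk. Assumes GNU stat (coreutils); function names are
# hypothetical and not part of any SUSE tool.

# audit_entry PATH OWNER.GROUP MODE
# Prints one result line; returns 0 only when owner, group and mode all match.
audit_entry() {
    path=$1
    want_owner=$(printf '%s' "$2" | tr ':' '.')   # accept root:root as well as root.root
    want_mode=$(printf '%o' "0$3")                # normalise 0755 and 755 to the same form
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    have_owner=$(stat -c '%U.%G' "$path")
    have_mode=$(stat -c '%a' "$path")             # 4755 when the setuid bit is set
    if [ "$have_owner" = "$want_owner" ] && [ "$have_mode" = "$want_mode" ]; then
        echo "OK       $path $have_owner $have_mode"
        return 0
    fi
    echo "MISMATCH $path expected $want_owner $want_mode, found $have_owner $have_mode"
    return 1
}

# audit_permissions_file FILE
# Checks every non-comment entry; returns the number of entries that failed.
audit_permissions_file() {
    failures=0
    while read -r path owner mode _rest; do
        case $path in ''|'#'*) continue ;; esac   # skip blank lines and comments
        audit_entry "$path" "$owner" "$mode" || failures=$((failures + 1))
    done < "$1"
    return "$failures"
}

# Usage on the system from the article:
#   audit_permissions_file /etc/permissions.local
```

A MISMATCH line for the sperl entry after SuSEconfig has run means the setuid bit or the root ownership was not applied, or was changed afterwards.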
Additional Information
The setuid and setgid bits on an executable (binary or script) instruct the system to try to run the executable with the permissions of the file owner/group, rather than of the invoking user/group. This way, the executable can perform operations outside the security container of the invoking user/group's rights.
For instance, even when a mail transfer agent's processes are running under a non-root user's privilege, they can invoke a mail delivery script owned by the root user which has the setuid bit set in order to deliver mail as files that are owned by the mail recipient's Unix user id and group.
Because programming errors in setuid/setgid executables, or wrong ownership of them, pose security risks, and because support for setuid/setgid perl scripts is needed only on a minority of systems, SUSE products default to having support for setuid/setgid perl scripts disabled.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 3436932
- Creation Date: 16-Jan-2008
- Modified Date: 04-Mar-2021
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com