Hi, "Marcus Vinícius S. Mendes" <marcusvi@cptec.inpe.br> [20070226 14:37:26 -0300]:
Hello, I'm using a OpenSuse Linux 10.2 with kernel 2.6.18.2-34-default.
I have a script in perl (hupsyslog) that need to get an environment variable. I'd gave permission of SUID to 'sperl' (that is a hard link to 'suidperl') as the system says. So now, I get this error message:
Insecure $ENV{PATH} while running setuid at /usr/local/ldm/bin/hupsyslog line 24.
This is not a syslog-ng issue: http://www.perl.com/doc/manual/html/pod/perlsec.html
The line 24 is as follows:
($os,$hostname,$version) = split(/ /,`uname -a`);
What can I do about this?
...what happens if someone can persuade the $ENV{PATH} to become: PATH=/tmp/evilprograms:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games The 'uname' that's run could be '/tmp/evilprograms/uname' instead of the program you are expecting, '/bin/uname'. To be honest you should be not executing programs from within programs as it makes the code unportable and introduces security problems like the one I just showed above. You should use $^O/$OSNAME as stated in 'man perlfaq8'. There are other OS independent ways to determine OS version and the hostname; I'll leave it to you to discover them as an educational exercise :)
The system looks let the script not use environment variables. Any hints?
Do not suidperl scripts...its usually asking for trouble in my book. What is it that you are actually doing with the script that means it needs to be suid? It screams alarm bells in my head that a pipe service for syslog-ng needs this. Often with a bit of thinking you can work around this problem but it really depends on what you are trying to do. Cheers Alex