Can I setuid for perl script?


Problem description

I made a perl script to change the owner of a file owned by some other user. The script is complete. My administrator saved it in the /sbin directory and set the uid for it using chmod u+s name_of_script. But when I run this script it gives me an error that the chown operation is not permitted. I made a C program and it works by following the same steps. So my question is: if setuid is working for perl then I should not get that error, because the C code did not give me any error. So can I setuid for a perl script, or should I go with C code?

Don't tell me to ask the administrator to change the owner each time. Actually, on the server I have the user name staging and I am hosting a joomla site in it. Now when I install some plugin, the files related to that plugin are owned by www-data. So that's why I do not want to go to the admin each time. Or you can also give me some other solution to my problem.

Thanks.

Recommended answer

Many unix systems (probably most modern ones) ignore the suid bit on interpreter scripts, as it opens up too many security holes.

However, if you are using perl < 5.12.0, you can run perl scripts with setuid set, and they will run as root. How it works is that when the normal perl interpreter runs and detects that the file you are trying to execute has the setuid bit set, it then executes a program called suidperl. suidperl takes care of elevating the user's privileges, and starting up the perl interpreter in a super-secure mode. suidperl is itself running with setuid root.

One of the consequences of this is that taint mode is turned on automatically. Other additional checks are also performed. You will probably see messages like:

Insecure $ENV{PATH} while running setuid at ./foobar.pl line 3.

perlsec provides some good information about securing such scripts.

suidperl is often not installed by default. You may have to install it via a separate package. If it is not installed then you get this message:

Can't do setuid (cannot exec sperl)

Having said all of that - you would be much better off using sudo to execute actions with elevated privileges. It is much more secure as you can specify exactly what is allowed to be executed via the sudoers file.

As of perl 5.12.0, suidperl was dropped. As a result, if you want to run a perl script on perl >= 5.12.0 with setuid set, you would have to write your own C wrapper. Again I recommend sudo as a better alternative.
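
The sudo approach recommended in the answer above, sketched as an added example that is not part of the original question or answer: a root-owned helper that takes no arguments and hands files created by www-data under one fixed site directory to staging, with the matching sudoers rule in its header comment. The helper path /usr/local/sbin/fix-site-owner and the docroot /home/staging/public_html are assumptions, and `--from` requires GNU chown.

```shell
#!/bin/sh
# fix-site-owner: hypothetical helper, owned by root, mode 0755, installed as
# /usr/local/sbin/fix-site-owner (assumed path). Sudoers rule, edited with
# visudo; the trailing "" makes sudo reject any command-line argument:
#
#   staging ALL=(root) /usr/local/sbin/fix-site-owner ""
#
# The staging user then runs: sudo /usr/local/sbin/fix-site-owner

# Fixed PATH, so no binary is ever looked up through the caller's environment.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# Assumed docroot. Its parent directories must not be writable by www-data.
SITE_ROOT=/home/staging/public_html
FROM_USER=www-data   # owner of files created by the web server
TO_USER=staging

# True only for a real directory: a symlink planted in place of the root
# must not redirect a recursive chown that runs as root.
is_safe_root() {
    [ -d "$1" ] && [ ! -L "$1" ]
}

# fix_owner ROOT FROM TO: give FROM's files under ROOT to TO.
#   -h      change a symlink itself, never the file it points to
#   -R      recurse (chown does not follow symlinks it meets by default)
#   --from  GNU chown only: skip files not currently owned by FROM
fix_owner() {
    if ! is_safe_root "$1"; then
        echo "refusing: $1 is not a plain directory" >&2
        return 1
    fi
    chown -hR --from="$2" "$3" -- "$1"
}

# Do the work only as root (through the sudoers rule) and on a safe root.
if [ "$(id -u)" -eq 0 ] && is_safe_root "$SITE_ROOT"; then
    fix_owner "$SITE_ROOT" "$FROM_USER" "$TO_USER"
else
    echo "run through sudo; $SITE_ROOT must be a plain directory" >&2
fi
```

Because the helper accepts no path from the caller and only touches files already owned by www-data, the sudoers rule grants staging exactly one fixed action rather than a general chown.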
