Jason Haar wrote:
On Wed, Apr 07, 2004 at 03:51:20PM -0400, Jamie Pratt wrote:

I can't find that error message in the regular Perl src for 5.8.3, but I did find this patch file on the web for 5.9.1 - is your suidperl binary setuid root, as well as qmail-scanner-queue.pl?


Well I'm running Q-S under Fedora - which uses perl-5.8.3 and suidperl works
fine.

This is the result of a security patch to 5.9 being backported to 5.8.3 by the Debian team. So it only affects Debian (the unstable branch; the stable branch should still work the same since it still uses 5.6.1). So future versions of perl will also be affected.


suidperl needs to be suid root - Qmail-Scanner needs to use suidperl
and be suid qscand

According to the perlsec docs, suidperl should not be called directly as it is currently done in qmail-scanner. perl will automatically call suidperl if it sees that the perl script has the suid bit set.


Here is the relevant part of the docs:

------------- from perldoc perlsec ----------------
Perl can emulate the setuid and setgid mechanism when it notices the otherwise useless setuid/gid bits on Perl scripts. It does this via a special executable called suidperl that is automatically invoked for you if it's needed.
----------------------------------------------------------------


So qmail-scanner should probably be changed so that it reverts to just using /usr/bin/perl instead of calling /usr/bin/suidperl directly. As long as the suid bit is set on the perl script, perl will 'do the right thing'. As a matter of fact, the configure test that is done to check if suid scripts work currently just uses /usr/bin/perl, so I think it would be safe to do the same thing for the real qmail-scanner script. That should solve the debian problem, and fix things for future versions of perl as well.

Also, the -T is not necessary, as taint mode is automatically activated on all suid perl scripts.

Cheers,

Cees
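The layout recommended above (a `#!/usr/bin/perl` shebang rather than a direct call to suidperl, with the setuid bit on the script itself) is easy to audit. The following shell function is an added example written for this thread, not code from qmail-scanner or from any poster; it only inspects the script's first line and mode bits and reports deviations from that layout. The sample script it creates at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a Perl script that is meant to run setuid.
# Checks, per the thread's recommendation:
#   1. the shebang is /usr/bin/perl (or /usr/local/bin/perl), not suidperl
#      called directly, so perl itself dispatches to suidperl when needed;
#   2. the setuid bit is actually set on the script (perl keys off that);
#   3. -T on the shebang is merely redundant for setuid scripts (note only).
# Returns 0 when the script matches the recommended layout, 1 otherwise,
# and 2 when the path is not a regular file.
check_suid_perl_script() {
    script="$1"
    status=0
    if [ ! -f "$script" ]; then
        echo "ERROR: $script is not a regular file"
        return 2
    fi
    shebang=$(head -n 1 "$script")
    case "$shebang" in
        '#!/usr/bin/suidperl'*)
            echo "WARN: $script invokes suidperl directly; use #!/usr/bin/perl and let perl dispatch to suidperl"
            status=1 ;;
        '#!/usr/bin/perl'*|'#!/usr/local/bin/perl'*)
            echo "OK: shebang is '$shebang'" ;;
        *)
            echo "WARN: unexpected shebang: '$shebang'"
            status=1 ;;
    esac
    if [ -u "$script" ]; then
        echo "OK: setuid bit is set on $script"
    else
        echo "WARN: setuid bit is not set on $script; perl will not switch to suidperl"
        status=1
    fi
    case "$shebang" in
        *-T*) echo "NOTE: -T is present but redundant; taint mode is implied for setuid scripts" ;;
    esac
    return $status
}

# Demonstration on a constructed sample (not a real qmail-scanner-queue.pl):
# the legacy layout the thread argues against, then the recommended one.
demo=$(mktemp)
printf '#!/usr/bin/suidperl -T\nprint "hello\\n";\n' > "$demo"
chmod u+s "$demo"
check_suid_perl_script "$demo" || echo "-> legacy layout flagged (exit $?)"
printf '#!/usr/bin/perl\nprint "hello\\n";\n' > "$demo"
chmod u+s "$demo"
check_suid_perl_script "$demo" && echo "-> recommended layout passes"
rm -f "$demo"
```

Run it as the user who owns the script (chmod u+s needs no privilege on your own file), or point `check_suid_perl_script` at the installed qmail-scanner-queue.pl to confirm the shebang and mode after editing it.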


_______________________________________________ Qmail-scanner-general mailing list https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
