Your message dated Mon, 2 May 2011 11:09:09 +0100
with message-id <[email protected]>
and subject line perl-suid has been removed from Debian
has caused the Debian Bug report #245020,
regarding perl-suid: suid perl needs extra permissions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
245020: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=245020
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: perl-suid
Version: 5.6.1-8.7
Severity: grave
Tags: security
Justification: user security hole

The most recent version of perl-suid needs extra read permissions to run
a suid script.

What I think is happening is that the perl interpreter is attempting to
read the script before handing it off to suidperl.  The perl interpreter
does not have sufficient permission to read the script; however, suidperl
does.

This is a problem because it is exposing information (the contents of the
script in question) to the users that run the script.

Here is a pieced-together transcript (from two separate x-windows, running
at the same time.)  Slices are in chronological order.  Note the fact that
the two transcripts are running as different users.

[session 1]
popcap@vulcan:~/ian_rsync$ chmod 4711 push.pl
popcap@vulcan:~/ian_rsync$ ls -l push.pl
-rws--x--x    1 popcap   popcap       2166 Apr 20 18:11 push.pl
popcap@vulcan:~/ian_rsync$

[session 2]
www-data@vulcan:~$ /home/popcap/ian_rsync/push.pl
Can't open perl script "/home/popcap/ian_rsync/push.pl": Permission denied
www-data@vulcan:~$

[session 1]
popcap@vulcan:~/ian_rsync$ chmod 4755 push.pl
popcap@vulcan:~/ian_rsync$ ls -l push.pl
-rwsr-xr-x    1 popcap   popcap       2166 Apr 20 18:11 push.pl
popcap@vulcan:~/ian_rsync$

[session 2]
www-data@vulcan:~$ /home/popcap/ian_rsync/push.pl
www-data@vulcan:~$


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux vulcan.internal.popcap.com 2.4.23 #1 Wed Dec 17 16:23:26 PST 2003 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages perl-suid depends on:
ii  libc6                         2.2.5-11.5 GNU C Library: Shared libraries an
ii  libperl5.6                    5.6.1-8.7  Shared Perl library.
ii  perl                          5.6.1-8.7  Larry Wall's Practical Extraction 



--- End Message ---
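
An audit for the two permission states shown in the transcript above, as an added example that is not part of the original bug report or of perl-suid: it parses `ls -l` mode strings, classifies set-uid files by whether group or other can read them, and walks a tree listing set-uid files together with whether they start with `#!`. The function names and category labels are assumptions made for this example.

```python
import os
import stat

# (offset in the ls string, read bit, write bit, exec bit, special bit, special chars)
_TRIADS = [
    (1, stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "sS"),
    (4, stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "sS"),
    (7, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "tT"),
]

def parse_ls_mode(s):
    """Convert an `ls -l` mode string such as '-rws--x--x' to permission bits."""
    if len(s) != 10:
        raise ValueError("expected a 10-character mode string: %r" % s)
    mode = 0
    for i, r, w, x, special, chars in _TRIADS:
        if s[i] == "r":
            mode |= r
        if s[i + 1] == "w":
            mode |= w
        c = s[i + 2]
        if c == "x" or c == chars[0]:   # lowercase s/t means exec + special bit
            mode |= x
        if c in chars:                   # uppercase S/T means special bit only
            mode |= special
    return mode

def classify(mode):
    """Label a mode (labels are this example's own, not perl-suid terminology)."""
    if not mode & stat.S_ISUID:
        return "not-setuid"
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        return "source-readable"   # e.g. 4755: non-owners can read the file contents
    if mode & (stat.S_IXGRP | stat.S_IXOTH):
        return "exec-only"         # e.g. 4711: the state that failed in the report
    return "owner-only"

def audit(root):
    """Return (path, is_script, label) for every set-uid regular file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            try:
                with open(path, "rb") as f:
                    is_script = f.read(2) == b"#!"
            except OSError:
                is_script = None   # unreadable to the auditor; still reported
            findings.append((path, is_script, classify(st.st_mode)))
    return findings
```
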
--- Begin Message ---
Hi,

I'm closing these two bugs in perl-suid, since this package has been
removed from Debian (and upstream) with 5.12.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)


--- End Message ---
