On Tue, Aug 01, 2006 at 11:18:53AM -0700, Allen Brown wrote:
> >suidperl is a thing that lets you run perl scripts setuid. Normally you
> >can't do that anymore than you can run a shell script that way. suidperl
> >is a workaround to make that possible. It's an evil thing, you don't want
> >it, ever. In fact, I suggest if you're concerned, edit your dpkg status
> >file and create a fake entry claiming to be suidperl with a version like
> >7:0.0.0 and no files associated with it or anything.
>
> This doesn't feel right. Are you sure this is secure and won't
> break something else?
>
> Looking at the dpkg(8) man page I see mention of "hold"
>     A package marked to be on hold is not handled by dpkg, unless
>     forced to do that with option --force-hold.

hold doesn't affect uninstalled packages. However, it seems that the
suidperl problem is resolved for you if Ubuntu's solution to the problem
comes from Debian. A non-setuid suidperl effectively does nothing.

> That sounds closer to what we should be using. Basically it
> appears to be a hook in dpkg to lock up a package. Have I
> interpreted its description correctly?

It has to be installed first.

There is theoretically a possibility that perl's version could change such
that it has an epoch of 7 or higher, but this is a bit unlikely.

What I described is not far from what an old package called equivs
did--install an empty "fake" package. This was done in the days before
Debian had packaged the entire world to allow dpkg to believe a given
package was installed from deb when it was in fact installed by you.

It's a slightly cleaner way of doing the standard RPM installation
instruction of forcing no dependency checking. Cleaner because instead of
telling dpkg to ignore dependencies (which you can do if you're fool enough
to do so), you are telling dpkg precisely what dependencies are met on your
system outside the scope of the package manager.

Nowadays you just apt-get source <thing>, modify as you like, and then
debuild -us -uc the result. Back in the days of dpkg -BORGiE, you could not
so easily do that.
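
Added example, not part of the original message: the fake status entry discussed above only blocks suidperl while its version, 7:0.0.0, outranks every real one, which this Python sketch of Debian's version ordering (epoch first, then upstream version, then revision) checks. The function names and the candidate versions used with it are constructed for illustration.

```python
import re
# Added illustration; helper names and sample versions are constructed.
def _isdigit(ch):
    return "0" <= ch <= "9"

def parse(version):
    """Split [epoch:]upstream[-revision]; a missing epoch counts as 0."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def _order(ch):
    """Weight of a non-digit character: '~' < end or digit < letters < others."""
    if ch == "~":
        return -1
    if ch == "" or _isdigit(ch):
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare two upstream or revision strings, alternating text and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character using _order weights.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        # Digit run: compare as integers; an empty run counts as 0.
        da = re.match(r"[0-9]*", a[i:]).group()
        db = re.match(r"[0-9]*", b[j:]).group()
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
        i, j = i + len(da), j + len(db)
    return 0

def compare(v1, v2):
    """Return -1, 0 or 1; the epoch decides before anything else is looked at."""
    (e1, u1, r1), (e2, u2, r2) = parse(v1), parse(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def supersedes(candidate, placeholder="7:0.0.0"):
    """True if a real package version would outrank the fake status entry."""
    return compare(candidate, placeholder) > 0
```

On a Debian or Ubuntu system, `dpkg --compare-versions 7:0.0.0 gt 5.8.8-7` performs the same comparison.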
