T. Joseph Carter wrote:
On Tue, Aug 01, 2006 at 11:18:53AM -0700, Allen Brown wrote:
suidperl is a thing that lets you run perl scripts setuid. Normally you
can't do that any more than you can run a shell script that way. suidperl
is a workaround to make that possible. It's an evil thing, you don't want
it, ever. In fact, I suggest if you're concerned, edit your dpkg status
file and create a fake entry claiming to be suidperl with a version like
7:0.0.0 and no files associated with it or anything.
This doesn't feel right. Are you sure this is secure and won't
break something else?
Looking at the dpkg(8) man page I see mention of "hold"
A package marked to be on hold is not handled by dpkg, unless
forced to do that with option --force-hold.
hold doesn't affect uninstalled packages. However, it seems that the
suidperl problem is resolved for you if Ubuntu's solution to the problem
comes from Debian. A non-setuid suidperl effectively does nothing.
The package for it is perl-suid. It doesn't seem to be
installed by default because it isn't on my machine,
at least with Sarge. But Ubuntu may not be very close to
Sarge.
I appended to /var/lib/dpkg/status
Package: perl-suid
Status: install ok installed
Version: 7:0.0.0
Description: perl-suid is a security hole. This is a dummy. Do not
 EVER install the real thing.
I have no entries for Priority or Section. After adding
that I ran apt-get and didn't notice any problems.
--
Allen Brown [EMAIL PROTECTED] http://www.peak.org/~abrown/
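
Added example, not part of the original message: a minimal parser for the status-file stanza format used above. It checks that the dummy entry is well-formed (a Description continuation line must begin with a space) and that its epoch of 7 sorts above a candidate version that has no epoch. The function names and the candidate version 5.8.4-8 are constructed for illustration, and only the epoch is compared, not the full Debian version ordering.

```python
# Constructed sample: the dummy stanza from the message above (added example).
SAMPLE_STATUS = """\
Package: perl-suid
Status: install ok installed
Version: 7:0.0.0
Description: perl-suid is a security hole. This is a dummy. Do not
 EVER install the real thing.
"""


def parse_status(text):
    """Split status-file text into stanzas: {package name: {field: value}}."""
    packages, fields, last = {}, {}, None
    for line in text.splitlines() + [""]:      # trailing "" flushes last stanza
        if not line.strip():                   # blank line ends a stanza
            if "Package" in fields:
                packages[fields["Package"]] = fields
            fields, last = {}, None
        elif line[0] in " \t":                 # continuation of previous field
            if last is None:
                raise ValueError("continuation line with no field: %r" % line)
            fields[last] += "\n" + line[1:]
        else:
            name, sep, value = line.partition(":")
            if not sep:                        # e.g. an un-indented continuation
                raise ValueError("not a 'Field: value' line: %r" % line)
            last = name.strip()
            fields[last] = value.strip()
    return packages


def epoch(version):
    """Return the epoch of a Debian version string (0 when none is given)."""
    head, sep, _ = version.partition(":")
    return int(head) if sep else 0


def dummy_outranks(stanza, candidate_version):
    """True when an installed stanza's epoch alone beats the candidate version."""
    installed = stanza.get("Status", "").split() == ["install", "ok", "installed"]
    return installed and epoch(stanza["Version"]) > epoch(candidate_version)


if __name__ == "__main__":
    entry = parse_status(SAMPLE_STATUS)["perl-suid"]
    print(entry["Version"], dummy_outranks(entry, "5.8.4-8"))  # constructed candidate
```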