On Wednesday 02 April 2003 4:21 am, Daniel Tan wrote:
> does it enable a user to gain root access?

Yes!  There is a documented (somewhere) method of using suid perl to gain 
root access within seconds.  I know someone (white hat) who used it to gain 
access to a locked system.  I believe the method uses some form of file 
substitution to run a script provided by the attacker.

> what other alternative can i do to run my script?
> as my script needs it to change a user's password through web page.
> the script is not written by me.

Something like suexec may be the answer, or writing the bits that need root 
access in a compiled language such as C.  Make sure you know EXACTLY what 
you're doing with the file permissions tho'.
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: "Redhat 2" <[EMAIL PROTECTED]>
> Cc: "Red Hat 8.0" <[EMAIL PROTECTED]>
> Sent: Wednesday, April 02, 2003 10:59 AM
> Subject: Re: perl setuid
>
> On Wed, 2 Apr 2003, Daniel Tan wrote:
> > It seems like rh8 does not have setuid installed as default. Is there an easy
> > way to install setuid in perl using cpan or any other way? Can't find the
> > command to run.
>
> Yes, thank goodness!  What a nasty history that sucker has had in regards
> to security.
>
> The anti-security command you're looking for is:
>
> up2date perl-suidperl

-- 
Gary Stainburn
 
This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000     



-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
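
An added example, not part of the original message, of the compiled-helper approach suggested in the reply above: a small setuid-root C program that the web script would run instead of suidperl, passing the username as the only argument and the new password on stdin. The install mode, `MIN_UID`, and the `/usr/sbin/chpasswd` path are assumptions.

```c
/* Added example, not from the thread. Assumed install: root-owned, mode 4750,
 * group = the web server's group. MIN_UID and the chpasswd path are assumptions. */
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define MIN_UID 500   /* assumed site policy: never touch root or system accounts */

/* Lowercase letter first, then [a-z0-9_-], at most 32 characters. */
int valid_username(const char *u)
{
    size_t n = u ? strlen(u) : 0;
    if (n == 0 || n > 32 || !islower((unsigned char)u[0])) return 0;
    for (size_t i = 1; i < n; i++)
        if (!islower((unsigned char)u[i]) && !isdigit((unsigned char)u[i]) &&
            u[i] != '_' && u[i] != '-')
            return 0;
    return 1;
}

/* Printable characters only, so a newline cannot smuggle in a second record. */
int valid_password(const char *p)
{
    size_t n = p ? strlen(p) : 0;
    if (n < 8 || n > 128) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)p[i]))
            return 0;
    return 1;
}

int main(int argc, char **argv)
{
    char *cmd[] = { "chpasswd", NULL }, *env[] = { "PATH=/usr/sbin:/usr/bin", NULL };
    char pw[160], rec[200];
    struct passwd *ent;
    int fd[2], len;
    if (argc != 2 || !valid_username(argv[1])) return 2;
    if (!(ent = getpwnam(argv[1])) || ent->pw_uid < MIN_UID) return 3;
    if (!fgets(pw, sizeof pw, stdin)) return 4;   /* password on stdin, never argv */
    pw[strcspn(pw, "\n")] = '\0';
    if (!valid_password(pw)) return 4;
    len = snprintf(rec, sizeof rec, "%s:%s\n", argv[1], pw);
    if (pipe(fd) != 0 || write(fd[1], rec, (size_t)len) != len) return 5;
    if (close(fd[1]) != 0 || dup2(fd[0], STDIN_FILENO) < 0) return 5;
    execve("/usr/sbin/chpasswd", cmd, env);       /* fixed path, scrubbed environment */
    return 6;                                     /* reached only if exec failed */
}
```

The helper does one fixed job and takes no script path, so there is nothing for a caller to substitute; the web script should still authenticate the user before invoking it.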