setuid or setgid perl scripts don't work

  • 3436932
  • 16-Jan-2008
  • 30-Apr-2012


Novell SUSE Linux Enterprise Server 10
Novell SUSE Linux Enterprise Server 9
Novell Open Enterprise Server 2 (OES2)
Novell SUSE Linux Enterprise Desktop 10
Novell Linux Desktop 9
Novell openSUSE 10.3


When trying to execute a perl script that has the setuid or setgid bit set (e.g. mode -rwsr-xr-x), execution of the script fails immediately with an ERROR:
Can't do seteuid!
or an ERROR:
Can't do setegid!


To allow setuid or setgid perl scripts to work, the sperl binary needs to have the setuid bit set. To achieve this, proceed as follows:
  1. Identify the full name of the sperl binary:
    ls -l /usr/bin/sperl*
    e.g. for a SUSE Linux Enterprise 10 system, the sperl binary is/usr/bin/sperl5.8.8.
  2. Edit /etc/permissions.local and add the following lines:
    # sperl needs to be setuid in order for setuid/setgid
    # perl scripts to function.
    /usr/bin/sperl5.8.8 root.root 4755
    Replace sperl5.8.8 by the name of the sperl binary identified previously.
  3. Run
    to effectuate the permissions change.
  4. Verify that the change was effectuated: Run
    ls -l /usr/bin/sperl*
    and check that the permissions field has the setuid bit sid (mode -rwsr-xr-x).

Additional Information


The setuid and setgid bits on an executable (binary or script) instruct the system to try to run the executable with the permissions of the file owner/group, rather than of the invoking user/group. This way, the executable can perform operations outside the security container of the invoking user/group's rights.

For instance, even when a mail transfer agent's processes are running under a non-root user's privilege, they can invoke a mail delivery script owned by the root user which has the setuid bit set in order to deliver mail as files that are owned by the mail recipient's Unix user id and group.

As programming errors in or wrong ownership of setuid/setgid executables pose security risks and as support for setuid/setgid perl scripts is only needed on a minority of systems, SUSE products default to having support for setuid/setgid perl scripts disabled.