Environment
Novell SUSE Linux Enterprise Server 10
Novell SUSE Linux Enterprise Server 9
Novell Open Enterprise Server 2 (OES2)
Novell SUSE Linux Enterprise Desktop 10
Novell Linux Desktop 9
Novell openSUSE 10.3
Situation
When trying to execute a perl script that has the setuid or setgid bit set (e.g. mode -rwsr-xr-x), execution of the script fails immediately with one of the following errors:
ERROR: Can't do seteuid!
ERROR: Can't do setegid!
Resolution
To allow setuid or setgid perl scripts to work, the sperl binary needs to have the setuid bit set. To achieve this, proceed as follows:
- Identify the full name of the sperl binary:
  ls -l /usr/bin/sperl*
  e.g. for a SUSE Linux Enterprise 10 system, the sperl binary is /usr/bin/sperl5.8.8.
- Edit /etc/permissions.local and add the following lines:
  # sperl needs to be setuid in order for setuid/setgid
  # perl scripts to function.
  /usr/bin/sperl5.8.8 root.root 4755
  Replace sperl5.8.8 by the name of the sperl binary identified previously.
- Run SuSEconfig to apply the permissions change.
- Verify that the change was applied: run ls -l /usr/bin/sperl* and check that the permissions field has the setuid bit set (mode -rwsr-xr-x).
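As an added example (not part of the original Novell article), the following shell helper performs the identification and verification steps above in one go: it checks whether each sperl binary under /usr/bin carries the setuid bit and, where it does not, prints the /etc/permissions.local line that the resolution prescribes. The function names has_setuid, permissions_line and check_sperl are assumptions made here.

```shell
#!/bin/sh
# Added example: audit the setuid state of the sperl binary on a SUSE system.
# The permissions.local entry format (path owner.group mode) follows the article.

# Return 0 if the owner-execute slot of the mode shows 's' or 'S' (setuid bit set),
# 1 otherwise or if the file cannot be listed.
has_setuid() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 1
    case "$mode" in
        ???[sS]??????) return 0 ;;
        *)             return 1 ;;
    esac
}

# Emit the /etc/permissions.local line for a given sperl binary path.
permissions_line() {
    printf '%s root.root 4755\n' "$1"
}

# Check every sperl binary matched by the article's glob. Returns 0 if all of
# them are setuid, 1 if at least one is not, 2 if no sperl binary exists.
check_sperl() {
    rc=0
    for bin in /usr/bin/sperl*; do
        [ -e "$bin" ] || { echo "no sperl binary found under /usr/bin"; return 2; }
        if has_setuid "$bin"; then
            echo "$bin: setuid bit set, setuid/setgid perl scripts can run"
        else
            echo "$bin: setuid bit NOT set; add this line to /etc/permissions.local and run SuSEconfig:"
            permissions_line "$bin"
            rc=1
        fi
    done
    return $rc
}
```

Running check_sperl on a system that has not yet applied the resolution prints the exact line to add; after SuSEconfig it reports the binary as setuid.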
Additional Information
Background
The setuid and setgid bits on an executable (binary or script) instruct the system to try to run the executable with the permissions of the file owner/group, rather than of the invoking user/group. This way, the executable can perform operations outside the security container of the invoking user/group's rights.
For instance, even when a mail transfer agent's processes are running under a non-root user's privilege, they can invoke a mail delivery script owned by the root user which has the setuid bit set in order to deliver mail as files that are owned by the mail recipient's Unix user id and group.
As programming errors in or wrong ownership of setuid/setgid executables pose security risks and as support for setuid/setgid perl scripts is only needed on a minority of systems, SUSE products default to having support for setuid/setgid perl scripts disabled.