I did read it, but still don't understand. What does "tainted" mean?

I changed my cgi like this:

#!/usr/bin/suidperl

Then:

chown root:root saveconfig.pl
chmod 755 saveconfig.pl

It's now 'partly working': it can change the content of /etc/sysconfig/... by overwriting its content (open ... print ... close). But I still can't execute /sbin/ifup /sbin/ifdown.

Basically, I don't know how suidperl works, nor how to execute a cgi which needs root permission. I just found that workaround by trial and error.

If someone could explain or just tell me what I should do in terms of permission settings or modification.

What I need is just:

overwriting /etc/sysconfig/...
executing /sbin/ifup /sbin/ifdown

I must finish this project the day after tomorrow :((

Thanks.
kapot

--- [EMAIL PROTECTED] wrote:
> You need to read up on tainted variables, I think.
>
> perldoc perlsec
>
> The problem isn't that it is a CGI, pretty sure the problem is that it is setuid.
>
> http://danconia.org
>
> ------------------------------------------------
> On Tue, 10 Dec 2002 07:20:16 -0800 (PST), Admin-Stress <[EMAIL PROTECTED]> wrote:
>
> > I got this error :
> >
> > [error] [client 10.0.0.88] Insecure $ENV{PATH} while running setuid at
> > /var/www/cgi-bin/ifcfg_rh80.pl line 60., referer: http://10.0.0.50/cgi-bin/editconfig.pl
> >
> > And line 60 of ifcfg_rh80.pl is :
> >
> > system("/sbin/ifdown $device");
> > sleep 2;
> > system("/sbin/ifup $device");
> >
> > I chmoded +s both editconfig.pl and ifcfg_rh80.pl.
> >
> > And I installed suid-perl ...
> >
> > Anything else that I can do? I made a cgi to change server ip address.
> >
> > Thanks.
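
As an added example (not part of the original thread): the two things perlsec asks of a setuid script before it runs an external command, a fixed $ENV{PATH} and a regex-validated (untainted) argument, applied to the ifdown/ifup calls quoted above. The interface-name pattern and the helper names untaint_device and restart_interface are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not the poster's script. Run as: perl -T thisfile.pl [device]
use strict;
use warnings;

# Taint mode is forced when perl runs setuid. %ENV is tainted, so perl
# refuses to run any command until PATH is set to a known value.
# This is what "Insecure $ENV{PATH}" complains about.
$ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin';
# Variables that shells act on; perlsec recommends removing them too.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Data from outside the program (CGI parameters, @ARGV, files) is tainted.
# The only way to untaint it is to extract it with a regex capture.
# Assumed naming scheme: eth0, eth1, eth0:1 and similar.
sub untaint_device {
    my ($raw) = @_;
    if (defined $raw && $raw =~ /\A([a-z]{2,8}[0-9]{1,3}(?::[0-9]{1,3})?)\z/) {
        return $1;    # $1 is untainted
    }
    return;           # anything else is rejected
}

# List-form system() does not go through a shell, so the device name is
# passed as a single argument and is never parsed as shell syntax.
sub restart_interface {
    my ($device) = @_;
    system('/sbin/ifdown', $device) == 0
        or die "/sbin/ifdown $device failed (status $?)\n";
    sleep 2;
    system('/sbin/ifup', $device) == 0
        or die "/sbin/ifup $device failed (status $?)\n";
    return 1;
}

# Constructed sample inputs, to show what the check accepts and rejects.
for my $in ('eth0', 'eth0:1', 'eth0;ls', '../eth0', '') {
    my $ok = defined untaint_device($in) ? 'accepted' : 'rejected';
    printf "%-10s => %s\n", "'$in'", $ok;
}

# The interfaces are only touched when a name is given on the command line.
if (@ARGV) {
    my $device = untaint_device($ARGV[0])
        or die "invalid interface name\n";
    restart_interface($device);
}
```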