I don't know much about suidperl but if I were doing this, I probably
wouldn't give root privileges to my CGI.  If it doesn't need to happen
instantaneously, I'd consider a two-step approach: (of course, it probably
does need to run instantaneously since you're doing it as a CGI anyway...)

Instead of doing everything from the CGI, what I would do is write one Perl
CGI to gather your config input from the user and write it to a file. Then,
create a second script which will run as root (as a cron job?) and read
the config file written by your first script and act accordingly.  Of
course, this is extremely slow and inefficient but seems more secure than
giving root access to your CGI.  Besides, if you can't get the other way to
work, I think this might do the trick.  But again, I'm sure there's a more
elegant solution.  I'd still like to know what suid perl is and why it won't
let you run /sbin/ifup|ifdown.  It might be just a simple environment thing
where the script can't find "ifup". Are you calling it as ifup or /sbin/ifup?

good luck!

-peter


-----Original Message-----
From: Admin-Stress [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 10, 2002 1:29 PM
To: perl cgi
Subject: RE: can we use "system()" inside cgi ?


I did read it, but still don't understand. What does "tainted" mean?

I changed my cgi like this :

   #!/usr/bin/suidperl

Then :

   chown root:root saveconfig.pl
   chmod 755 saveconfig.pl

It's now 'partly working', it can change the content of /etc/sysconfig/...
by overwriting its content (open ... print ... close).

But still, I can't execute /sbin/ifup /sbin/ifdown.

Basically, I don't know how suidperl works nor how to execute a CGI which
needs root permission.

I just found that workaround by trial and error. If someone could
explain or just tell me what I should do in terms of permission setting
or modification. What I need is just :

   overwriting /etc/sysconfig/...
   executing /sbin/ifup /sbin/ifdown

I must finish this project the day after tomorrow :((

Thanks.
kapot

--- [EMAIL PROTECTED] wrote:
> You need to read up on tainted variables, I think.
> 
> perldoc perlsec
> 
> The problem isn't that it is a CGI, pretty sure the problem is that it is setuid.
> 
> http://danconia.org
> 
> ------------------------------------------------
> On Tue, 10 Dec 2002 07:20:16 -0800 (PST), Admin-Stress <[EMAIL PROTECTED]> wrote:
> 
> > I got this error :
> > 
> > [error] [client 10.0.0.88] Insecure $ENV{PATH} while running setuid at /var/www/cgi-bin/ifcfg_rh80.pl line 60., referer: http://10.0.0.50/cgi-bin/editconfig.pl
> > 
> > And line 60 of ifcfg_rh80.pl is :
> > 
> >    system("/sbin/ifdown $device");
> >    sleep 2;
> >    system("/sbin/ifup $device");
> > 
> > I chmoded +s both editconfig.pl and ifcfg_rh80.pl.
> > 
> > And I installed suid-perl ...
> > 
> > Anything else that I can do? I made a cgi to change server ip address.
> > 
> > Thanks.



-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
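
The "Insecure $ENV{PATH} while running setuid" error quoted in this thread comes from Perl's taint checks, which `perldoc perlsec` documents. The following is an added example, not code from any poster in the thread, showing the pattern perlsec describes applied to the ifdown/ifup calls; the function names, the `$DRY_RUN` switch, the PATH value and the interface-name pattern are assumptions of the example.

```perl
#!/usr/bin/perl
# Added example. A setuid script runs in taint mode automatically;
# use "perl -T thisfile.pl" to exercise the same checks by hand.
use strict;
use warnings;

# Taint mode refuses to start a child process while PATH is inherited from
# the caller: that is the "Insecure $ENV{PATH}" error. Pin it and drop the
# other variables perlsec names as able to influence a shell.
$ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $DRY_RUN = 1;    # assumption: set to 0 only on the real host, as root

# Return a validated interface name, or undef. A value captured from a
# successful regex match is considered untainted, so the pattern must be a
# strict allowlist (assumed form: eth0, eth1, eth0:1).
sub untaint_device {
    my ($raw) = @_;
    return undef unless defined $raw;
    my ($dev) = $raw =~ /\A(eth[0-9]{1,2}(?::[0-9]{1,3})?)\z/;
    return $dev;
}

# Bring the interface down and up again. system() is called in list form,
# so no shell parses the arguments.
sub restart_interface {
    my ($raw) = @_;
    my $dev = untaint_device($raw) or return 'rejected';
    for my $cmd ('/sbin/ifdown', '/sbin/ifup') {
        my @argv = ($cmd, $dev);
        if ($DRY_RUN) { print "  would run: @argv\n"; next; }
        system(@argv) == 0 or return "failed: $cmd (status $?)";
        sleep 2 if $cmd eq '/sbin/ifdown';
    }
    return 'ok';
}

# Constructed sample inputs, standing in for the CGI "device" parameter.
for my $input ('eth0', 'eth0:1', 'eth0;id', "eth1\n", '../eth0') {
    (my $shown = $input) =~ s/\n/\\n/g;
    printf "%-10s => %s\n", "'$shown'", restart_interface($input);
}
```

The same validation applies to the two-step design suggested at the top of the thread: the root-side script should treat the file written by the CGI as untrusted input and untaint each value before using it.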
