Perl for Systems Admin - suid scripts
Archive - Originally posted on "The Horse's Mouth" - 2006-05-25 09:42:58 - Graham EllisI've just completed a week teaching Perl to a systems administration team, and most of their work is involved in traversing data logs and system reports and extracting pertinent information / seeing when characteristics change - classic for a Practical Extraction and Reporting Language from which "Perl" got its name.
But there's more to Systems Admin work. For example, there are occasions when the admin script author wishes to allow some very specific privilage normally reserved for root to a user. My delegates were already aware of how to do this with the bash shell, and were also well aware of the security implications. If you are not aware of these implications, FIND OUT about them before you use the methods described here.
To run a Perl script with root privilage:
a) Set the owner of the script to root
b) Set the suid bit on the file on (chmod u+s filename)
c) Turn off read permission, and on execute permission to the file to everyone except root (chmod go=x)
Your script will run in Perl's "tainted mode" if the suid bit is set. This means that all user inputs are marked as being unclean / risky, and neither they nor any variables with content derived from them is available in 'dangerous' calls such as backquoted commands, open functions, system calls, etc. The purpose of this is to avoid injection attacks; it's frustrating when you first see it, but you'll be very glad of the extra help in identifying potential holes that's provided.
If you do need to mark a variable "clean" in tainted mode, you do so by capturing the clean parts into special variables , , etc in a regular expression match. In this one case, the derivative of a tainted variable is marked as being clean, so you can the make full use of your cleaned user inputs.