I'm trying to write a setuid script to change passwords on a machine via the web. I am not trying to change the local passwords (i.e. *not* modifying /etc/password), but I do need the script to be run as root so it can call another password-changing utility which is doing the actual work.
When run from the command line as root, the script works fine. However, when run as myself (after setting the script to be setuid root) I get the following error generated from the script's system call:
"Insecure dependency in system while running setuid at ./chpass_web.pl line 159."
Perl is installed on this system to use suid emulation, so it's calling the 'suidperl' binary. The problem originates from the following line of code:
system "/bin/echo $new_password1 | /usr/local/sbin/saslpasswd -p $in_username";
The documentation I've seen implies that variables can't be passed directly into the shell, as they are above, but I couldn't reword the system call in any way that still enabled it to work.
Can anyone help with this? Or lead me to any pointers on suidperl? I've already read the perlsec manpage, and searched through the mailing list archives...
Thanks! Andria
-- ---------------------------------------------- Andria Thomas andria@tovaris.com System Administrator -- Tovaris, Inc. (434) 245-5309 x 105
My kernel is 2.4.20-20.9 Apache version is 1.3.24 Insecure dependency in system while running with -T switch at /usr/local/apache/cgi-bin/omail.pl line 2736.
If you would like to report an abuse of our service, such as a spam message, please . Если Вы хотите пожаловаться на содержимое этой страницы, пожалуйста .
