
can't run /usr/bin/passwd from Perl CGI

Status
Not open for further replies.

msc0tt

IS-IT--Management
Jun 25, 2002
281
CA
I figure this is more a CGI thing than a Perl thing, so this forum is my victim:

Within my Perl CGI, I need to check the status of an arbitrary user account. This is done with the Linux command "/usr/bin/passwd -S jdoe". The blog warning is: "You may not change the password for jdoe." The CGI completes, so I do get my webpage (less the status info I need). My script runs SUID root (by means of a wrapper).

My line in the script is:
`/usr/bin/passwd -S $login`
I've cleared the PATH with:
$ENV{"PATH"} = "";
I've synced with realUID and effectiveUID with:
$< = $>;
I've untainted the $login variable ("jdoe") with:
$login =~ /(.+)/; $login = "$1";

Can anyone solve this very annoying problem?
Many Thanks! -Mike
 
I'd go post this in the CGI or Perl forums. But then again, you may get lucky here.

 
Yes, I wasn't sure, but figured I'd start here. Cross-posting is frowned upon, so I must wait a realistic amount of time before posting elsewhere.
 
I think the problem is that passwd doesn't like to run using SUID. This is of course a security precaution because you wouldn't want just anybody setting passwords.

I said the Perl or CGI forums would be where to post, but now I think it's a better question for one of the Linux forums.

 
Hmmm...
I disagree about your first comment. Under Linux, when you suid root, you are effectively root - that's the whole point. Unfortunately, I can't tell what process has created the blog error (Apache?, Perl?, passwd?) in the first place...
I'm off to the CGI forum next. Thanks for reading :-{)
-Mike
 
Oh well, I just read your post in the CGI forum so I guess you got it worked out. I wonder if you're able to change passwords because your script is also SUID root. Hmmm, I wish I knew more about Linux.

 
Hey Kevin,
Yes, the above quote in BOLD is true, but needs to be in context. If passwd is run from a process (i.e. my Perl script) that has both a 'real' and 'effective' UID of root, then it will provide full functionality. This is why I set my realUID ($<) at the top of the script. This is also why the actual Perl script file doesn't need to be SUID root (which btw works inconsistently across *nix platforms, so I never use it).

Linux is a GREAT server platform... so for many reasons. Unlike M$, it is very predictable once you know the rules. You will never see me seriously active in the .NET camp. ;-{) -cheers
Mike.
 
Oh ok, that makes more sense. Thanks for the info.

I definitely agree that Linux is the way to go. I've had a Linux web server at home for a while now and set one up at work last year instead to replace our IIS server (yuck). However, I've still got a LOT to learn about Linux, just not enough time to do so.
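
Added example, not part of the original thread or any poster's code: one way to make the call discussed above (`/usr/bin/passwd -S` from a Perl CGI started by a set-UID-root wrapper) with an allow-list untaint instead of `/(.+)/`, no shell, and the real UID raised only in the child process. The helper names `untaint_login` and `passwd_status` and the account-name pattern are assumptions made for this sketch.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread.
use strict;
use warnings;

# Known-good environment, as perlsec recommends for taint mode.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/bin';

# Untaint by allow-list. The account-name pattern is an assumption; unlike
# /(.+)/ it rejects leading dashes, whitespace and shell metacharacters.
sub untaint_login {
    my ($raw) = @_;
    return $1 if defined $raw && $raw =~ /\A([a-z_][a-z0-9_-]{0,31})\z/;
    return;
}

# Run "/usr/bin/passwd -S <login>" with no shell; return its first output line.
sub passwd_status {
    my ($login) = @_;
    my $pid = open(my $out, '-|');          # fork; child's STDOUT is piped to us
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        $< = $>;                            # child only: real UID := effective UID
        die "real UID is still $<\n" if $< != $>;
        # Multi-argument exec passes $login as one argv entry, no shell parsing.
        exec('/usr/bin/passwd', '-S', $login) or die "exec failed: $!\n";
    }
    my $line = <$out>;
    close($out);                            # reaps the child and sets $?
    return if $? != 0 || !defined $line;
    chomp $line;
    return $line;
}

# Stand-alone driver; in the CGI the name would come from a request parameter.
my $login = untaint_login($ARGV[0])
    or die "usage: $0 <account>  (name rejected by allow-list)\n";
my $status = passwd_status($login);
print defined $status ? "$status\n" : "passwd -S failed for $login\n";
```

The layout of the status line differs between passwd implementations, so the sketch returns it unparsed.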

 