Linux Users' Group of Davis (LUGOD)

Page last updated:
2003 May 05 13:44

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Running a suid root perl script

On Mon, May 05, 2003 at 11:37:20AM -0700, Henry House wrote:
> You're right. The file is owned by root. Now the real reason that I want an
> suid script:
>
> #!/usr/bin/suidperl -T
> $ENV{'PATH'} = '/bin:/usr/bin';
> delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
> $ENV{'HOME'} = '/root';
> open(BOGOFILTER, "|ssh root\@mail.internal bogofilter -Nsv");
> while ($line = <STDIN>) { print BOGOFILTER $line }
> close(BOGOFILTER);
> exit
>
> This script, residing at /usr/local/bin/spamlearn, is intended to allow
> all users to redirect spam that gets through back to the bogofilter* database
> on the mail server, a separate machine that normally does not host
> interactive logins. SSH is configured to accept key-based auth only and the
> key is in root's home. But it does not work: SSH asks for a password and
> warns about an unknown server fingerprint, indicating that it is using
> the user's ~/.ssh not /root/.ssh. Any ideas?

Henry,

  It sounds like some environment variable like 'USER' needs to be set so
that ssh can find the right local key to use for authentication.  Have your
script print out all the environment variables and values...
  print map { "$_ -> $ENV{$_}\n" } keys %ENV;
... look for any that look wrong and fix them.


  Also, I recommend you remove all environment variables except for the
ones you trust, since this is running as root and there have been a
number of ways to take over based on environment holes...

something Draconian like this should be safe:  =)
===
  %ENV = ();                        # empty the whole hash (delete needs an element or slice)
  $ENV{'HOME'} = "/root";           # trusted values only from here on
  $ENV{'USER'} = "root";
  $ENV{'SHELL'} = "/bin/bash";
  $ENV{'PATH'} = "/bin:/usr/bin";
===

-- 
GPG key: http://simons-clan.com/~msimons/gpg/msimons.asc
Fingerprint: 524D A726 77CB 62C9 4D56  8109 E10C 249F B7FA ACBE
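
The advice above carried through as a complete wrapper, as an added example that is not part of the original post: it replaces the environment with the four trusted values, logs what it dropped, and starts ssh without a shell. The key and known_hosts file names, the /usr/bin/ssh path, the --dry-run flag and the use of plain perl -T instead of suidperl are assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread). Run as: perl -T spamlearn.pl [--dry-run]
use strict;
use warnings;

# Allowlist from the reply above: the only variables the child will see.
my %TRUSTED = (
    HOME  => '/root',
    USER  => 'root',
    SHELL => '/bin/bash',
    PATH  => '/bin:/usr/bin',
);

# Assumed file names; the thread only says the key is in root's home.
my $KEY         = '/root/.ssh/id_rsa';
my $KNOWN_HOSTS = '/root/.ssh/known_hosts';

# Replace the inherited environment wholesale and report what changed,
# so a caller-supplied variable is visible in the log instead of silently kept.
sub scrub_env {
    my @dropped = sort grep { !exists $TRUSTED{$_} } keys %ENV;
    my @changed = sort grep { exists $ENV{$_} && $ENV{$_} ne $TRUSTED{$_} }
                  keys %TRUSTED;
    %ENV = %TRUSTED;
    return (\@dropped, \@changed);
}

my ($dropped, $changed) = scrub_env();
print STDERR "dropped: @$dropped\n"    if @$dropped;
print STDERR "overridden: @$changed\n" if @$changed;

# Absolute path and list form: no shell, no PATH search. The key and
# known_hosts files are named explicitly instead of being found via ~/.ssh.
my @cmd = ('/usr/bin/ssh', '-o', 'BatchMode=yes', '-i', $KEY,
           '-o', "UserKnownHostsFile=$KNOWN_HOSTS",
           'root@mail.internal', 'bogofilter', '-Nsv');

if (@ARGV && $ARGV[0] eq '--dry-run') {
    print "would run: @cmd\n";
    exit 0;
}

# OpenSSH takes the home directory from the passwd entry of the real UID,
# so make the real UID match the effective one before starting ssh.
$< = $>;

open(my $ssh, '|-', @cmd) or die "cannot start ssh: $!\n";
print {$ssh} $_ while <STDIN>;
close($ssh) or die "ssh failed (status $?)\n";
```

With --dry-run the script only prints the scrub report and the ssh command line, which is enough to confirm that nothing from the caller's environment survives.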
