severity 242910 wishlist
found 242910 5.10.0-10
thanks
On Fri, Apr 09, 2004 at 09:27:59AM +0200, Filip Van Raemdonck wrote:
> On Thu, Apr 08, 2004 at 02:58:44PM +0200, Sebastian Muszynski wrote:
> >
> > $ chmod g+s test.pl
> > $ perl test.pl
> > No #! line at test.pl line 1.
> > $
>
> Hmm, that is IMNSHO a bug or serious misfeature of perl if it behaves that
> way. What is being run here is the perl binary, not the script; the script
> is merely input data for the perl binary. It's permissions should be ignored
> aside from the fact that it has to be readable and perl should not behave
> differently simply because the datafile that it processes has the set GID bit
> set.
This is a feature, not a bug.
>From perlsec(1):
Perl can emulate the setuid and setgid mechanism when it notices
the otherwise useless setuid/gid bits on Perl scripts. It does
this via a special executable called suidperl that is automatically
invoked for you if it’s needed.
>From perldiag(1):
No #! line
(F) The setuid emulator requires that scripts have a
well-formed #! line even on machines that don’t support
the #! construct.
Lowering the severity to 'wishlist'; it's possible that the setuid
emulator will be removed at some point as it was expected to go away
for 5.10 but didn't. From perl587delta(1):
For new projects the core perl team strongly recommends that
you use dedicated, single purpose security tools such as "sudo"
in preference to "suidperl".
--
Niko Tyni [EMAIL PROTECTED]
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
