Mon Dec 20 17:53:46 2010: Request 63801 was acted upon.
Transaction: Correspondence added by SMUELLER
Queue: PAR-Packer
Subject: Re: [rt.cpan.org #63801] setuid pp'ed scripts: 1st invocation
fails, 2nd+ call ok
Broken in: 1.008
Severity: Wishlist
Owner: Nobody
Requestors: [email protected]
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=63801 >
On Dec 20, 2010, at 2:24 PM, Alexander Ost via RT wrote:
> Queue: PAR-Packer
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=63801 >
>
> On Mon Dec 20 07:51:04 2010, [email protected] wrote:
>> On Mon, Dec 20, 2010 at 12:28 PM, Alexander Ost via RT
>>> 3/ it seems that PAR tries to put some file into the cache at a later
>>> point during the program's lifetime
>>
>> Correct. Some stuff will only be extracted on demand.
>
> I just verified that (as suspected) this breaks any script that changes its
> effective
> uid during runtime, because it leads to ownership clashes in the cache
> directory.
>
> No matter if the change is due to setuid or because of some the script itself
> changes
> the id.
>
> So... is there
> a) any way to "request" that the whole archive is extracted *completely* into
> the cache?
> or
> b) what would you think about a solution where all cache entry access (esp
> writing) is
> ONLY done with the real user id, not the effective user id?
Try installing Archive::Unzip::Burst on the dev machine. If it succeeds, it
will be packed into the executable and everything will be extracted on the
first invocation.
Roderich's concerns, however, remain valid. a setuid pp'd executable is not
guaranteed safe.\
Best regards,
Steffen
