From owner-freebsd-security Sat Jan 12 1:48: 4 2002
Delivered-To: freebsd-security@freebsd.org
Received: from raven.robbins.dropbear.id.au (234.a.011.mel.iprimus.net.au [210.50.216.234])
    by hub.freebsd.org (Postfix) with ESMTP id 83DA337B404
    for ; Sat, 12 Jan 2002 01:48:00 -0800 (PST)
Received: (from tim@localhost)
    by raven.robbins.dropbear.id.au (8.11.6/8.11.6) id g0C9i5Z00488
    for freebsd-security@FreeBSD.ORG; Sat, 12 Jan 2002 20:44:05 +1100 (EST)
    (envelope-from tim)
Date: Sat, 12 Jan 2002 20:44:04 +1100
From: "Tim J. Robbins"
To: freebsd-security@FreeBSD.ORG
Subject: Re: suidperl
Message-ID: <20020112204404.A455@raven.robbins.dropbear.id.au>
References: <077f01c19b41$7cf205a0$6500a8c0@halenet.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <077f01c19b41$7cf205a0$6500a8c0@halenet.com.au>; from timbo@halenet.com.au on Sat, Jan 12, 2002 at 06:16:49PM +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, Jan 12, 2002 at 06:16:49PM +1000, list wrote:

> Can anyone tell me what security issues there may be with enabling suidperl
> and what the best way to achieve this would be?

To enable suidperl, you can add "ENABLE_SUIDPERL=true" to /etc/make.conf
(see /etc/defaults/make.conf) and rebuild. chmod u+s /usr/bin/suidperl will
also work, but the suid bit will be dropped next rebuild.

As for potential security issues.. it could expose you to a local root
compromise; it's had problems in the past. The most notable example I can
think of is this one (read the thread):
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=119124+0+archive/2000/freebsd-security/20000813.freebsd-security

It turns out that FreeBSD was not vulnerable to that attack but illustrates
that there are risks.

Tim
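
An added audit example, not part of the original message: it classifies a host by the two ways of enabling suidperl described above, the make.conf knob (which takes effect on rebuild) and a manual chmod u+s (dropped at the next rebuild). The function names are hypothetical, and treating any uncommented ENABLE_SUIDPERL assignment as "enabled" is an assumption.

```sh
#!/bin/sh
# Added example (not from the original message): report how suidperl is
# enabled, so a manual chmod u+s can be told apart from the make.conf knob.
# Meant to be sourced; default paths are the ones named in the message.

# knob_set FILE -> 0 if FILE has an uncommented ENABLE_SUIDPERL assignment.
# Assumption: any assigned value counts as "enabled".
knob_set() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*ENABLE_SUIDPERL[[:space:]]*[?+:]?=' "$1"
}

# suid_set FILE -> 0 if FILE exists and carries the set-user-ID bit.
suid_set() {
    [ -u "$1" ]
}

# suidperl_state [MAKE_CONF] [BINARY] prints one of:
#   persistent  knob set, binary setuid          (kept across rebuilds)
#   transient   binary setuid, knob not set      (bit dropped next rebuild)
#   pending     knob set, binary not yet setuid  (takes effect on rebuild)
#   disabled    neither
suidperl_state() {
    conf=${1:-/etc/make.conf}
    bin=${2:-/usr/bin/suidperl}
    if knob_set "$conf"; then
        if suid_set "$bin"; then echo persistent; else echo pending; fi
    else
        if suid_set "$bin"; then echo transient; else echo disabled; fi
    fi
}
```

Any state other than "disabled" means a setuid-root interpreter is present or will be after the next rebuild, which is the local root exposure the message describes.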