When the permissions of the script are u=rwx,g=rwx,o=r the script works all right... However, I want the setuid bit to be switched on so that the call to smartctl returns the preferred data rather than a mistake.


use strict;
use warnings;
use CGI qw(:standard);

my $device = param("device") || "sda";

print header("text/plain");

print "device = $device\n\n";

$ENV{"PATH"} = "/usr/sbin";
open( PS, "smartctl -A /dev/$device |" );
while( <PS> )
{
    print $_ . "\n";
}
close( PS );

After I set the permissions to u=rwxs,g=rwxs,o=r, the script works when the query doesn't specify device. However, when device is specified, nothing comes back after print "device = $device\n\n";

You have to consider the configuration of Perl.

perl -MConfig -e 'print "d_suidsafe = $Config{d_suidsafe}\n";'

If it does not say anything (nothing visible following the =), then Perl was told to consider SUID scripts unsafe. It treats them differently from regular scripts. Look into the 'taint' system (-T command line option) too; it will warn about the 'script injection' problem pointed out below.

Coding suggestions:

  1. Use the three-argument form of open.
  2. Make sure that the open was successful.

Such as this:

open my $PS, "-|", "smartctl -A /dev/$device"
  or die "Could not popen smartctl: $!";

Well, most likely not die, but report the mistake cleanly and do not make use of the unopened file handle.

if (open my $PS, "-|", "smartctl -A /dev/$device")
{
    while (<$PS>)
    {
        print "$_\n";
    }
    close $PS;
}
else
{
    print "Failed to open device: $!";
}

Note that you need to reject or sanitize the input of the individual who wrote: sda; cp /bin/sh /tmp/...; chmod 6777 /tmp/... within the device parameter field. It's a little like SQL injection, only this time around, it's 'Perl script injection'. They could be more brutal than that: sda; rm -fr / 2>/dev/null & does a reasonably good job of cleaning up the machine of files and sites that the user to whom the script is setuid can modify. You cannot trust customers an inch at the very best of times. Inside a setuid program, trusting the customers at all is a serious issue. All that goes doubly (if not multiply) when the access comes from an internet browser.
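
A hardened variant of the script discussed above, as an added example that is not part of the original question or answer: it runs under taint mode (-T), accepts the device parameter only when it matches an allowlist pattern, and uses the list form of open so that no shell ever parses the value. The validate_device helper and the sd[a-z] naming pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI qw(:standard);

# Fixed, minimal environment: taint mode refuses to run external
# commands while PATH or these variables are still tainted.
$ENV{PATH} = "/usr/sbin";
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allowlist check. Returning the regex capture also untaints the value.
# The accepted pattern (sd plus one or two letters) is an assumption
# for this example; adjust it to the device names on the host.
sub validate_device {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A(sd[a-z]{1,2})\z/;
    return;
}

print header("text/plain");

my $device = validate_device(param("device") || "sda");
unless (defined $device) {
    # Reject outright; never echo the rejected value back.
    print "Invalid device name\n";
    exit 0;
}
print "device = $device\n\n";

# List form of the pipe open: the arguments go straight to exec,
# so shell metacharacters in a value are never interpreted.
if (open my $PS, "-|", "smartctl", "-A", "/dev/$device") {
    while (my $line = <$PS>) {
        print $line;
    }
    close $PS or print "smartctl exited with status ", $? >> 8, "\n";
}
else {
    print "Failed to run smartctl: $!\n";
}
```

With -T on the #! line, the script has to be executed directly (as a CGI program is) or started with perl -T.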