setuid or setgid perl scripts don't work

This document (3436932) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Desktop 10

 

Situation

When trying to execute a perl script that has the setuid or setgid bit set (e.g. mode -rwsr-xr-x), execution of the script fails immediately with an ERROR:
Can't do seteuid!
or an ERROR:
Can't do setegid!

Resolution

To allow setuid or setgid perl scripts to work, the sperl binary needs to have the setuid bit set. To achieve this, proceed as follows:
  1. Identify the full name of the sperl binary:
    ls -l /usr/bin/sperl*
    e.g. for a SUSE Linux Enterprise 10 system, the sperl binary is /usr/bin/sperl5.8.8.
  2. Edit /etc/permissions.local and add the following lines:
    # sperl needs to be setuid in order for setuid/setgid
    # perl scripts to function.
    /usr/bin/sperl5.8.8 root.root 4755
    Replace sperl5.8.8 with the name of the sperl binary identified in step 1.
  3. Run
    SuSEconfig
    to apply the permissions change.
  4. Verify that the change was applied. Run
    ls -l /usr/bin/sperl*
    and check that the permissions field has the setuid bit set (mode -rwsr-xr-x).

Additional Information

Background

The setuid and setgid bits on an executable (binary or script) instruct the system to try to run the executable with the permissions of the file owner/group, rather than of the invoking user/group. This way, the executable can perform operations outside the security container of the invoking user/group's rights.

For instance, even when a mail transfer agent's processes are running under a non-root user's privilege, they can invoke a mail delivery script owned by the root user which has the setuid bit set in order to deliver mail as files that are owned by the mail recipient's Unix user id and group.

As programming errors in or wrong ownership of setuid/setgid executables pose security risks and as support for setuid/setgid perl scripts is only needed on a minority of systems, SUSE products default to having support for setuid/setgid perl scripts disabled.
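
Making sperl setuid enables every setuid/setgid perl script on the system at once, so it helps to review which such scripts exist and who owns them before applying the change. The following shell functions are an added example, not part of the original SUSE document; the function names and the default expected owner (uid 0) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the SUSE article: inventory setuid/setgid perl
# scripts so they can be reviewed before sperl is made setuid.
# Requires GNU find and stat (as shipped on SUSE Linux). Run as root so
# that unreadable scripts are not skipped.

# is_perl_script FILE: true if the first line is a shebang that names perl.
is_perl_script() {
    head -n 1 "$1" 2>/dev/null | grep -q '^#!.*perl'
}

# audit_suid_perl DIR [OWNER_UID]
# Prints "STATUS MODE UID PATH" for each setuid/setgid perl script in DIR.
# STATUS is WARN when the script is group- or world-writable, or when its
# owner differs from OWNER_UID (assumed default: 0, i.e. root).
audit_suid_perl() {
    dir=$1
    want_uid=${2:-0}
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if is_perl_script "$f"; then
            mode=$(stat -c '%a' "$f")
            uid=$(stat -c '%u' "$f")
            status=OK
            # Leading 0 makes the shell read the mode as octal.
            [ $(( 0$mode & 022 )) -ne 0 ] && status=WARN
            [ "$uid" -ne "$want_uid" ] && status=WARN
            printf '%s %s %s %s\n' "$status" "$mode" "$uid" "$f"
        fi
    done
}

# When called with arguments, audit the given directory, e.g.:
#   sh audit_suid_perl.sh /usr/local/bin
if [ "$#" -gt 0 ]; then
    audit_suid_perl "$@"
fi
```

Any line marked WARN points at a script that someone other than its owner can modify, or that would run under an unexpected user id, and should be fixed before sperl is made setuid.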

 

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 3436932
  • Creation Date: 16-Jan-2008
  • Modified Date: 04-Mar-2021
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
