Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Critical
Fix Version/s: rhel-10.2
Affects Version/s: rhel-8.10, rhel-9.6, rhel-10.0
Component/s: perl
Labels:
None

Regression:
No
Severity:
Critical
Keywords:

ZStream

AssignedTeam:
rhel-stacks-services-scripting
Sub-System Group:

ssg_core_services

Story Points:
0
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Products:

Red Hat Enterprise Linux
Sprint:
None
Release Blocker:
Approved Blocker
Target Backport Versions:

rhel-8.10.z, rhel-9.7

Preliminary Testing:
None
Test Coverage:
None

ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
PX Impact Range:
PX Priority Data:
PX Review Complete:
PX Scheduling Request:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

When executing a perl script under sudo and sudo has a line to verify the checksum, then the $0 is reported as /dev/fd/6 instead of script being interpreted, which is expected. However resolving the file descriptor doesn't work because the file descriptor got closed already early by perl interpreter, as shown in the example below.

perl script `/usr/local/bin/script.pl`

#!/usr/bin/perl

use strict;
use warnings;

use Cwd qw( abs_path );

print "\$0: $0\n";
print "abs_path(\$0): " . abs_path($0) . "\n";

configure sudo to verify the checksum

# echo "user ALL=NOPASSWD: sha256:$(sha256sum /usr/local/bin/script.pl)" > /etc/sudoers.d/user

execute the script under sudo

(user) $ sudo /usr/local/bin/script.pl
$0: /dev/fd/6
abs_path($0): /proc/9839/fd/6

Having /dev/fd/6 is expected because sudo makes use of execveat() to execute the script, instead of "regular" execve(), as seen with stracing:

9837  12:51:09.752045 execve("/usr/bin/sudo", ["sudo", "/usr/local/bin/script.pl"], ...
 :
9839  12:51:09.794910 execveat(6</usr/local/bin/script.pl>, "", ["/usr/local/bin/script.pl"], ..., AT_EMPTY_PATH) = 0
 :

However, internally, as soon as Perl starts, the file descriptor gets closed, causing abs_path() to not be resolvable into the script name:

 :
9839  12:51:09.799366 read(6</usr/local/bin/script.pl>, "#!/usr/bin/perl\n\nuse strict;\nuse warnings;\n\nuse Cwd qw( abs_path );\n\nprint \"\\$0: $0\\n\";\nprint \"abs_path(\\$0): \" . abs_path($0) . \"\\n\";\n", 8192) = 135 <0.000006>
9839  12:51:09.805321 read(6</usr/local/bin/script.pl>, "", 8192) = 0 <0.000008>
9839  12:51:09.805344 close(6</usr/local/bin/script.pl>) = 0 <0.000007>
 :
9839  12:51:09.805383 write(1</dev/pts/0<char 136:0>>, "$0: /dev/fd/6\n", 14) = 14 <0.000116>
9839  12:51:09.805814 write(1</dev/pts/0<char 136:0>>, "abs_path($0): /proc/9839/fd/6\n", 30) = 30 <0.000033>

Due to this bug/limitation inside Perl, it's impossible to know which script is currently executing.

links to

Related KCS providing a workaround

Assignee:: Michal Josef Spacek

Reporter:: Renaud Métrich

Need Info From:: Mason Loring Bliss

Developer:: perl-maint-list

QA Contact:: Martin Kyral

Votes:: 0 Vote for this issue

Watchers:: 15 Start watching this issue

Created:: 2025/05/20 11:00 AM

Updated:: 2025/10/09 11:28 PM

Stale Date:: 2026/10/02

Details

Description

perl script /usr/local/bin/script.pl

configure sudo to verify the checksum

execute the script under sudo

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide

perl script `/usr/local/bin/script.pl`