Insecure setuid? (PERL CGI Beginners mailing list archive, August 2005)
| Christopher G Tantalo 2005-08-09, 8:59 am |
| Can anyone shed some light on what this error means?

    Insecure $ENV{PATH} while running setuid at
    /var/appl/sls/bin/driver.pl line 1104.

Line 1104 is

    print `date`;

If I comment this out, then the following error message appears:

    Insecure dependency in open while running setuid at
    /var/appl/sls/bin/driver.pl line 1249.

Line 1249 is

    my $err_file = $ENV{"SLS_LOG_PATH"} . "/drivererror" . $rt_id . ".err";

actually 1249 --->

    open(ERR_FILE,">>$err_file") || die "cannot open $err_file for reading:$!";

Not sure what insecure warnings mean in terms of setuid. Any answer
would be much appreciated.
Thanks
Chris
-----------------------------------------------
Just Your Friendly Neighborhood
_SPIDEY_
| |
| Wiggins d'Anconia 2005-08-09, 4:59 pm |
| Tantalo, Christopher G wrote:
> Can anyone shed some light on what this error means?
> Insecure $ENV{PATH} while running setuid at
> /var/appl/sls/bin/driver.pl line 1104.
> Line 1104 is
> print `date`;
>
You shouldn't shell out to date anyways, especially in the above manner
with no error checking, etc. Perl has builtin functions for collecting
date information.
> If I comment this out, then the following error message appears:
> Insecure dependency in open while running setuid at
> /var/appl/sls/bin/driver.pl line 1249.
> Line 1249 is
> my $err_file = $ENV{"SLS_LOG_PATH"} . "/drivererror" . $rt_id . ".err";
> actually 1249 ---> open(ERR_FILE,">>$err_file") ||die "cannot open
> $err_file for reading:$!";
>
> Not sure what insecure warnings mean in terms of setuid. Any answer
> would be much appreciated.
> Thanks
> Chris
Because you are running setuid the taint mechanism is on. See,
perldoc perlsec
For more info. Whenever you have an error/warning you don't understand
that was thrown by Perl you can find more info in:
perldoc perldiag
HTH,
http://danconia.org
| |
| Christopher G Tantalo 2005-08-09, 4:59 pm |
| Ok, the date issue I can solve using the built-in date functionality.

The second issue: I am trying to see if the data is untainted by using

    my $err_file = $ENV{"SLS_LOG_PATH"} . "/drivererror" . $rt_id . ".err";
    if ($err_file =~ /^([-\@\w.]+)$/) {
        $err_file = $1;                  # $err_file now untainted
    } else {
        die "Bad data in '$err_file'";   # log this somewhere
    }

But this falls into the else section and the message

    Bad data in '/var/appl/sls/log/drivererror1757.err' at
    /var/appl/sls/bin/driver.pl line 1256

gets printed out.

According to the documentation, this should clear up the issue, but I am
unsuccessful so far.
Chris
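As an added illustration (not code from the thread), the taint-mode hygiene perlsec describes for a setuid script like driver.pl: set $ENV{PATH} explicitly before any backticks, and untaint the log path with a pattern that admits '/'. The posted class `[-\@\w.]` contains no slash, so an absolute path such as /var/appl/sls/log/drivererror1757.err can never match and always lands in the else branch. SLS_LOG_PATH and the value 1757 come from the thread; the helper name untaint_path and the PATH value are my assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: taint-safe setup for a setuid
# Perl script that shells out and appends to a log file built from %ENV.
use strict;
use warnings;

# Backticks and system() refuse to run while $ENV{PATH} is tainted
# ("Insecure $ENV{PATH} while running setuid"), so set a known-good
# value and drop the other variables perlsec warns about.
$ENV{PATH} = '/bin:/usr/bin';            # assumed safe directories
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint an absolute path. Capturing with a regex is the only thing
# that clears taint; the character class must include '/' for a full
# path to match. Parent-directory components are rejected outright.
sub untaint_path {
    my ($candidate) = @_;
    return unless defined $candidate;
    return if $candidate =~ m{(?:\A|/)\.\.(?:/|\z)};  # no ".." hops
    return $1 if $candidate =~ m{\A(/[-\w./]+)\z};    # $1 is untainted
    return;                                           # anything else: bad data
}

my $log_dir = untaint_path($ENV{SLS_LOG_PATH})
    or die "Bad data in SLS_LOG_PATH\n";
my $rt_id = 1757;   # constructed, stands in for the thread's $rt_id
my $err_file = untaint_path("$log_dir/drivererror${rt_id}.err")
    or die "Bad data in error-file path\n";

# Three-argument open with an untainted path; no shell is involved.
open my $err_fh, '>>', $err_file
    or die "cannot open $err_file for appending: $!";
# localtime replaces the `date` backticks from line 1104 entirely.
print {$err_fh} scalar(localtime), " driver started\n";
close $err_fh or die "close $err_file: $!";
```

Run it as `perl -T script.pl` with SLS_LOG_PATH pointing at a writable directory; invoking it without -T when the shebang carries -T produces "Too late for -T".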
| |
| Christopher G Tantalo 2005-08-16, 5:00 pm |
| Well, I seem to have cleaned up my insecure errors, and now get:

    LOCATION: connected
    ERROR: install_driver(Oracle) failed: Can't load
    '/opt/perl5/lib/site_perl/5.8.5/PA-RISC2.0-LP64/auto/DBD/Oracle/Oracle.sl' for module DBD::Oracle: No such file or directory at
    /opt/perl5/lib/5.8.5/PA-RISC2.0-LP64/DynaLoader.pm line 230.
    at (eval 10) line 3
    Compilation failed in require at (eval 10) line 3.
    Perhaps a required shared library or dll isn't installed where expected
    at /var/appl/sls/bin/driver.pl line 142

I am thinking it has to be a permissions issue, but cannot, for the life
of me, figure it out. Mainly because this was working 2 months ago,
until the security group here changed some things on our unix box, and
now things don't run from the command line.

Basically, the flow of the program should be:

    Prog_launch.pl --> inserts a record into a table (this part works)
                   --> updates it to set off a trigger (this part works)
    Perl_trg.trg   --> resides on database, and uses a java stored procedure to
                       execute a command line to run code on a different machine
                       using another perl program as the driver (this part works)
    Driver.pl      --> fails on the connect to database (used to work
                       before security mucked with machine)

I have checked permissions for Oracle.sl libraries, and made sure the
LD_LIBRARY_PATH and PATH are set correctly, but still no luck.
Is there something obvious I am overlooking?