PerlMonks  

eval $fh while setuid...

by PsychoSpunk (Hermit)
on Aug 03, 2001 at 20:07 UTC [id://102022]

PsychoSpunk has asked for the wisdom of the Perl Monks concerning the following question:

I have a script that needs to run with the setuid bit on since it ends up writing to the file that eval can't evaluate. The script is securely accessed, so immediate security concerns regarding setuid should be allayed. Further, I'm not giving it super user power, just simple owner of the file power.

The script is run through a web browser and therefore starts life off with $< = getpwnam(nobody)[2] (not actually written but here for those of you needing a refresher on unix calls).

Anyway, here's the code that fails and the error message:

    use FileHandle;

    sub _read_config {
        my $fh = FileHandle->new("Config_filename", "r")
            or die "Cannot open Config_filename: $!";
        local $/;      # slurp: eval gives <$fh> scalar context, so without this only the first line is read
        eval <$fh>;    # file input is tainted while running setuid, which is what triggers the error below
        die "Config_filename improperly formatted:\n$@" if ($@);
        $fh->close();
    }

    Insecure dependency in eval while running setuid at ../Tools/CSSconfig.pm line 38, <GEN0> line 1.
    Compilation failed in require at ../Tools.pm line 15, <GEN0> line 1.
    BEGIN failed -- compilation aborted at ../Tools.pm line 15.
    Compilation failed in require at /home/PsychoSpunk/public_html/cgi-bin/Tools/saveconfig.cgi line 7.
    BEGIN failed -- compilation aborted at /home/PsychoSpunk/public_html/cgi-bin/Tools/saveconfig.cgi line 7.

The script itself is setuid, while my modules aren't. Would this be the cause of the adverse effect reported in my error_log file? Or is there something more insidious at play here? Of course, use strict and -w are in effect, and I did try placing the eval in a block with no strict; these efforts just moved the line numbers of the error.

Thanks for any advice. /msg me if you have questions.

ALL HAIL BRAK!!!

Re: eval $fh while setuid...
by chipmunk (Parson) on Aug 03, 2001 at 20:20 UTC
    The first place to turn when you want to understand a Perl diagnostic message is the perldiag documentation. For this error, it tells us:
    Insecure dependency in %s
    (F) You tried to do something that the tainting mechanism didn't like. The tainting mechanism is turned on when you're running setuid or setgid, or when you specify -T to turn it on explicitly. The tainting mechanism labels all data that's derived directly or indirectly from the user, who is considered to be unworthy of your trust. If any such data is used in a "dangerous" operation, you get this error. See the perlsec manpage for more information.
    So, this code is reading in tainted data, and then trying to eval it. That's possibly very dangerous, so Perl doesn't let you do it.

    I'm not sure whether this module is something you've written... If you really want to stick with the eval approach, you can untaint the data before you eval it. (See perlsec for how to untaint data.)

    However, it would be better if this config file were stored in a way that didn't require being evaled. For example, it could use one of the config modules from CPAN.

      Thanks chipmunk,

      /me forgets the little things sometimes.

      I took your advice and reviewed all the links you provided. The real reason I hadn't thought about the config modules in CPAN was because I am using Data::Dumper to create the config file in the first place, also from within the web browser so that I don't have to go and muck with the file at all and I should be relatively guaranteed that it's valid perl (as long as it stays safely out of the evil hands of others). Thus, I figured that reading it in via eval would be a perfectly decent solution.

      ALL HAIL BRAK!!!
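Added example, not code from this thread or from PsychoSpunk's project: a config reader in the direction chipmunk suggests, one that never calls eval. It assumes a "key = value" line format and a whitelist of three made-up keys (data_dir, max_items, title); each value is untainted by a capture from a per-key pattern, so the script runs cleanly under perl -T (file input is tainted there exactly as it is under setuid). The sample config is constructed and written to a temp file so the example runs offline.

```perl
#!/usr/bin/perl -T
# Added example (not the thread's code): load a config under taint mode
# without eval. Assumed format: "key = value" lines, '#' comments allowed.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Whitelist of allowed keys and the exact shape each value may take.
# The capture group is what untaints the value (see perlsec). The key
# names and patterns are assumptions for this example.
my %ALLOWED = (
    data_dir  => qr/^(\/[\w.\/-]+)$/,      # absolute path, safe characters only
    max_items => qr/^([1-9]\d{0,4})$/,     # integer 1..99999
    title     => qr/^([\w ,.!-]{1,60})$/,  # short printable string
);

# Parse a filehandle; returns a hashref, or dies on any unexpected input.
sub read_config {
    my ($fh) = @_;
    my %cfg;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;                  # skip comments and blank lines
        my ($key, $value) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "line $.: not a key = value line\n";
        my $pattern = $ALLOWED{$key}
            or die "line $.: unknown key '$key'\n";
        my ($clean) = $value =~ $pattern
            or die "line $.: value for '$key' has an unexpected form\n";
        $cfg{$key} = $clean;                           # $clean is untainted
    }
    return \%cfg;
}

# Constructed sample config, written to a temp file so that the data is
# read back through a real filehandle (and is therefore tainted under -T).
my ($tmp, $path) = tempfile(UNLINK => 1);
print {$tmp} <<'CFG';
# site settings
data_dir  = /home/example/data
max_items = 25
title     = Daily notes
CFG
close $tmp or die "close: $!";

open my $fh, '<', $path or die "open $path: $!";
my $cfg = read_config($fh);
close $fh;
printf "%-10s %s\n", $_, $cfg->{$_} for sort keys %$cfg;

# A value that eval would happily run is simply rejected by the validator.
open my $bad, '<', \"title = unlink 'important'\n" or die "open: $!";
eval { read_config($bad) };
print "rejected: $@";
```

Run it as perl -T read_config.pl. The point of the per-key patterns is that validation and untainting are the same step: a value only becomes usable once it has matched the shape that key is allowed to have, and nothing in the file is ever treated as Perl code.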

Re: eval $fh while setuid...
by melguin (Pilgrim) on Aug 03, 2001 at 22:54 UTC
    Perhaps something like the following would work:
    use FileHandle;

    sub _read_config {
        my $tainted_fh = FileHandle->new("Config_filename", "r")
            or die "Cannot open Config_filename: $!";
        my $tainted = do { local $/; <$tainted_fh> };   # slurp the (tainted) file contents
        $tainted_fh->close();
        # Untaint by matching against a pattern and keeping only the capture.
        my $config;
        if ($tainted =~ /^(.+)$/s) {    # /s so the match spans the whole file
            $config = $1;
        }
        die "Config_filename could not be untainted\n" unless defined $config;
        eval $config;
        die "Config_filename improperly formatted:\n$@" if ($@);
    }
    NOTE: leaving the "/^(.+)$/" like that is BAD, BAD, BAD. Make it more specific.
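Added example, not melguin's or PsychoSpunk's code, covering melguin's note that the untaint pattern must be more specific and PsychoSpunk's remark that the file is written by Data::Dumper. It assumes the config is a single flat hash of string values, as Data::Dumper prints it (the $VAR1 = { 'key' => 'value', ... }; layout), and it assumes a character class for values that is deliberately narrow. The pattern describes the shape of the whole file, so anything that is valid Perl but not a config of that shape is refused before eval ever sees it. Both sample files are constructed.

```perl
#!/usr/bin/perl -T
# Added example (not the thread's code): untaint a Data::Dumper-style
# config with a pattern for the whole file instead of the catch-all /^(.+)$/.
use strict;
use warnings;

# One key/value line as Data::Dumper prints it:  'key' => 'value',
# The allowed value characters are an assumption for this example.
my $pair = qr{ \s* '\w+' \s* => \s* '[\w ./-]*' ,? \n }x;

# The whole document: assignment to $VAR1, zero or more pairs, closing brace.
my $config_shape = qr{ \A \$VAR1 \s* = \s* \{ \n (?:$pair)* \} ; \n* \z }x;

# Returns the config hashref; dies without evaluating text that does not
# match the expected shape. The capture is what untaints the text.
sub load_dumped_config {
    my ($text) = @_;
    my ($clean) = $text =~ /($config_shape)/
        or die "config does not match the expected Data::Dumper shape\n";
    our $VAR1;                  # Dumper output assigns to $VAR1; declare it for strict
    my $cfg = eval $clean;      # $clean is untainted and already validated
    die "config failed to evaluate: $@" if $@;
    return $cfg;
}

# Constructed sample, laid out as Data::Dumper writes it with Indent = 1.
my $good = <<'END';
$VAR1 = {
  'data_dir' => '/home/example/data',
  'title' => 'Daily notes'
};
END

# Constructed sample: valid Perl, and accepted by /^(.+)$/, but not a config.
my $bad = <<'END';
$VAR1 = do { unlink 'important-file'; +{} };
END

my $cfg = load_dumped_config($good);
print "$_ = $cfg->{$_}\n" for sort keys %$cfg;

printf "catch-all /^(.+)\$/ accepts the bad file: %s\n",
    ($bad =~ /^(.+)$/) ? 'yes' : 'no';
eval { load_dumped_config($bad) };
print "shape pattern rejects it: $@";
```

Run it as perl -T load_dumped_config.pl. The shape pattern is intentionally stricter than what Data::Dumper can emit (no escaped quotes, no nested structures); when the config grows beyond a flat hash of plain strings, the better move is the one chipmunk made above, a format that is parsed rather than evaluated.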
