eval $fh while setuid...

PsychoSpunk has asked for the wisdom of the Perl Monks concerning the following question:

I have a script that needs to run with the setuid bit on since it ends up writing to the file that eval can't evaluate. The script is securely accessed, so immediate security concerns regarding setuid should be allayed. Further, I'm not giving it super user power, just simple owner of the file power.

The script is run through a web browser and therefore starts life off with $< = getpwnam(nobody)[2] (not actually written but here for those of you needing a refresher on unix calls).

Anyway, here's the code that fails and the error message:

sub _read_config {
    my $fh = FileHandle->new("Config_filename", "r");
    eval <$fh>;
    die "Config_filename improperly formatted:\n$@" if ($@);
    $fh->close();
}
[download]

Insecure dependency in eval while running setuid at ../Tools/CSSconfig
+.pm line 38, <GEN0> line 1.
Compilation failed in require at ../Tools.pm line 15, <GEN0> line1.
BEGIN failed -- compilation aborted at ../Tools.pm line 15.
Compilation failed in require at /home/PsychoSpunk/public_html/cgi-bin
+/Tools/saveconfig.cgi line 7.
BEGIN failed -- compilation aborted at /home/PsychoSpunk/public_html/c
+gi-bin/Tools/saveconfig.cgi line 7.
[download]

The script itself is setuid, while my modules aren't. Would this be the cause of the adverse effect reported in my error_log file? Or is there something more insidious at play here? Of course, use strict and -w are in effect, and I did try placing the eval in a block with no strict; These efforts just moved the line numbers for the error.

Thanks for any advice. /msg me if you have questions.

ALL HAIL BRAK!!!

Comment on eval $fh while setuid... Select or Download Code

Replies are listed 'Best First'.
Re: eval $fh while setuid... by chipmunk (Parson) on Aug 03, 2001 at 20:20 UTC
The first place to turn when you want to understand a Perl diagnostic message is the perldiag documentation. For this error, it tells us: `Insecure dependency in %s (F) You tried to do something that the tainting mechanism didn't like. The tainting mechanism is turned on when you're running setuid or setgid, or when you specify -T to turn it on explicitly. The tainting mechanism labels all data that's derived directly or indirectly from the user, who is considered to be unworthy of your trust. If any such data is used in a "dangerous" operation, you get this error. See the perlsec manpage for more information.` [download] So, this code is reading in tainted data, and then trying to eval it. That's possibly very dangerous, so Perl doesn't let you do it. I'm not sure whether this is module is something you've written... If you really want to stick with the eval approach, you can untaint the data before you eval it. (See perlsec for how to untaint data.) However, it would be better if this config file were stored in a way that didn't require being evaled. For example, it could use one of the config modules from CPAN.	[reply] [d/l]
Re: Re: eval $fh while setuid... by PsychoSpunk (Hermit) on Aug 04, 2001 at 00:17 UTC
Thanks chipmunk, /me forgets the little things sometimes. I took your advice and reviewed all the links you provided. The real reason I hadn't thought about the config modules in CPAN was because I am using Data::Dumper to create the config file in the first place, also from within the web browser so that I don't have to go and muck with the file at all and I should be relatively guaranteed that it's valid perl (as long as it stays safely out of the evil hands of others). Thus, I figured that reading it in via eval would be a perfectly decent solution. ALL HAIL BRAK!!!	[reply]
Re: eval $fh while setuid... by melguin (Pilgrim) on Aug 03, 2001 at 22:54 UTC
Perhaps something like the following would work: `sub _read_config { my $tainted_fh = FileHandle->new("Config_filename", "r"); if ($tainted_fh -~ /^(.+)$/) { my $fh = $1 } eval <$fh>; die "Config_filename improperly formatted:\n$@" if ($@); $fh->close(); }` [download] NOTE: leaving the "/^(.+)$/" like that is BAD, BAD, BAD. Make it more specific.	[reply] [d/l]