Do I need a setuid script ?

katzuma has asked for the wisdom of the Perl Monks concerning the following question:

This one is a bit messy to explain but i've spent several hours on it without getting the point ...
I' ll try to describe the scenario:

The main script accepts some arguments and then creates a SWF (Macromedia Flash ) file in a world-writable folder .. This is mainly done using some powerful modules from cpan..(SWF:: / DATA::Temporary Bag / among others) so i'm not going to post the code.. Infact the program itself works. It works fine also triggered by a CGI script but only from the command line because, when in a browser, the system call that runs the mainscript returns an error ( log : Can't use an undefined value as a symbol reference at /Library/Perl/Data/TemporaryBag.pm line 202.)

Ok.. my question is : if it works from the command line is because the system knows it's me ($> ) and when in the browser the user is www.. So it's a permission issue with all the setuid consequences ?
I thougth it could be this because when triggered by a browser the program creates the SWF file anyway (which is chmoded 777) but the file is zero byte and it seems like the program can't write the binary stream into it. If i debug the process ( but i really don't know how to use the debugger) it seems that the problem occurs when the module tries to open a filehandle..

Bah...im really confused. I hope i gave enough informations to get some help thanks in advance
Katzuma

2001-12-10 Edit by Corion : Lowercased title and added formatting.

Comment on Do I need a setuid script ?

Replies are listed 'Best First'.
Re: Do I need a Setuid script? by dws (Chancellor) on Dec 10, 2001 at 04:33 UTC
"Can't use an undefined value as a symbol reference" is a runtime errors. There are lots of ways to cause a runtime error. Some relate to permissions, some don't. If you're able to create the SWF (even if it ends up empty), chances are good that you'll be able to complete the task without resorting to Setuid. Debugging 101 says to figure out what is undefined and why. It might help to do that before you starting throwing potential solutions around. If TemporaryBag.pm is one of yours, consider posting part of it. Lines 190-210 might be nice.	[reply]
Re: Do I need a setuid script ? by atcroft (Abbot) on Dec 10, 2001 at 09:32 UTC
This does not sound like an issue that would be resolved via making the script setuid. Without seeing the code, we can only speculate, and hope that something we post here helps you. As was already posted, it sounds like perhaps either an issue of something not being defined as expected, or going out of scope earlier than expected, or perhaps something different in the environment the webserver will use than from your normal environment (paths, etc.). Does the webserver have appropriate permissions on the directory to write a file to it? You mention that the SWF file is chmod'd 777-in general, this is a BAD thing (from a security standpoint, see also Security issues when allowing file upload via CGI, among other posts on that arena). I would seriously doubt that the generated file needs to be executable, so another permission might be a better (at worst, maybe 666). I hope this, and suggestions from the many monks much wiser than my lowly self, help you with this question.	[reply]
Re: Do I need a setuid script ? by fsn (Friar) on Dec 10, 2001 at 17:24 UTC
As other, more experienced, monks pointed out, permissions doesn't seem to be the problem since you actually created the file - something else is wrong. So i'm not going to dwelve into that... I would, instead, like to question the need for writing the file at all. You might have a very valid reason for actually writing the file to disc, but I would suggest creating the SWF file on the fly when it is requested, if possible. That way you can send the file directly to the browser without having to store it locally. Without knowing more about the nature of the cgi-script, I cannot tell if it is feasible. If the SWFfile is created from a single argument, like a textstring, I think you should consider this approach.	[reply]
Re: Re: Do I need a setuid script ? by Anonymous Monk on Dec 10, 2001 at 18:54 UTC
thanks for the suggestions and sorry if my question was kind of incomplete.. I was all about 'permission problem' cos during development i was getting some error-logs about that and also because of the 'command-line' success'.... Talking about creating the SWF on the fly ...i have to admit i don't even know how to start doing this... Do i print it to the browser?	[reply]
Re: Re: Re: Do I need a setuid script ? by fsn (Friar) on Apr 09, 2002 at 17:39 UTC
The short answer is that, yes, you just print to the browser. You must begin with a correct Content-type-header, then two linefeeds and then you print the SWF data to the browser. Something like print "Content-type: application/x-shockwave-flash\n\n"; print $SWFdata; would suffice as a really simple SWF-on-the-fly-generation-CGI- script. You get the picture. The part where you generate $SWFdata is obviously the non-trivial part, but you seem to have solved that already. If I remember correctly, there is a SWF-creation module that's perhaps worth checking out.	[reply]