kanabrian has asked for the wisdom of the Perl Monks concerning the following question:

There is a Perl (CGI) script which is intended to send e-mails which contain attachments which were previously stripped. It goes through all the e-mails residing in /attachments/new/. It searches through each e-mail for description: name of the receiver, date, sender, subject. It then prints these details so that the admin/user has the ability to search, or has the ability to click on the check box beside the details and submit, so that these e-mails can then be sent to the destination. The problem that I am facing is that when I try to read the e-mails in /attachments/new/, I am faced with this error:
Can't open /attachments/new/ Permission denied at /usr/lib/attachmaster/cgi/testhtml2.cgi line 64.
So I reset my permission to my script appropriately. In that case, the script is able to open up the emails and read the files in the directory. However, when the check box is clicked and submitted, the following error message shows up:
Insecure $ENV{PATH} while running setuid at /usr/lib/attachmaster/cgi/testhtml2.cgi line 247.

Re: Insecure $ENV{PATH}
by joe++ (Friar) on Dec 10, 2002 at 16:35 UTC
    Apparently you made your script setuserid (under Solaris or the like, Linux doesn't let you AFAIK) and thus turned on Taint mode.

    Quick fix: explicitly set your env like this:

    $ENV{PATH} = '/bin:/usr/bin:/opt/bin'; # adapt as necessary
    HTH!

    --
    Cheers, Joe

Re: Insecure $ENV{PATH}
by Anonymous Monk on Dec 10, 2002 at 17:14 UTC

    This is directly from perlsec which you should read immediately. There are other environment variables which must also be set so this snippet is only a teaser - there's more required reading.

    Cleaning Up Your Path

    For "Insecure $ENV{PATH}" messages, you need to set $ENV{'PATH'} to a known value, and each directory in the path must be non-writable by others than its owner and group. You may be surprised to get this message even if the pathname to your executable is fully qualified. This is not generated because you didn't supply a full path to the program; instead, it's generated because you never set your PATH environment variable, or you didn't set it to something that was safe. Because Perl can't guarantee that the executable in question isn't itself going to turn around and execute some other program that is dependent on your PATH, it makes sure you set the PATH.
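The two replies above give the fix (set $ENV{PATH}) and the reason (perlsec's rules for taint mode). The following is an added example, not code from the thread or from the original poster's script, showing what a taint-mode CGI would do before it is allowed to run an external command: fix PATH, drop the other shell-sensitive variables perlsec lists, verify each PATH directory is not group- or world-writable, and untaint the checkbox value before it reaches a command. The directory list, the /bin/ls command and the file-name pattern are assumptions for the example; adapt them to the host.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Added example (not from the thread): environment clean-up required by
# perlsec before a taint-mode (-T or setuid) script may call system(),
# exec(), backticks or open a pipe.

# 1. Replace the inherited PATH with a fixed, known list of directories.
#    Assumption: these directories exist and are owned by root on the host.
$ENV{PATH} = '/bin:/usr/bin';

# 2. Remove the other variables perlsec warns about. A shell started by
#    system() would honour them and they can change which program runs.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 3. Check every PATH directory up front. Taint mode refuses a PATH that
#    contains a group- or world-writable directory; checking here gives a
#    clearer error message than "Insecure $ENV{PATH}" at the system() call.
sub unsafe_path_dirs {
    my ($path) = @_;
    my @bad;
    for my $dir (split /:/, $path) {
        if ($dir eq '') {                 # empty element means "." (never safe)
            push @bad, '(empty element)';
            next;
        }
        if (!-d $dir) {
            push @bad, "$dir (missing)";
            next;
        }
        my $mode = (stat $dir)[2] & 0777;
        # 022 = group-write or other-write bit set
        push @bad, sprintf('%s (mode %04o)', $dir, $mode) if $mode & 022;
    }
    return @bad;
}

if (my @bad = unsafe_path_dirs($ENV{PATH})) {
    die "Refusing to run with unsafe PATH entries: @bad\n";
}

# 4. Untaint the value that came from the form. In taint mode the only way
#    to clear the taint is a regex capture, so the pattern IS the policy:
#    the checkbox value must be a plain mail file name (word characters,
#    dots and dashes, assumed for the example). Anything else is rejected
#    rather than handed to a command.
sub untaint_filename {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A([\w.-]+)\z/;
    return undef;
}

# For the example the checkbox value is taken from the command line; in the
# CGI it would come from the submitted form in the same way.
my $file = untaint_filename($ARGV[0]);
defined $file or die "Rejected file name\n";

# With PATH cleaned and $file untainted, an external command no longer
# triggers "Insecure $ENV{PATH}" or "Insecure dependency". The list form of
# system() avoids the shell entirely; the command path is an assumption.
my $dir = '/attachments/new';
system('/bin/ls', '-l', "$dir/$file") == 0
    or die "ls failed: $?\n";
```

Run it as `perl -T script.pl 1039521234.mail` (a constructed file name). Note that the check in step 3 only covers PATH itself; the "Permission denied" from the first error is a separate matter of the web server's user being unable to read /attachments/new/, and making the script setuid to get around that is exactly what switched taint mode on.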