in reply to Error using -T...

powerhouse,

Are you trying to setgid or setuid? There are a few ways possible to get this particular error message.
Why not show us the code? We may be able to offer better assistance.

Kristofer Hoch

Si vos can lego is, vos es super erudio

Re: Error using -T...
by powerhouse (Friar) on May 31, 2003 at 19:58 UTC
    here is the code:
        $Page_Dir = "/home/some/backend/pagez";
        $pg = $in{pg};
        $pg = "home" if !$pg;
        if (-e "$Page_Dir/$pg.conf") {
            require "$Page_Dir/$pg.conf";
        }
        ($page_content,$title) .= run_page_mill($pg);
        # above line checks the database for the
        # page title and content
    That is the only part appearing to give me any trouble...
    I think I might be calling the content too late, I might have to call it BEFORE the functions, so that the require will already have the page content.

    thx,
    Richard

      Where did the values in your hash %in come from? If they came into the program from an external source (as is implied by the name:) then they will be tainted and you will need to un-taint them before you can use them as part of the filename you supply to require.

      The theory goes that as require is nothing but a sophisticated eval, then the 'bad guy' can place his evil requirements in a file /home/some/backend/pagez/wicked.conf, supply the name 'wicked' to your program and you will run whatever bad stuff he puts in there.


      Examine what is said, not who speaks.
      "Efficiency is intelligent laziness." -David Dunham
      "When I'm working on a problem, I never think about beauty. I think only how to solve the problem. But when I have finished, if the solution is not beautiful, I know it is wrong." -Richard Buckminster Fuller


        %in is from CGI.pm
        ReadParse(\%in);
        using cgi-lib

        How could they put wicked.conf in there, without knowing my password to the server? I have logged in under different accounts and tried to create files into it, and modify them using Shell, but I can only view them, if I change them, when I go to save them, I get a permission denied. I don't have world write to it either.

        So I guess I just don't understand how they could write to that location. If they have my username and password to the server, then they can change anything anyways.

        I am interested in hearing more if you know more :o)

        Thanks,
        Richard
      I'm no expert on this sort of thing, but given the circumstances, I would prefer to do it as follows:
          # assume $Page_Dir assigned as per your post
          opendir CONF, $Page_Dir;
          my @conf_files = grep /\.conf$/, readdir( CONF );
          closedir CONF;
          # \Q...\E keeps regex metacharacters in the form value literal
          ($pg) = grep /^\Q$in{pg}\E\.conf$/, @conf_files;
          if ( $pg ) {
              require "$Page_Dir/$pg";
          }
          ...
      The point here is that the "require" statement is based entirely on information that is internal to the server -- input from a cgi form is only used to decide which known file name is being passed to "require" -- if user input does not match a safe, untainted string, it cannot have any bad side-effect.
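
An added example (not code from any poster in this thread) that combines the two replies above: the `pg` value is untainted with an allow-list regex capture, then checked against the real directory listing before `require`. Under -T the names returned by readdir are themselves tainted, so the path is built from the captured name. The function name `conf_path_for`, the 32-character limit and the temporary demo directory are assumptions made for illustration.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Return a path to "<name>.conf" inside $dir that is safe to require,
# or undef if the request is malformed or no such file exists.
sub conf_path_for {
    my ($dir, $requested) = @_;
    return unless defined $requested;

    # 1. Untaint by capture: a short name of letters, digits, _ or - only.
    #    No dots or slashes, so "../x" and "a/b" never get through.
    my ($name) = $requested =~ /\A([A-Za-z0-9_-]{1,32})\z/
        or return;

    # 2. The name must also match a file that really is in $dir. Entries
    #    from readdir are tainted under -T, so they are only compared
    #    against; the returned path uses the captured $name.
    opendir my $dh, $dir or die "opendir $dir: $!";
    my $found = grep { $_ eq "$name.conf" } readdir $dh;
    closedir $dh;

    return $found ? "$dir/$name.conf" : undef;
}

# Constructed demo: a temporary page directory with home.conf and about.conf.
my $page_dir = tempdir(CLEANUP => 1);
for my $page (qw(home about)) {
    open my $fh, '>', "$page_dir/$page.conf" or die "open: $!";
    print {$fh} "1;\n";
    close $fh or die "close: $!";
}

# Constructed request values standing in for $in{pg}.
for my $pg ('home', 'about', 'wicked', '../../etc/passwd', 'home.conf', '') {
    my $path = conf_path_for($page_dir, $pg);
    if (defined $path) {
        require $path;
        print "loaded   '$pg'\n";
    }
    else {
        print "rejected '$pg'\n";
    }
}
```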