vancetech has asked for the wisdom of the Perl Monks concerning the following question:

I am writing a perl daemon on FreeBSD 5.4-RELEASE that pre-forks a number of children and I am getting this tainted error when I'm not even using the -T switch in my #!/usr/bin/perl line.

The daemon runs as root and gives this error only when I change the child users to an unprivileged work user. If I leave them as root, I don't get a tainted error.

Why is this?

Re: Insecure dependency in connect while running with -T switch
by dave_the_m (Monsignor) on Mar 10, 2006 at 10:52 UTC
    If the process has differing real and effective UIDs, then perl assumes you're running a setuid script and turns on tainting automatically. This may be what's happening to you; in which case, try changing both real and effective UIDs.

    Dave.
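An added example (not posted in the thread) of what Dave's reply asks for: a pre-forked child dropping to an unprivileged account so that real and effective UIDs and GIDs all end up equal. Perl re-checks the "am I setuid?" condition each time `$<`, `$>`, `$(` or `$)` is assigned, so the order of the assignments matters: changing the real UID while the effective UID is still root, or the GIDs after the UIDs, leaves a moment where the IDs differ and taint checks get switched on. The account name `work` and the child count are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the thread: drop privileges in a pre-forked child
# without ever leaving real and effective IDs different.
use strict;
use warnings;
use POSIX qw(_exit);

# Resolve the unprivileged account once, while still root.
my $WORK_USER = 'work';                      # assumed account name
my ($uid, $gid) = (getpwnam($WORK_USER))[2, 3];
defined $uid or die "no such user: $WORK_USER\n";

# Returns 1 if the interpreter currently sees differing real/effective IDs,
# which is the condition that makes perl enable taint checks without -T.
sub ids_differ {
    my ($egid) = split ' ', $);
    return ($< != $> || $( != $egid) ? 1 : 0;
}

sub drop_privileges {
    my ($uid, $gid) = @_;

    # Groups first, while the real UID is still 0.
    $) = "$gid $gid";        # effective GID plus supplementary group list
    $( = $gid;               # real GID
    # Effective UID is assigned first (right-to-left), then the real UID.
    $< = $> = $uid;

    # Verify the drop really happened and cannot be undone by the child.
    my ($egid) = split ' ', $);
    die "gid change failed\n" unless $( == $gid && $egid == $gid;
    die "uid change failed\n" unless $< == $uid && $> == $uid;
    die "still able to regain root\n" if $< == 0 || $> == 0;
    die "taint checks were switched on during the drop\n" if ${^TAINT};
    return ids_differ() ? 0 : 1;
}

# Minimal pre-fork loop: the parent stays root, each child drops privileges.
my $children = 3;                            # assumed pool size
my @pids;
for (1 .. $children) {
    my $pid = fork;
    die "fork: $!\n" unless defined $pid;
    if ($pid == 0) {
        drop_privileges($uid, $gid) or die "privilege drop incomplete\n";
        # ... child accepts and serves connections as $WORK_USER here ...
        _exit(0);
    }
    push @pids, $pid;
}
waitpid $_, 0 for @pids;
```

Setting only `$>` avoids the taint message but is a weak drop: with the real UID still 0 the child can set its effective UID back to root. Setting both, in the order above, closes that path and keeps perl from treating the process as a setuid script.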

Re: Insecure dependency in connect while running with -T switch
by martin (Friar) on Mar 10, 2006 at 13:26 UTC
    As dave_the_m pointed out, there are situations in which taint checks are automatically turned on.

    If you really must run without taint checks you can use the -U switch in the shebang line. However, these checks are a good help in most cases and a daemon like yours should probably turn them on explicitly.

    The error message you are getting reports a probably insecure use of tainted data, i.e. data passed from the outside into your program that has not been checked to be valid. Neglecting such checks may enable users to trick your program into performing actions you did not intend. This is especially dangerous in programs running with other privileges than the user who called them, which is why taint checks are turned on by default in setuid situations. See perlsec.

    Update: Technically, the -U switch does not actually turn taint checks off. Rather, it allows unsafe operations. You will still get taint warnings if you have turned on warnings.
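As an added example rather than anything from the thread, here is the other half of martin's advice: run with taint checks on and validate outside data before handing it to `connect`. Under `-T` the endpoint string taken from `@ARGV` is tainted; only the parts captured by an explicit pattern are allowed through. The pattern, the port range check and the fallback endpoint (`192.0.2.10:8080`, a documentation address) are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: validating outside data before a
# connect() while running with taint checks.
use strict;
use warnings;
use IO::Socket::INET;

# %ENV counts as outside data; trim it before anything might exec.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Accept only data matching an explicit shape. Returns (host, port) with the
# taint flag cleared, or an empty list if the input is rejected.
sub untaint_endpoint {
    my ($text) = @_;
    return unless defined $text;
    if ($text =~ /^\s*upstream\s*=\s*((?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9.-]{1,253}):(\d{1,5})\s*$/) {
        my ($host, $port) = ($1, $2);   # captures are untainted
        return if $port < 1 || $port > 65535;
        return ($host, $port);
    }
    return;                              # rejected, never "cleaned up"
}

# @ARGV is tainted under -T; the literal fallback is constructed.
my $line = defined $ARGV[0] ? $ARGV[0] : "upstream = 192.0.2.10:8080";

my ($host, $port) = untaint_endpoint($line)
    or die "refusing to connect: endpoint failed validation\n";

# With untainted $host and $port this connect no longer raises
# "Insecure dependency in connect while running with -T switch".
my $sock = IO::Socket::INET->new(
    PeerAddr => $host,
    PeerPort => $port,
    Proto    => 'tcp',
    Timeout  => 5,
) or die "connect to $host:$port failed: $@\n";
print "connected to ", $sock->peerhost, ":", $sock->peerport, "\n";
close $sock;
```

Invoke it as `perl -T script.pl 'upstream = host:port'`; perl refuses a script whose shebang has `-T` when the interpreter itself was started without it. Without the capture step, passing `$line` straight into `PeerAddr` reproduces the error from the original question.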