
It's the other way round. Set the real UID to the effective UID:

Either way, I still get exactly the same error. I find it odd that nothing affects this. I also added an if statement to print an error if setting the gid fails, and it doesn't.

You also didn't address the question on why it says "...while running with -T switch," even though I'm not. Actually, you said that because gid and egid are different, it's automatically turning it on. But, I intentionally have this option off. Shouldn't I be the one in control here? :-} So, why is it complaining?

Re^3: Insecure dependency in open
by shmem (Chancellor) on Jan 21, 2007 at 22:08 UTC
    In your OP you wrote
    I'm running a program that's sgid, and it has a command-line interpreter from which I can execute unix commands.

    Maybe you should set $UID = $EUID in that program?

    --shmem

    _($_=" "x(1<<5)."?\n".q·/)Oo.  G°\        /
                                  /\_¯/(q    /
    ----------------------------  \__(m.====·.(_("always off the crowd"))."·
    ");sub _{s./.($e="'Itrs `mnsgdq Gdbj O`qkdq")=~y/"-y/#-z/;$e.e && print}
      Maybe you should set $UID = $EUID in that program?

      I don't have control over that program. (And it's beside the point; the question is a perl-related question, and should be answered assuming the user has no control over that program.)

        I think perl does in fact switch to taintedness if the program starts with different uid and euid. So if you cannot set the uid from the other program, maybe you would want to do something like this:
        if ($UID != $EUID) { $UID=$EUID; exec($0, @ARGV); die $!; }
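
Added example, not code from any poster in this thread: a Perl script that reports whether taint mode is active through `${^TAINT}` (set by `-T` or automatically when the real and effective ids differ) and clears taint from a command-line path by capturing it through an allowlist regex before opening it for append. The function name `untaint_path` and the allowlist pattern are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example: inspect taint state and untaint a path before open().
use strict;
use warnings;
use English qw(-no_match_vars);    # $UID, $EUID, $GID, $EGID
use Scalar::Util qw(tainted);

# ${^TAINT} is read-only and non-zero when taint mode is on, whether it
# was requested with -T or enabled because perl started setuid/setgid.
# $GID and $EGID are space-separated lists; the first entry is the id.
printf "uid=%d euid=%d gid=%d egid=%d taint=%d\n",
    $UID, $EUID, (split ' ', $GID)[0], (split ' ', $EGID)[0], ${^TAINT};

# Return an untainted copy of $path when it matches a strict allowlist,
# otherwise return nothing. The pattern is an assumption: absolute path,
# each component starting with a word character, so ".." and hidden
# files are rejected along with shell metacharacters.
sub untaint_path {
    my ($path) = @_;
    return unless defined $path;
    return $1 if $path =~ m{\A((?:/[A-Za-z0-9_][A-Za-z0-9_.-]*)+)\z};
    return;
}

my $requested = shift @ARGV;
die "usage: $0 /absolute/path/to/file\n" unless defined $requested;

# Under taint mode everything in @ARGV is tainted.
printf "requested path tainted: %s\n", tainted($requested) ? 'yes' : 'no';

my $safe = untaint_path($requested)
    or die "refusing path that fails the allowlist: $requested\n";

# Opening a file for writing with a tainted name is what raises
# "Insecure dependency in open"; $safe came out of a regex capture,
# so it is no longer tainted.
open my $fh, '>>', $safe or die "open $safe: $!\n";
print {$fh} "appended while running with euid $EUID\n";
close $fh or die "close $safe: $!\n";
```

Run it as `perl -T script.pl /some/path` to see the tainted case without needing a setgid wrapper.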