in reply to shell redirect CGI failure

I'm very confused by the &. Is that supposed to be there?

Re^2: shell redirect CGI failure
by gryf (Novice) on Sep 11, 2007 at 16:10 UTC
    I've discovered that I'm actually bouncing into a Perl security issue. I got past the last problem by calling perl with -TUw, this way the script should run but error on tainted data. Here's the error:
        Running {/usr/bin/rsh case3 /usr/sbin/ping n0s30243.dnilab.cs.boeing.com 5 &|}
        [Tue Sep 11 09:01:13 2007] 7: Insecure dependency in piped open while running setgid at /dev/fd/7 line 195.
    I'm trying to make sure the data is untainted:
        #--------------------- untaint the shell command ------------------------------------------#
        # --- untaint the $nnm argument
        if ($nnm !~ /([a-z]+ms1.[nkth][sxev].(cs.)?boeing.com)/ && $nnm !~ /(^case3.*)/) {
            print h3("NNM tainted: $nnm\n");
            die;
        }
        $nnm = $1;

        # --- untaint the $command argument
        unless ($command =~ /^[\w\s.\-\/]+$/ ) ##/^([-\@\w.]+)$/) ### #=~ m#^([\w\.\-/]+)$#)
        {
            print h3("command tainted: $command");
            print li($1);
            print li($2);
            print li($3);
            print li("$4\n");
            die;
        }
        $command = $1;

        # --- untaint the $debug argument
        unless ($debug =~ m#^([\w\.\-/]+)$#) {
            die h3("debug tainted: $debug\n");
        }
        $debug = $1;
        #-----------------------------------------------------------------------------------------#

        open(RSH, $cmd ) || die "Failed to run {$cmd}: $!";
        while (<RSH>) {
            $result .= "$_\n";
            push( @lines, $_ );
        }
        close(RSH);

        if ( $debug ) {
            print hr;
            print br;
            print i("Result: {" . $result . "}");
        }
        print br( "Lines returned: (" . @lines . ")" );
        print Dumper( @lines );
        print br,"------------", p;
    I've also added logic that should secure the environment for perl:
        # redirect stderror to screen
        BEGIN {
            use CGI::Carp qw(carpout);
            carpout(\*STDOUT);
        }

        # Turn off output buffering
        $|=1;

        delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
        #delete $ENV{'PATH'},$ENV{'IFS'}, $ENV{'CDPATH'}, $ENV{'BASH_ENV'};
        $ENV{'PATH'} = '/usr/bin;/usr/sbin';

        # Set real UID to effective UID (dncms instead of oracle) so that rsh works
        $< = $>;

        # Verify script is setuid by checking that dncnms is executing
        my $uid = getpwnam('dncms');
        if ($< != $uid) {
            die "Error - $0 must be run as dncms $uid $<\n";
        }
    As for the '&', that's for the shell to run the command in the background and the '|' should return the result to the perl script.

      As for the '&', that's for the shell to run the command in the background

      Again, why? That shell is never going to run anything but rsh, so why run rsh "in the background"? At best, it does nothing. At worst, the shell exits before rsh does and you can't collect the info from rsh and the remote process.

      In fact, I think a shell won't even get loaded without the & because the command contains no shell meta characters. So at best, & slows down the program and hides the PID of rsh.
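
An added example, not code from any poster in this thread: one way to untaint the inputs by regex capture and run the command through a list-form piped open, so no local shell and no `&` are involved. The `untaint` and `build_cmd` helpers, the allow-list patterns, the sample host name and the `/bin/echo` dry-run stand-in are assumptions for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Taint mode needs a scrubbed environment and a colon-separated PATH
# made only of absolute directories.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/usr/sbin:/bin';

# Untaint by capture: Perl trusts only $1..$n from a successful match, so
# each pattern is anchored, has a capture group, and the value returned is
# taken from that same match (never a stale $1 from an earlier regex).
sub untaint {
    my ($name, $value, $re) = @_;
    defined($value) && $value =~ $re
        or die "rejected $name parameter\n";
    return $1;
}

# Build the argument list for a list-form piped open (hypothetical helper).
sub build_cmd {
    my (%in) = @_;
    my $nnm    = untaint(nnm    => $in{nnm},    qr/\A(case3[\w.-]*)\z/);
    my $target = untaint(target => $in{target},
                         qr/\A([A-Za-z0-9][A-Za-z0-9.-]{0,253})\z/);
    my $count  = untaint(count  => $in{count},  qr/\A(\d{1,3})\z/);
    # rsh hands the remote command to a shell on the far side, so the
    # allow-lists above must also exclude shell metacharacters.
    return ('/usr/bin/rsh', $nnm, '/usr/sbin/ping', $target, $count);
}

# Constructed sample input; @ARGV is tainted under -T, like CGI parameters.
my @cmd = build_cmd(
    nnm    => $ARGV[0] // 'case3',
    target => $ARGV[1] // 'host1.example.com',
    count  => $ARGV[2] // '5',
);

# Dry run: echo the command instead of contacting a host. Remove this line
# to run rsh itself.
unshift @cmd, '/bin/echo';

# List form: no local shell, no '&', and close() reports the exit status.
open(my $rsh, '-|', @cmd) or die "Failed to run {@cmd}: $!";
my @lines = <$rsh>;
close($rsh) or warn "command exited with status $?\n";
print "Lines returned: ", scalar(@lines), "\n", @lines;
```

Run it as `perl -T script.pl [nnm target count]`; any argument that fails its allow-list makes the script die before a process is started.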