in reply to Re: shell redirect CGI failure
in thread shell redirect CGI failure

I've discovered that I'm actually bouncing into a Perl security issue. I got past the last problem by calling perl with -TUw; this way the script should run but error on tainted data. Here's the error:
```
Running {/usr/bin/rsh case3 /usr/sbin/ping n0s30243.dnilab.cs.boeing.com 5 &|}
[Tue Sep 11 09:01:13 2007] 7: Insecure dependency in piped open while running setgid at /dev/fd/7 line 195.
```
I'm trying to make sure the data is untainted:
```perl
#--------------------- untaint the shell command -----------------------------------------#
# --- untaint the $nnm argument
if ($nnm !~ /([a-z]+ms1.[nkth][sxev].(cs.)?boeing.com)/ && $nnm !~ /(^case3.*)/) {
    print h3("NNM tainted: $nnm\n");
    die;
}
$nnm = $1;

# --- untaint the $command argument
unless ($command =~ /^[\w\s.\-\/]+$/ ) ##/^([-\@\w.]+)$/) ### #=~ m#^([\w\.\-/]+)$#)
{
    print h3("command tainted: $command");
    print li($1);
    print li($2);
    print li($3);
    print li("$4\n");
    die;
}
$command = $1;

# --- untaint the $debug argument
unless ($debug =~ m#^([\w\.\-/]+)$#) {
    die h3("debug tainted: $debug\n");
}
$debug = $1;
#-----------------------------------------------------------------------------------------#

open(RSH, $cmd ) || die "Failed to run {$cmd}: $!";
while (<RSH>) {
    $result .= "$_\n";
    push( @lines, $_ );
}
close(RSH);
if ( $debug ) {
    print hr;
    print br;
    print i("Result: {" . $result . "}");
}
print br( "Lines returned: (" . @lines . ")" );
print Dumper( @lines );
print br,"------------", p;
```
I've also added logic that should secure the environment for perl:
```perl
# redirect stderror to screen
BEGIN {
    use CGI::Carp qw(carpout);
    carpout(\*STDOUT);
}
# Turn off output buffering
$|=1;
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
#delete $ENV{'PATH'},$ENV{'IFS'}, $ENV{'CDPATH'}, $ENV{'BASH_ENV'};
$ENV{'PATH'} = '/usr/bin;/usr/sbin';
# Set real UID to effective UID (dncms instead of oracle) so that rsh works
$< = $>;
# Verify script is setuid by checking that dncnms is executing
my $uid = getpwnam('dncms');
if ($< != $uid) {
    die "Error - $0 must be run as dncms $uid $<\n";
}
```
As for the '&', that's for the shell to run the command in the background and the '|' should return the result to the perl script.

Re^3: shell redirect CGI failure
by ikegami (Patriarch) on Sep 11, 2007 at 16:19 UTC

    As for the '&', that's for the shell to run the command in the background

    Again, why? That shell is never going to run anything but rsh, so why run rsh "in the background"? At best, it does nothing. At worst, the shell exits before rsh does and you can't collect the info from rsh and the remote process.

    In fact, I think a shell won't even get loaded without the & because the command contains no shell meta characters. So at best, & slows down the program and hides the PID of rsh.
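
An added example, not code from either post: under -T a value is untainted only by taking a capture from a match that succeeded, and the command has to be built from those untainted values, here as a list passed to a piped open so that no shell and no `&` is involved. The `untaint` helper, the patterns, the sample values and `/bin/echo` (standing in for `/usr/bin/rsh` so the script runs anywhere) are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
# Added example; run as: perl -T untaint_demo.pl [nnm] [target] [count]
use strict;
use warnings;

# Piped opens under -T also require a trusted environment.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/usr/bin:/usr/sbin';    # ':' separates directories on Unix

# Hypothetical helper: return the captured (untainted) text or die.
# Only a capture from a *successful* match removes taint; after a failed
# match $1 still holds whatever an earlier match left there.
sub untaint {
    my ($name, $value, $re) = @_;
    defined $value && $value =~ $re
        or die "rejected $name\n";    # do not echo the rejected input
    return $1;
}

# Constructed sample defaults; values taken from @ARGV are tainted under -T,
# just as CGI parameters are.
my ($nnm_in, $target_in, $count_in) =
    @ARGV ? @ARGV : ('case3', 'host1.example.com', '5');

# Anchored patterns with exactly one capture group each (assumed formats).
my $nnm    = untaint(nnm    => $nnm_in,    qr/\A(case3[\w.-]*)\z/);
my $target = untaint(target => $target_in, qr/\A([A-Za-z0-9][A-Za-z0-9.-]*)\z/);
my $count  = untaint(count  => $count_in,  qr/\A(\d{1,3})\z/);

# Build the command only AFTER untainting, from the untainted copies.
# /bin/echo stands in for /usr/bin/rsh in this example.
my @cmd = ('/bin/echo', $nnm, '/usr/sbin/ping', $target, $count);

# List-form piped open: the program is executed directly, so there are no
# shell metacharacters to worry about and nothing to put in the background.
open(my $rsh, '-|', @cmd) or die "Failed to run {@cmd}: $!";
my @lines = <$rsh>;
close($rsh) or warn "command exited with status $?\n";

print "Lines returned: ", scalar(@lines), "\n", @lines;
```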