whollycow has asked for the wisdom of the Perl Monks concerning the following question:

I've written a script to convert some data files into a new format but when I run the script it tells me "Setuid/gid script is writable by world". I've tried to eliminate taint but I'm still getting the problem. Where am I missing the taint in my code? 
#! /usr/bin/perl
use File::Copy;

################################################
#                                              #
# program to convert old pdb files to a usable #
# format.                                      #
#                                              #
################################################

foreach my $pdb (@ARGV) {
    if ($pdb =~ /(.+?).pdb$/ && -e $pdb) {
        $pdb = $1;
#        $pdb = substr($pdb, 0, -4);
        open(IN, "<$pdb.pdb");
        open(OUT, ">$pdb.tmp");
        while(<IN>) {
            if ($_ =~ /^\S+\s+\d+\s+(\D)/) {
                my $line = $_;
                chomp($line);
                print OUT "$line           $1\n";
            }
            else {
                print OUT $_;
            }
        }
        close(IN);
        close(OUT);
        move("$pdb.pdb", "$pdb.pdb.old");
        move("$pdb.tmp", "$pdb.pdb");
        print "converted $pdb.pdb. the old file has been saved as $pdb
+.pdb.old\n";
    }
    elsif (! -e $pdb) {
        print "file $pdb does not appear to exist\n";
    }
    else {
        print "file $pdb is not a .pdb file or there was an unknown er
+ror\n";
    }
}

[download]

Replies are listed 'Best First'.
Re: Need help getting rid of taint
by graff (Chancellor) on May 14, 2009 at 03:00 UTC
    Setuid/gid script is writable by world

    If you do "ls -l path/name_of_your_script", you will probably see something like this at the beginning of the line of output from "ls": 

    rwxrwxrwx ...

    [download]
    The error message is telling you that the ability to modify or rewrite the content of your script is available to everyone who has a login account on your particular host (or network, if the "path/" to your script happens to be on a network-accessible disk volume).

    That's a major no-no for any process that involves setuid. Use "chmod" to limit write access to owner-only (not group and not other).

    While you're at it, you should limit write permission on the directory that contains the script file in question -- even when the file itself is "rwxr-xr-x", having group and/or other write permission on the directory it's in allows anyone to delete or rename the file, and thereafter, put in some other file with the same name. (I don't know whether taint checking complains about permissions on the directory -- in any case, you should be concerned about that.)

[reply]
[d/l]
      OK. I understand the permission problem, but unfortunately I'm running this script on a cifs-mounted server share and the client doesn't pick up permissions properly. That is, my machine thinks the file has world read/write even though the server only allows r/w to the owner.

      So I guess my question ultimately is can I tell perl to ignore the ownership and just run the damn thing?
[reply]

        Copy it elsewhere, fix the permission bits, run it. Otherwise perl won't let you, and for good. But you should really get that broken client/server setup fixed.

[reply]
Re: Need help getting rid of taint
by JavaFan (Canon) on May 13, 2009 at 22:44 UTC
    Where am I missing the taint in my code?
    Taint is enabled if your program is setuid or setgid.

    And Perl is saving your ass by refusing to run a setuid/setgid program anyone may have modified.

[reply]
      So, I guess I'm not sure I understand setuid. The script had worked just fine until Centos updated to 5.3 and now it has stopped working. From what I've gleaned online, you can still run a setuid script if you clean any outside information (in my case, the arguments passed with the script). That's what I thought I had done but apparently that's not all there is to it. What else needs to be done?
[reply]
        What else needs to be done?
        What part of Setuid/gid script is writable by world is unclear to you? And what part of the explaination in man perldiag do you not understand?
[reply]
Re: Need help getting rid of taint
by Anonymous Monk on May 14, 2009 at 04:52 UTC
[reply]

Back to Seekers of Perl Wisdom