Insecure dependency in chmod while running setuid

ak4good has asked for the wisdom of the Perl Monks concerning the following question:

Hello,

Total beginner here. I need a cgi script to run as root to recursively change file permissions. I slapped something together from examples, but Apache complains:

Insecure dependency in chmod while running setuid at /var/www/cgi-bin/
+set-perms.pl line 13., referer: https://example.com/cgi-bin/
[download]

This is the script:

#!/usr/bin/perl -wT

BEGIN {
  $ENV{PATH} = "";
}

use strict;
use File::Find;
$|++;

my $baseDir  = "/var/www/test/";
my $modeFile = oct(664);
my $modeDir  = oct(2775);

sub setperms {
  chmod($modeFile, $_) if(-f $_);  <------/line 13/
  chmod($modeDir, $_)  if(-d $_);
  chown(-1, 1005, $_);
}

find(\&setperms, "$baseDir");
[download]

Please help... :(

Comment on Insecure dependency in chmod while running setuid Select or Download Code

Replies are listed 'Best First'.
Re: Insecure dependency in chmod while running setuid by Corion (Patriarch) on Jun 12, 2009 at 08:25 UTC
I think the results you get from File::Find are tainted. This is good as you don't want to have unexpected filenames and don't want to change them to (even) 664. Also, operating on `$_` works, but I prefer operating on `$File::Find::name`, as having absolute filenames is much better in error messages. I would look at perlsec and do something like the following: `sub setperms { my $fn = $File::Find::name; my $untained_fn; my $mode; if ($fn =~ m!^(\Q$baseDir\E([/\w.]+)\z!) { $untainted_fn = $1; $mode = 0664; } else { $fn =~ m!^(.*)$!; $untainted_fn = $1; $mode = 0000; warn "File name '$untainted_fn' does not match criteria, setti +ng mode to 0."; }; chmod($untained_fn,$mode) or die "Couldn't change '$untainted_fn' +to $mode: $!"; };` [download] Also, you should really, really consider whether you want to have any script that runs as `root` accessible from the outside of your computer. I recommend having that script run from a cron job and having as the CGI program a program that just appends filenames to a list.	[reply] [d/l] [select]
Re^2: Insecure dependency in chmod while running setuid by afoken (Chancellor) on Jun 12, 2009 at 09:06 UTC
File::Find has `untaint`, `untaint_pattern`, and `untaint_skip` options for this purpose. Alexander -- Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)	[reply] [d/l] [select]
Re^2: Insecure dependency in chmod while running setuid by ak4good (Initiate) on Jun 13, 2009 at 04:18 UTC
Yes, I really, really didn't like the idea of running a CGI script as root. What I decided to do in the end was to just give users sudo rights to run the permission fixing shell script. I think that's good enough. No complaints so far. :P	[reply]
Re: Insecure dependency in chmod while running setuid by JavaFan (Canon) on Jun 12, 2009 at 09:47 UTC
Why bother with Perl? Something like: `#!/usr/bin/sh TOPDIR="/var/www/test" find $TOPDIR -type f -print0 \| xargs -0 chmod 664 find $TOPDIR -type d -print0 \| xargs -0 chmod 2775 chown -R -1:1005 $TOPDIR` [download] ought to do the trick.	[reply] [d/l]
Re: Insecure dependency in chmod while running setuid by tweetiepooh (Hermit) on Jun 12, 2009 at 11:08 UTC
On a tangental note. Don't you use privilege separation on your Apache? On my Apache 2.2 although root starts Apache (needed for port 80) it spawns processes under a non root account and that account then is the owner of Perl scripts that are executed.	[reply]
Re^2: Insecure dependency in chmod while running setuid by ak4good (Initiate) on Jun 13, 2009 at 04:11 UTC
Yes, Apache on my machine executes cgi scripts as the Apache user, hence the need for setuid to do stuff that the Apache user doesn't have permissions for.	[reply]