EvanK has asked for the wisdom of the Perl Monks concerning the following question:

I'm attempting to optimize some legacy Perl scripts written by a predecessor at my current job, and I'm getting some strange errors.
 
The script in question uses umask initially, and then executes a system command:
    umask(0002);
    # ...lots of irrelevant code...
    $val = `env VAR="blah" dbsearch`;
That command basically sets some environment vars (VAR, in the example) and then runs an executable (dbsearch, a home-made C program for a proprietary database).
 
When I run this script from the command line (as root) it runs fine, but when I run it through Apache, it dies with "Insecure dependency in `` while running setuid at script.pl line 40".
 
I'm at a loss because I know next to nothing about setuid scripts (never had to use them), and would appreciate any help!

__________
Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.
- Terry Pratchett

Re: setuid - insecure dependancy with backticked cmd?
by thor (Priest) on Apr 22, 2006 at 20:08 UTC
    To quote perldiag:
    Insecure dependency in %s
               (F) You tried to do something that the tainting mechanism didn’t like.  The tainting
               mechanism is turned on when you’re running setuid or setgid, or when you specify -T to
               turn it on explicitly.  The tainting mechanism labels all data that’s derived directly
               or indirectly from the user, who is considered to be unworthy of your trust.  If any
               such data is used in a "dangerous" operation, you get this error.  See perlsec for more
               information.
    I don't do a lot with tainting, but if memory serves, you have to explicitly set stuff like $ENV{PATH} to make sure that someone didn't sneak a directory in there that has a command in there called "env" that launches nukes or something. perlsec is recommended reading.

    thor

    The only easy day was yesterday

Re: setuid - insecure dependancy with backticked cmd?
by derby (Abbot) on Apr 22, 2006 at 20:03 UTC

    What makes you believe the script is setuid? The umask is not affecting that at all. Your script is running in taint mode and your command and environment have not been properly de-tainted. Check out perlsec for details.

    -derby
      I assumed the script is setuid because it's giving a setuid error. I didn't realize it was running in taint mode!
       
      I'm not familiar with this runtime enviro, the previous sysadmin left on...less than friendly terms, so I'm having to pick up the pieces, heh. Thanks!

      __________
      Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.
      - Terry Pratchett

        Oops ... so sorry ... I missed the whole setuid portion of that error message. Really doesn't matter though, the problem is with tainted data being used.

        -derby
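
An added example (not code from any poster in this thread) of the de-tainting that the replies point to via perlsec: a fixed $ENV{PATH}, shell-affecting variables removed, the value validated by regex capture, and the program run by absolute path instead of through `env` in backticks. The dbsearch path is a placeholder, untaint_value and run_dbsearch are hypothetical helper names, and the allow-list pattern is an assumption about what VAR may contain.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Placeholder: absolute path to the real dbsearch binary (not given in the thread).
my $DBSEARCH = '/path/to/dbsearch';

# Taint mode refuses to run external commands until PATH is a known value.
# Also drop the variables that change how a shell interprets a command.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint a value the only way Perl allows: match it against an allow-list
# pattern and keep the captured text. The pattern here is an assumption.
sub untaint_value {
    my ($raw) = @_;
    return $1 if defined $raw && $raw =~ /\A([A-Za-z0-9_.-]{1,64})\z/;
    die "refusing unexpected value for VAR\n";
}

# Run dbsearch with VAR set in its environment and return its output.
# $DBSEARCH is a constant with no shell metacharacters, so no shell is involved
# and no user data is ever interpolated into a command string.
sub run_dbsearch {
    my ($value) = @_;
    local $ENV{VAR} = untaint_value($value);   # replaces: env VAR="..." dbsearch
    open(my $out, '-|', $DBSEARCH) or die "cannot run $DBSEARCH: $!\n";
    local $/;                                   # slurp all output at once
    my $val = <$out>;
    close($out) or die "dbsearch failed: " . ($! || "exit status $?") . "\n";
    return $val;
}

# Constructed sample input: the first command-line argument is tainted under -T;
# 'blah' is the constant from the original post.
my $val = run_dbsearch(defined $ARGV[0] ? $ARGV[0] : 'blah');
print $val;
```

Under Apache, the directories listed in $ENV{PATH} must be absolute and not writable by users other than their owner and group, or Perl will still reject the command.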