
Dave Ardrey 06-30-2003 02:06 PM

Messing with UID's and GID's
 
I am trying to write a program that will write to a log file every
time it is called. However, I don't want everyone to have write
access to the log file, so I made the log file have the same owner as
the script and set the permissions on the script to 6755 (setting the
uid and gid bits).

The problem is that when the permissions are set and I'm running as a
different user, it doesn't like doing system calls (gives me an error).
So I set the effective uid and gid to be the real uid and gid until I
need them to be different but now when I try and do a system call I
get this error:

Insecure $ENV{PATH} while running with -T switch at /dev/fd/3 line 102.


Any ideas what can be done about this? I know it's probably just as
much of a UNIX question as a perl one. I hope that's ok.

Thanks for your help.

Greg Bacon 06-30-2003 02:52 PM

Re: Messing with UID's and GID's
 
In article <20de6cd6.0306300606.597f9dd9@posting.google.com>,
Dave Ardrey <dew814@aol.com> wrote:

: [...]
:
: The problem is that when the permissions are set and I'm running as a
: different user, it doesn't like doing system calls (gives me an error).
: So I set the effective uid and gid to be the real uid and gid until I
: need them to be different but now when I try and do a system call I
: get this error:
:
: Insecure $ENV{PATH} while running with -T switch at /dev/fd/3 line 102.

Right. When perl sees that it's running setuid, it goes into taint
mode. See the perlsec manpage for the full details.

The quick fix is to follow this advice from the perlrun manpage:

    $ENV{PATH} = '/bin:/usr/bin'; # or whatever you need
    $ENV{SHELL} = '/bin/sh' if exists $ENV{SHELL};
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

I *strongly* encourage you to read the perlsec manpage if you're
planning to write and run setuid Perl programs.

: Any ideas what can be done about this? I know it's probably just as
: much of a UNIX question as a perl one. I hope that's ok.

Why not follow the syslog model, i.e., have another program listen
at some rendezvous point such as a named pipe or socket (either Unix
or network domain) for log entries? That way, you don't have to bother
with setuid games: the logging process would run as the owner of the
log file.

Greg
--
WARNING: Do NOT calculate Pi in binary. It is conjectured that this number
is normal, meaning that it contains ALL finite bit strings. [...] Some of
the files on my PC are intensely personal, and I for one don't want you
snooping through a copy of them. -- Keith F. Lynch in comp.risks
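
The syslog model suggested in the reply above, as an added example that is not code from the thread: a logger that owns the log file receives entries on a Unix datagram socket, so the calling script needs no setuid bit. The socket and log paths, the sub names and the sample entry are assumptions made for this demo, and one process plays both sides via fork.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Paths and sub names are assumptions.
use strict;
use warnings;
use Socket qw(SOCK_DGRAM);
use IO::Socket::UNIX;
use File::Temp qw(tempdir);
use POSIX qw(strftime _exit);

umask 077;                                # log file is created 0600
my $dir  = tempdir(CLEANUP => 1);         # demo only; a real logger uses fixed paths
my $sock = "$dir/applog.sock";            # rendezvous point
my $log  = "$dir/app.log";                # writable only by the logger's user

# Logger: runs as the log owner, so nothing needs the setuid bit.
my $server = IO::Socket::UNIX->new(Type => SOCK_DGRAM, Local => $sock)
    or die "bind $sock: $!";
chmod 0666, $sock or die "chmod $sock: $!";   # any local user may send

sub write_entry {
    my ($fh, $msg) = @_;
    $msg = substr($msg, 0, 512);          # bound the entry size
    $msg =~ s/[^\x20-\x7e]/?/g;           # untrusted input: no newlines or control bytes
    print {$fh} strftime('%Y-%m-%d %H:%M:%S', localtime), " $msg\n";
}

# Client: what the formerly setuid script does instead of opening the log.
sub send_entry {
    my ($path, $msg) = @_;
    my $c = IO::Socket::UNIX->new(Type => SOCK_DGRAM, Peer => $path)
        or die "connect $path: $!";
    defined $c->send($msg) or die "send: $!";
}

my $pid = fork();
die "fork: $!" unless defined $pid;
if ($pid == 0) {                          # child stands in for the caller
    send_entry($sock, sprintf("started by uid %d\nforged second line", $<));  # constructed
    _exit(0);
}
waitpid($pid, 0);
die "client failed\n" if $?;

my $buf = '';
defined $server->recv($buf, 4096) or die "recv: $!";
open my $fh, '>>', $log or die "open $log: $!";
write_entry($fh, $buf);
close $fh or die "close $log: $!";
open my $in, '<', $log or die "open $log: $!";
print <$in>;                              # show what reached the log
```

Because every datagram comes from an untrusted local user, the logger caps its length and replaces non-printable bytes before writing, so a sender cannot forge extra log lines. In a real deployment the socket lives in a directory other users can traverse; the temporary directory here is private to the demo.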

