setuid script "insecure dependency..." error

 
 
ct, 02-22-2006

Hi,

I am using a setuid script. Inside the script I need to get a path
from a user defined environment variable and then append the executable
to that path and then issue the system command to execute it.

I won't know the path beforehand so I cannot use a regular expression to
"untaint" it.

Any advice regarding how to get around it?

Thanks,
CT

 
Randal L. Schwartz, 02-22-2006

>>>>> "ct" == ct <(E-Mail Removed)> writes:

ct> I am using a setuid script. Inside the script I need to get a path
ct> from a user defined environment variable and then append the executable
ct> to that path and then issue the system command to execute it.

ct> I won't know the path beforehand so I cannot use a regular expression to
ct> "untaint" it.

So, you're letting me give you an arbitrary path to an executable, and then
you're running it as the setuid user?

Are you nuts?

This error is doing precisely what it should do... preventing you from being
harmed.

ct> Any advice regarding how to get around it?

Get a book on computer security. Learn why this is a nutty thing to do.

print "Just another Perl hacker,"; # the original

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<(E-Mail Removed)> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
 
Eric Schwartz, 02-22-2006

"ct" <(E-Mail Removed)> writes:
> I am using a setuid script. Inside the script I need to get a path
> from a user defined environment variable and then append the executable
> to that path and then issue the system command to execute it.
>
> I won't know the path beforehand so I cannot use a regular expression to
> "untaint" it.
>
> Any advice regarding how to get around it?


You're running a program setuid that invokes another program you have
no control over? Sounds like perl is warning you of exactly the
problem you have. I'm assuming (perhaps unwisely) that you have some
way of determining if a program is safe to be invoked by your script--
If so, then you should consider requiring they be installed in a known
location by a system administrator.

If you're just running a random program setuid, then you might as well
just untaint the path with /./, because you're throwing away any benefit
that tainting is giving you in the first place.

-=Eric
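
The "known location" approach suggested in the reply above, sketched as an added example that is not part of the original thread: the caller supplies only a program name, which is untainted by a strict pattern and an allowlist, and the directory is fixed by the administrator. The variable TOOL_NAME, the directory /usr/local/libexec/mytool and the program names are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread. TOOL_NAME, $TRUSTED_DIR and the
# names in %ALLOWED are hypothetical.
use strict;
use warnings;

# Fixed directory that only the administrator can write to (assumed path).
my $TRUSTED_DIR = '/usr/local/libexec/mytool';
# Programs the administrator has approved (hypothetical names).
my %ALLOWED = map { $_ => 1 } qw(report rotate-logs);

# Return the full path for an approved program name, or undef.
sub resolve_tool {
    my ($name) = @_;
    return undef unless defined $name;
    # A regex capture is what untaints; accept a bare file name only:
    # no slashes, no "..", no leading dash or dot.
    my ($clean) = $name =~ /\A([A-Za-z0-9][A-Za-z0-9_-]{0,63})\z/
        or return undef;
    return undef unless $ALLOWED{$clean};
    my $path = "$TRUSTED_DIR/$clean";
    # lstat so a symlink is rejected; require a root-owned regular file
    # that is not writable by group or other.
    my @st = lstat $path or return undef;
    return undef unless -f _ && $st[4] == 0 && !($st[2] & 022);
    return $path;
}

# Run an approved program and return the raw status from system().
sub run_tool {
    my ($name) = @_;
    my $path = resolve_tool($name)
        or die "refusing to run requested program\n";
    # Taint mode also refuses to run a child with an untrusted environment.
    $ENV{PATH} = '/usr/bin:/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    # Indirect-object form: the program is executed directly, never via a shell.
    return system { $path } $path;
}

unless (caller) {
    # The user chooses a name from the approved set, never a directory.
    my $status = run_tool($ENV{TOOL_NAME});
    exit($status == -1 ? 127 : $status >> 8);
}
```

The pattern here does real filtering, unlike the `/./` untaint mentioned above: a value containing a slash, or a name that is not in the allowlist, is rejected before anything is executed.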
 