Setuid Scripts...avoiding warnings 

OK...I am grateful that Perl wished to protect me from doing unsecure setuid
things, but what if I want to do them anyway???  

Here's the story.  I am working on writing a perl script that needs to run
a base-64 encrypted string (from a WWW browser) through a C program which
decodes the string and returns the username and password contained within
in the format

username
passwd

Here is the hunk-o-script I have written to do this...

$tempUser = $ENV{"HTTP_AUTHORIZATION"};
open(DECODE64, "/usr/local/bin/decode64 \"$tempUser\"|");
$authUser = <DECODE64>;
chop $authUser;
$passwd = <DECODE64>;

This script is setuid root.  When I try to run this (on a Sparc 20 running
Solaris 2.4), I get the message

Insecure $ENV{PATH} while running setuid at /dev/fd/3 line 54.

Is there a way to convince Perl that I really do want to do this
regardless of the security issues?  For that matter, is there a way to do
this without the security hole (are there any libraries about to do base64
decoding?).

Any help would be greatly appreciated.

John

BTW...I'm using Perl 5.001l

--
---------------------------------------------------------------------
|John M. Sully                      | Freiberger Library Room 305   |
|Library Information Technologies   | phone: (216)368-8989          |
|Case Western Reserve University    | fax: (216)368-8720            |
|      WWW Homepage: http://www.*-*-*.com/ ;       |
---------------------------------------------------------------------



Mon, 24 Nov 1997 03:00:00 GMT  

] This script is setuid root.  When I try to run this (on a Sparc 20 running
] Solaris 2.4), I get the message
]
] Insecure $ENV{PATH} while running setuid at /dev/fd/3 line 54.

Do this-

set $ENV{PATH} explicitly in your script
make sure '.' is not in your path.

] Is there a way to convince Perl that I really do want to do this
] regardless of the security issues?  For that matter, is there a way to do
] this without the security hole?

In general, what taintperl complains about really _are_ security holes!
(but yes, it is annoying)

-yary



Mon, 01 Dec 1997 03:00:00 GMT  
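
The two points raised in this thread, setting $ENV{PATH} explicitly and decoding Base64 without the external program, combined in an added example that is not code from either poster. It assumes the header has the standard "Basic <base64 of user:password>" form and a Perl that ships MIME::Base64; parse_basic_auth and the sample headers are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread.
# Run as ./script or `perl -T script`; setuid scripts get taint mode anyway.
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);

# Taint mode refuses to run external commands with an inherited PATH.
# Set a fixed one (no '.') and drop the other variables a shell honours.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: returns (user, password), or an empty list if the
# header is malformed. Assumes "Basic <base64 of user:password>".
sub parse_basic_auth {
    my ($header) = @_;
    return unless defined $header;

    # Accept only the Base64 alphabet; the capture is also what untaints it.
    my ($b64) = $header =~ m{\A\s*Basic\s+([A-Za-z0-9+/]+={0,2})\s*\z}i
        or return;
    return if length($b64) % 4;          # not a whole number of 4-char groups

    # Decoding happens in-process: no shell and no child process involved.
    my $decoded = decode_base64($b64);

    # Split on the first colon only: the password may contain colons.
    my ($user, $pass) = split /:/, $decoded, 2;
    return unless defined $pass && length $user;

    # Reject control characters (newlines, NULs) in the user name.
    return if $user =~ /[\x00-\x1f\x7f]/;
    return ($user, $pass);
}

# Constructed sample inputs; a CGI script would pass $ENV{HTTP_AUTHORIZATION}.
my @samples = (
    'Basic amRvZTpzM2NyZXQ6eA==',   # "jdoe:s3cret:x": accepted
    'Basic not"base64;text',        # outside the Base64 alphabet: rejected
    'Basic amRvZQ==',               # "jdoe", no colon: rejected
);
for my $h (@samples) {
    my ($user, $pass) = parse_basic_auth($h);
    if (defined $user) {
        print "ok: user=$user password-length=", length($pass), "\n";
    } else {
        print "rejected: $h\n";
    }
}
```

The decoded user name and password are still tainted, so any later use of them in a command, file name or similar needs its own validation.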
 