HERE documents and setuid programs 

> Dear All,

> I wonder if you can help me ... I am trying to run a perl script which
> calls the system command rwall which in turn uses the concept of HERE
> documents as its input.  Also the perl script is a setuid so it has to
> avoid taintness.  In my program I have tried something like:

> # This is not tainted but rwall thinks that <<-END is another machine

> # This is tainted .. gives Insecure dependency

You have at least two problems:  How to call the rwall program, and
how to make it taint-safe.  Don't try to solve both at once; first
get the call right and worry about the setuid problem later.

First of all, are you sure you want to call the program via exec?
A call to exec is always the last thing your program does: exec doesn't
return to the calling program.  If you don't want that, you need
system() instead.

Further, you seem to assume that Perl's here-document feature provides
input (via stdin) to an external program.  Not so.  In Perl, a here-
document is just a way to provide a string.  What happens to the string
is the responsibility of the programmer.  I won't go into details of
here-documents because it isn't the right tool for the purpose.

The standard way in Perl to provide input to an external program is
via open():

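    # $host is a placeholder for the machine to notify
    open(RWALL, '|-', '/usr/bin/rwall', $host) or die "Cannot start rwall: $!";
    print RWALL "This is a warning\n";
    close RWALL or die "Error running rwall";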


Sun, 16 May 2004 12:08:34 GMT  

>which calls the system command rwall which in turn uses the concept of
>HERE documents as its input.

No, it does not.

The rwall command uses the concept of reading from STDIN until EOF.

The examples of how to run rwall from the shell may show how to use the
shell's concept of HERE documents when writing a shell script, but
that's not the only way of providing STDIN to a program.

For instance,
        head /etc/motd | rwall remote_host      # Using Unix shell
        $msg = "A multi-line\n message\n";

          open RW,"|/usr/bin/rwall $_" and print RW $msg and close RW;

See for PDP-10 and "ReBoot" pages.

Mon, 17 May 2004 11:34:12 GMT  
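
One way to make the pipe call from the replies taint-safe in a setuid script, as an added example that is not part of either post: the host name is validated and untainted with a regular expression, the environment is pinned, and the list form of open() runs /usr/bin/rwall without a shell. The names clean_host and send_wall, the host-name pattern and the sample inputs are assumptions made for this illustration.

```perl
#!/usr/bin/perl -T
# Added example. Taint mode is on automatically for a setuid script;
# otherwise start it as: perl -T thisfile [host] < message
use strict;
use warnings;

# A tainted inherited PATH makes every exec die with "Insecure $ENV{PATH}",
# so pin the environment before starting any child.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $RWALL = '/usr/bin/rwall';    # path as written in the thread

# Return an untainted copy of $raw if it is a plain host name, else nothing.
# The first character must be alphanumeric, so the value can never be
# read as a command-line option.
sub clean_host {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9][A-Za-z0-9.-]{0,252})\z/;
    return;
}

# Feed $msg to rwall's STDIN. The list form of open() execs the program
# directly; no shell parses $host.
sub send_wall {
    my ($host, $msg) = @_;
    local $SIG{PIPE} = 'IGNORE';    # report a dead child through close()
    open(my $rw, '|-', $RWALL, $host) or die "cannot start $RWALL: $!\n";
    print {$rw} $msg;
    close($rw) or die 'rwall failed: ' . ($! || "wait status $?") . "\n";
    return 1;
}

if (@ARGV) {
    # Real use: host from the command line (tainted), message from STDIN.
    my $host = clean_host($ARGV[0]);
    die "bad host name\n" unless defined $host;
    my $msg = do { local $/; <STDIN> } // '';
    send_wall($host, $msg);
}
else {
    # Constructed sample inputs, checked without running rwall.
    for my $raw ('host1.example.com', 'host1 | cat', '-x') {
        printf "%-20s %s\n", "'$raw'",
            defined clean_host($raw) ? 'accepted' : 'rejected';
    }
}
```

Run without arguments, it only exercises the validation and never starts rwall.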