setuid script "insecure dependency..." error

Discussion in 'Perl Misc' started by ct, Feb 22, 2006.

  1. ct

    ct Guest

    Hi,

    I am using a setuid script. Inside the script I need to get a path
    from a user defined environment variable and then append the executable
    to that path and then issue the system command to execute it.

    I won't know the path beforehand so I cannot use regular expression to
    "untaint" it.

    Any advice regarding how to get around it?

    Thanks,
    CT
     
    ct, Feb 22, 2006
    #1

  2. >>>>> "ct" == ct <> writes:

    ct> I am using a setuid script. Inside the script I need to get a path
    ct> from a user defined environment variable and then append the executable
    ct> to that path and then issue the system command to execute it.

    ct> I won't know the path beforehand so I cannot use regular expression to
    ct> "untaint" it.

    So, you're letting me give you an arbitrary path to an executable, and then
    you're running it as the setuid user?

    Are you nuts?

    This error is doing precisely what it should do... preventing you from being
    harmed.

    ct> Any advice regarding how to get around it?

    Get a book on computer security. Learn why this is a nutty thing to do.

    print "Just another Perl hacker,"; # the original

    --
    Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
    <> <URL:http://www.stonehenge.com/merlyn/>
    Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
    See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
     
    Randal L. Schwartz, Feb 22, 2006
    #2

  3. "ct" <> writes:
    > I am using a setuid script. Inside the script I need to get a path
    > from a user defined environment variable and then append the executable
    > to that path and then issue the system command to execute it.
    >
    > I won't know the path beforehand so I cannot use regular expression to
    > "untaint" it.
    >
    > Any advice regarding how to get around it?


    You're running a program setuid that invokes another program you have
    no control over? Sounds like perl is warning you of exactly the
    problem you have. I'm assuming (perhaps unwisely) that you have some
    way of determining if a program is safe to be invoked by your script--
    If so, then you should consider requiring they be installed in a known
    location by a system administrator.

    If you're just running a random program setuid, then you might as well
    just untaint the path with /./, because you're throwing away any benefit
    that tainting is giving you in the first place.

    -=Eric
     
    Eric Schwartz, Feb 22, 2006
    #3
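One way to act on Eric's suggestion, as an added example that is not code from the thread: the user picks a helper by name, not by path, and the script resolves that name inside an administrator-controlled directory, so the untainting regex only ever has to accept a bare file name. The directory `/usr/local/lib/myapp/helpers` and the variable `MYAPP_HELPER` are assumed for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: run a helper chosen by name only,
# resolved against an administrator-controlled directory, instead of
# untainting an arbitrary path taken from the environment.
use strict;
use warnings;
use Cwd qw(realpath);

# Assumed layout: the admin installs approved helpers here, owned by root
# and writable by nobody else. Hypothetical path for illustration.
my $HELPER_DIR = '/usr/local/lib/myapp/helpers';

# Taint mode refuses system() unless PATH is clean; fix it and drop the
# other variables the shell would honour.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Resolve a user-supplied helper name to an approved executable, or die.
sub resolve_helper {
    my ($name) = @_;
    # Accept only a bare file name from a tight character class. The
    # capture is what untaints; the pattern defines exactly what we allow.
    my ($safe) = ($name // '') =~ /\A([A-Za-z0-9][A-Za-z0-9_.-]{0,63})\z/
        or die "refusing helper name\n";
    # Follow symlinks and require the target to sit directly in HELPER_DIR.
    my $real = realpath("$HELPER_DIR/$safe") // die "no such helper: $safe\n";
    ($real) = $real =~ m{\A(\Q$HELPER_DIR\E/[^/]+)\z}
        or die "helper escapes the approved directory\n";
    # Ownership check: root-owned, not group- or world-writable, executable.
    my @st = stat($real) or die "cannot stat $real\n";
    $st[4] == 0         or die "helper not owned by root\n";
    ($st[2] & 022) == 0 or die "helper is group/world writable\n";
    -f $real && -x _    or die "helper is not an executable file\n";
    return $real;
}

# The user names the helper (e.g. "report") in MYAPP_HELPER. The value is
# tainted; resolve_helper() decides whether anything gets run at all.
my $helper = resolve_helper($ENV{MYAPP_HELPER});
# List form of system(): no shell, so no metacharacter interpretation.
system($helper, '--verbose') == 0
    or die "helper failed: $?\n";
```

If the helper must accept user-supplied arguments, untaint each one with its own narrow pattern and keep the list form of `system()`.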
