setuid script "insecure dependency..." error

C

ct

Hi,

I am using a setuid script. Inside the script I need to get a path
from a user defined environment variable and then append the executable
to that path and then issue the system command to execute it.

I won't know the path beforehand so I cannot use regular expression to
"untaint" it.

Any advise regarding how to get around it?

Thanks,
CT
 
R

Randal L. Schwartz

ct> I am using a setuid script. Inside the script I need to get a path
ct> from a user defined environment variable and then append the executable
ct> to that path and then issue the system command to execute it.

ct> I won't know the path beforehand so I cannot use regular expression to
ct> "untaint" it.

So, you're letting me give you a arbitrary path to an executable, and then
you're running it as the setuid user?

Are you nuts?

This error is doing precisely what it should do... preventing you from being
harmed.

ct> Any advise regarding how to get around it?

Get a book on computer security. Learn why this is a nutty thing to do.

print "Just another Perl hacker,"; # the original

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<[email protected]> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
*** Free account sponsored by SecureIX.com ***
*** Encrypt your Internet usage with a free VPN account from http://www.SecureIX.com ***
 
E

Eric Schwartz

ct said:
I am using a setuid script. Inside the script I need to get a path
from a user defined environment variable and then append the executable
to that path and then issue the system command to execute it.

I won't know the path beforehand so I cannot use regular expression to
"untaint" it.

Any advise regarding how to get around it?
Click to expand...

You're running a program setuid that invokes another program you have
no control over? Sounds like perl is warning you of exactly the
problem you have. I'm assuming (perhaps unwisely) that you have some
way of determining if a program is safe to be invoked by your script--
If so, then you should consider requiring they be installed in a known
location by a system administrator.

If you're just running a random program setuid, then you might as well
just untaint the path with /./, because you're throwing away any benefit
that tainting is giving you in the first place.

-=Eric
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Perl IPC::open use in a setuid program 2
Perl with setuid enabled 3
setuid script - require failing 0
Insecure operation 1
Help untaining the command. Insecure dependency in `` ... setuid 0
No -e allowed in setuid scripts? 3
Get await function in loop to finish before script ends 0
Insecure dependency in unlink while running with -T switch 3

Members online

Total: 46 (members: 3, guests: 43)
Robots: 338

Forum statistics

Threads
473,755
Messages
2,569,537
Members
45,022
Latest member
MaybelleMa

Latest Threads

Top