Perl CGI script running as root is unable to do rm, chmod and su

Wed, 16 Jul 2008 12:50:20 -0700 

Hi!
I'm trying make one script (script1) call another script (script2) and have the output from script2 returned. My initial problem was that script2 needs to be executed as root, so I've set the setuid and setgid bit on script1 (script2 unchanged): 

-rwsrwsrwx   1 root     bin          207 Jul 16 14:19 script1
-rwxrwxr-x   1 root     1060        5648 Jul 16 14:20 script2


However, when script2 is executed rm, su and chmod fails and 
/var/apache/logs/error_log shows:


rm: /tmp/script2.sql not removed: Permission denied
chmod: WARNING: can't change /tmp/status.pl.sql
su: Sorry



I suspect that Perl runs in taint mode and I've readup on it but I'm still 
unable to get this to work.


Any help would be highly appreciated.

Best Regards,
Jimisola




The files below slightly obfuscated for privacy reason (changed name of files 
and some variables).


script1:

#!/usr/bin/perl
##
print "Content-type: text/plain\n\n";
$ENV{PATH} = "/bin:/usr/bin";
print "USER: ", `whoami`;
print `script2`;



script2:

#!/bin/perl
$ENV{PATH} = "/bin:/usr/bin";
print "USER in script2: ", `whoami`;

$|=1;
$sql_file="/tmp/script2.sql";
$FLAG=0;
$i=0;
if (@ARGV !=0) {
        for ($j=0;$j<=$#ARGV;$j++) {
                &check_arg($ARGV[$j]);
                &usage if ((@cont > 1) || ($FLAG > 1));
        }
}
$user="user";
$passwd="password";

$msg_query=join(" or ",@msg_query);
$recip_query=join(" or ",@recip_query);
$state=join(",",@state);

system "/bin/rm $sql_file > /dev/null";

open (SQL,">$sql_file") || die "Could not open $sql_file\n";
print SQL "set linesize 200;\n";
print SQL "set pagesize 0;\n";
print SQL "colum recip_addr format a30;\n";
print SQL "colum status format a12;\n";
print SQL "colum msg_date format 99999999999999999999999999999999;\n";
print SQL "colum notif_time format 99999999999999999999999999999999;\n";

print SQL "select r.recip_addr , r.message_id, r.recipient_id, r.code, 
m.msg_date, r.notif_time, r.state, r.status \n";

print SQL "from recipient_tbl r, message_tbl m\n";
print SQL "where r.message_id=m.message_id\n";
print SQL "and state in ($state)\n" if ($state ne "");
if ($msg_query ne "") {
        print SQL "and ($msg_query)\n"
}
if ($recip_query ne "") {
        print SQL "and ($recip_query)\n"
}

print SQL "order by r.message_id;\n";
print SQL ";\n";
print SQL "exit;\n";
close(SQL);
system "chmod 755 $sql_file > /dev/null";



if (@cont == 0) {
        &query;
}
else {
        while (1) {
                &query;
                sleep $cont[0];
        }
}


sub query {

        open (OUTPUT, "su - oracle -cf 'source .profile; sqlplus $user/$passwd 
[EMAIL PROTECTED]'|") || die "Can open SQL\n";
print "Recipient Address (Recip_addr) Message_ID Recipient_ID Code   Msg_Date 
         NT State Status\n";
print "------------------------------ ---------- ------------ ------ 
------------------- -- ----- ----------\n";

$count=0;
while (<OUTPUT>) {
chop;
@col= split (/\s+/,$_);
next if (!((@col == 7) || (@col == 8)));
next if (($col[1] =~ /\D/) || ($col[2] =~ /\D/) || ($col[5] =~ /\D/) || ($_ eq 
""));
if ($col[4] == $col[5] ) {
        $NT="S";
} else {
        $NT="D";
}

$m_date=$col[4]/1000;
$unix_time=time();
($sec,$min,$hr,$day,$mon,$yr,$wday,$yday,$isdst)=localtime($m_date);
$year=$yr+1900;
$month=$mon+1;

printf ("%-30s %-10d %-12s %-6d %04d/%02d/%02d-%02d:%02d:%02d %-2s %5d 
%-10s\n",$col[0],$col[1],$col[2],$col[3], $year,$month,$day, 
$hr,$min,$sec,$NT,$col[6],$col[7]);

$count++;
}
print "\nNo. of matching rows   : $count\n";
$q_date=`date '+20%y/%m/%d-%H:%M:%S'`;
print "Query Date             : $q_date";

print 
"=====================================================================================================\n\n";

}



sub check_arg {
        local ($arg)[EMAIL PROTECTED];
        local (@arg,@val);
        &usage if ($arg !~ /\=/ );
        @arg=split (/=/,$arg);

        &usage if (($arg[1] eq "") || !(($arg[0] eq "state") || ($arg[0] eq 
"msg") || ($arg[0] eq "cont") || ($arg[0] eq "recip")));

        @val=split(/,/,$arg[1]);
        if ($arg[0] eq "msg") {
                foreach $x (@val) {
                        push (@msg_query, "r.message_id like '%$x%'");
                }
                $msg_query=join(" or ",@msg_query);
                $FLAG++;
        }
        if ($arg[0] eq "recip") {
                foreach $x (@val) {
                        push (@recip_query, "recip_addr like '%$x%'");
                }
                $recip_query=join(" or ",@recip_query);
                $FLAG++;
        }
        if ($arg[0] eq "state") {
                foreach $x (@val) {
                        push (@state, "$x");
                }
                $FLAG++;
        }
        if ($arg[0] eq "cont") {
                foreach $x (@val) {
                        push (@cont, "$x");
                }
        }
        &usage if ((@cont > 1) || ((@msg_query >= 1) && (@recip_query >=1)));
        &usage if ((@cont == 1) && ($cont[0] <= 0));
}


sub usage {
...
}


--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
http://learn.perl.org/
























					Reply via email to