On 28 April 2010 09:45, David Lee <david....@ecmwf.int> wrote:
> Briefly:

Hi,

Unfortunately I can't offer you any inspired way to open that port.


> I have tried to put as much as reasonably possible of the application into
> local CPAN-like modules, with just the initial C wrapper and small perl
> script outside that framework.  So that is:
>   user-called "appname": setuid-C-wrapper in PATH
>   setuid-C-wrapper: "execv(...)" of similarly named small script
>   that script does various "use MODULE-1"
>
> The problem:
>
> Although written in a CPAN-like way, the application and its modules are
> installed in a "/usr/local/<application>" which is external to the main perl
> installation on the various systems.  When run non-setuid it works well
> (apart from an expected failure opening the reserved port).  Fine.
>
> But when run via the C-wrapper, the small perl script ("els.qx") immediately
> fails:
>   Insecure dependency in require while running setuid at \
>      /usr/local/ecfs/test/.scripts/els.qx line 49.
>   BEGIN failed--compilation aborted at \
>      /usr/local/ecfs/test/.scripts/els.qx line 49.
>
> That line 49 is the first of the local "use MODULE::NAME" commands. Just
> above this is:
>   use FindBin;
>   use lib "$FindBin::Bin/..";
> so that those "MODULE::NAME" things can be found.  These modules belong to
> the application so are not in the perl installation's '@INC'.
>
> Question:  How do I proceed?

Would perlsec help?[1] I'm asking because it looks to me like taint
checks are on so every path you use will need to be un-tainted before
it's used. I'm not sure if it would improve matters to explicitly import
$Bin from FindBin, EG:

use FindBin qw($Bin);
use lib qq($Bin/../);

If not I'd guess you will need to launder the $FindBin::Bin before you
use it and that would probably have to happen in a BEGIN block.[2]


Good luck,
Dp.


1) perldoc perlsec.
2) perldoc perlmod.

--
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
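The laundering Dp. sketches above, as an added example that is not part of the original thread and not the poster's els.qx script. It assumes the layout described in the thread (a small script one directory below the application's module tree, so the lib dir is "$FindBin::Bin/..") and uses a hypothetical package variable $APP_LIB for the untainted path. The regex only accepts an absolute path of ordinary path characters; the capture from a successful match is what clears the taint flag, and because `use lib` runs at compile time the BEGIN block has to appear before it in the file.

```perl
#!/usr/bin/perl -T
# Added example (not from the mailing-list thread): untaint the script
# directory that FindBin reports before handing it to 'use lib', so a
# setuid or -T run no longer dies with "Insecure dependency in require".
use strict;
use warnings;
use FindBin qw($Bin);

# Package variable, so the value set at compile time in BEGIN is still
# there when 'use lib' (also compile time) and the runtime code read it.
our $APP_LIB;   # hypothetical name, not from the thread

BEGIN {
    # The directory FindBin derives can be tainted when the script runs
    # setuid (that is what the error in the thread shows). Matching it
    # against a restrictive pattern and keeping only the capture is the
    # perlsec way to launder it: we decide what a safe value looks like.
    if ( $Bin =~ m{\A(/[\w./-]+)\z} ) {
        $APP_LIB = "$1/..";     # application modules live one level up
    }
    else {
        die "Refusing to trust script directory '$Bin'\n";
    }

    # Taint mode also rejects a tainted PATH (and a few other variables)
    # before any exec. A fixed PATH is the usual setuid hygiene.
    $ENV{PATH} = '/usr/bin:/bin';
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
}

# Replaces the thread's:  use lib "$FindBin::Bin/..";
use lib $APP_LIB;

# Now 'use Some::App::Module;' would succeed under taint checks. The
# remaining lines only show that the laundered value is no longer tainted.
use Scalar::Util qw(tainted);

sub lib_dir_is_clean {
    return !tainted($APP_LIB);
}

printf "lib dir %s is %s\n", $APP_LIB,
    lib_dir_is_clean() ? 'clean' : 'TAINTED';
```

Run it as `perl -T thisfile.pl` to reproduce the setuid behaviour without a setuid wrapper: perl enables taint checks for setuid scripts automatically, and -T forces the same checks for a normal user. If the script directory contains a character the pattern does not allow (a space, for instance), the BEGIN block dies with the explicit message instead of the less helpful "Insecure dependency" one, which is usually what you want from a setuid entry point.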

