.Inline dir readonly

Tue, 29 Jan 2019 04:16:19 -0800 


Hello,

We're using Inline-C in a Perl CGI-engine to connect to a C-written
shared library (libblow.so) for decrypting strings with BlowFish (to obfuscate 
the
details and the used key). This is delivered to a production environment
as:

# ls -ld /usr/local/sisis-pap/lib/.Inline
drwxr-xr-x 4 bin bin 4096 Jan 25 12:32 /usr/local/sisis-pap/lib/.Inline
# find /usr/local/sisis-pap/lib/.Inline                                         
       
/usr/local/sisis-pap/lib/.Inline
/usr/local/sisis-pap/lib/.Inline/config-x86_64-linux-thread-multi-5.026002
/usr/local/sisis-pap/lib/.Inline/lib
/usr/local/sisis-pap/lib/.Inline/lib/auto
/usr/local/sisis-pap/lib/.Inline/lib/auto/SisisAdminInstall_pl_64f0
/usr/local/sisis-pap/lib/.Inline/lib/auto/SisisAdminInstall_pl_64f0/SisisAdminInstall_pl_64f0.inl
/usr/local/sisis-pap/lib/.Inline/lib/auto/SisisAdminInstall_pl_64f0/SisisAdminInstall_pl_64f0.so
/usr/local/sisis-pap/lib/.Inline/lib/auto/SisisAdmin_64f0
/usr/local/sisis-pap/lib/.Inline/lib/auto/SisisAdmin_64f0/SisisAdmin_64f0.inl
/usr/local/sisis-pap/lib/.Inline/lib/auto/SisisAdmin_64f0/SisisAdmin_64f0.so
/usr/local/sisis-pap/lib/.Inline/build
/usr/local/sisis-pap/lib/.Inline/.lock

# ldd
# 
/usr/local/sisis-pap/lib/.Inline/lib/auto/SisisAdminInstall_pl_64f0/SisisAdminInstall_pl_64f0.so
        linux-vdso.so.1 (0x00007ffc223fb000)
        libblow.so => /usr/local/sisis-pap/lib/libblow.so (0x00007efdeb377000)
        libssl.so.1.1 => /usr/local/sisis-pap/lib/libssl.so.1.1 
(0x00007efdeb109000)
        ...

and works just fine. Note: the things below .Inline are there and not
compiled on the flight on first use of the Inline-C code.

The only problem is, that the dir .Inline must be writeable by the
apache-process which runs as 'nobody'. This is checked in Inline.pm as:

#==============================================================================
# Find the 'Inline' directory to use.
#==============================================================================
my $TEMP_DIR;
sub find_temp_dir {
    return $TEMP_DIR if $TEMP_DIR;

    my ($temp_dir, $home, $bin, $cwd, $env);
    $temp_dir = '';
    $env = $ENV{PERL_INLINE_DIRECTORY} || '';
    $home = $ENV{HOME} ? abs_path($ENV{HOME}) : '';

    if ($env and
        -d $env and
        -w $env) {
        $temp_dir = $env;
    }
    ...

Why is the check '-w $env' made there, at the beginning? Of course, if 
something really
must be compiled, it must be writable, but not in any use case, like
ours.

        matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
October, 7 -- The GDR was different: Peace instead of Bundeswehr and wars, 
Druschba
instead of Nazis, to live instead of to survive.

Reply via email to