Hi Stas, thanks for your reply.
I've forgotten to mention it, but I have already tried
    BEGIN {
        delete @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)};
        $ENV{PATH} = '/bin:/usr/bin';
    }
And also the values '' and '/' for $ENV{PATH}.
Unfortunately the error message when I'm sending mail with
    my $sendmail = Mail::Mailer->new();
    unless ($sendmail->open({From => $owner,
                             To => join(', ', sort keys %DEFAULT_PERSONS),
                             Cc => join(', ', sort keys %inform_persons),
                             Subject => 'Taskit',
                             'X-Sender-Host' => $client,
                            })) {
        print "<H1>Cannot send mail ($!)</H1>\n";
        goto END;
    };
    print $sendmail $text;
    $sendmail->close();
Stays the same:
    Apache::StatINC: process 4933 reloading Taskit.pm.
    [Fri Apr 30 09:54:49 2004] [error] Insecure $ENV{PATH} while running with -T switch at /nokia/apps/tww/@sys/perl580p/lib/5.8.0/Mail/Mailer/sendmail.pm line 16.
The Apache 1.3.27 runs as ccm_root and thus shouldn't
be able to overwrite these directories:
boccm01:lib {133} ls -ld /bin
lrwxrwxrwx 1 root root 9 Jul 6 1999 /bin -> ./usr/bin
boccm01:lib {134} ls -ld /usr/bin
drwxr-xr-x 4 root bin 9216 Apr 1 12:23 /usr/bin
boccm01:lib {136} ls -ld /
drwxr-xr-x 37 root root 1024 Dec 18 15:45 /
I'll try to install Apache::Reload but wonder,
why do you suggest it...
Regards
Alex
> -----Original Message-----
> From: ext Stas Bekman [mailto:[EMAIL PROTECTED]
>
> [EMAIL PROTECTED] wrote:
> >
> > on the top of my mod_perl 1 script I have:
> >
> > package Taskit;
> >
> > BEGIN {
> > delete @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)};
> > }
> >
> > use Apache;
> > use Apache::Constants qw(OK);
> > use Apache::Request;
> > use Net::LDAP;
> > use Mail::Mailer qw(sendmail);
> > use GSCM::CCM::Session;
> > use Data::Dumper;
> > use strict;
> >
> > And still I get this error in the error_log:
> >
> > Apache::StatINC: process 4585 reloading Taskit.pm.
> > [Thu Apr 29 15:13:53 2004] [error] Insecure $ENV{PATH} while running with -T switch at /nokia/apps/tww/@sys/perl580p/lib/5.8.0/Mail/Mailer/sendmail.pm line 16.
> >
> > Is it some kind of mod_perl quirk? I thought
> > delete-ing $ENV{PATH} would help me with that error?
>
> The perlsec manpage suggests to set it, not delete it:
>
> $ENV{'PATH'} = '/bin:/usr/bin';
> delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
> ...
> For "Insecure $ENV{PATH}" messages, you need to set $ENV{'PATH'} to a
> known value, and each directory in the path must be non-writable by
> others than its owner and group. You may be surprised to get this
> message even if the pathname to your executable is fully qualified. This
> is not generated because you didn't supply a full path to the program;
> instead, it's generated because you never set your PATH environment
>                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> variable, or you didn't set it to something that was safe. Because
> Perl can't guarantee that the executable in question isn't itself going
> to turn around and execute some other program that is dependent on your
> PATH, it makes sure you set the PATH.
>
> so when you delete it, it's as if it has never been set. Though
> admittedly this works for me on linux:
>
> % perl -Tle 'delete @ENV{qw(PATH BASH_ENV)}; qx|echo horray!|'
>
> So it probably varies from OS to OS.
>
> But now looking again at your output, it doesn't happen during the normal
> load, but only after reload, right? Any difference with setting PATH
> explicitly as the manpage suggests? Any difference if you use
> Apache::Reload instead of StatINC?
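
An added example, not code from either poster or from Mail::Mailer: a small Perl check for the conditions named in the perlsec text quoted above, namely that PATH holds a value the program assigned itself and that no directory in it is writable by others. The helper names audit_path and report are hypothetical, and /bin/echo stands in for the sendmail binary.

```perl
# Run as: perl -T audit_path.pl   (added example; helper names are hypothetical)
use strict;
use warnings;
use Scalar::Util qw(tainted);
use Fcntl qw(:mode);

# List the reasons a PATH string would fail the checks quoted from perlsec.
sub audit_path {
    my ($path) = @_;
    return ('PATH is not set') unless defined $path;
    my @problems;
    push @problems, 'value is tainted (not assigned by this program)'
        if tainted($path);
    for my $dir (split /:/, $path, -1) {
        if ($dir !~ m{^/}) {
            push @problems, "'$dir' is empty or relative";
            next;
        }
        my @st = stat($dir) or next;    # nonexistent entries are skipped
        push @problems, sprintf('%s is writable by others (mode %04o)',
                                $dir, S_IMODE($st[2]))
            if $st[2] & S_IWOTH;
    }
    return @problems;
}

# Print the findings and return how many there were.
sub report {
    my ($label, $path) = @_;
    my @problems = audit_path($path);
    print "$label: ", (@problems ? join('; ', @problems) : 'ok'), "\n";
    return scalar @problems;
}

report('inherited PATH', $ENV{PATH});

# Assign a literal immediately before the spawn, scoped to this block.
# /bin/echo is a stand-in for the sendmail binary Mail::Mailer would run.
{
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    local $ENV{PATH} = '/bin:/usr/bin';
    if (report('explicit PATH', $ENV{PATH}) == 0) {
        system('/bin/echo', 'spawn permitted under -T') == 0
            or warn "spawn failed: $?\n";
    }
}
```

Calling report() on $ENV{PATH} inside the request handler, just before the mail is sent, shows whether the value in effect at that moment is still the one assigned in BEGIN.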