CGI/Perl Guide | Learning Center | Forums | Advertise | Login
Site Search: in

  Main Index MAIN
INDEX
Search Posts SEARCH
POSTS
Who's Online WHO'S
ONLINE
Log in LOG
IN

Home: Perl Programming Help: Advanced:
setuid causes "use" and "require" to fail, why? how to work around this?

 



tristan
New User

Jan 27, 2007, 1:56 AM

Post #1 of 3 (862 views)
setuid causes "use" and "require" to fail, why? how to work around this? Can't Post

i have a perlscript that is executed by procmail (as the result of processing a .procmailrc file via qmail), and on my system, this causes the perlscript to be run with setuid (in this case, "setuid popuser").

the problem is that when a perl script is run with setuid, apparently the security prevents the perlscript from including packages that are not in standard locations (using the "use" and "require" directives).

for example, i try to use the package AAA.pm located in /home/bbb/perl . if i put the following lines in my perlscript:

use lib ("/home/bbb/perl");
use AAA;

then i get:
Can't locate AAA.pm in @INC (@INC contains: /home/bbb/perl ...)

i ONLY get this error when the perlscript is run with setuid.

(even using the TAINT mode will not cause this problem - only setuid causes this error)

i spent hours with google looking for any hint, but found nothing.

how can i resolve this?

what are the restrictions for "use" and "require" when a perlscript is run in setuid?

how can i work around those restrictions?

thanks!

PS: using perl v5.8.8 on Linux 2.6.16.27-060907a


(This post was edited by tristan on Jan 27, 2007, 2:01 AM)


davorg
Thaumaturge / Moderator

Jan 29, 2007, 7:26 AM

Post #2 of 3 (852 views)
Re: [tristan] setuid causes "use" and "require" to fail, why? how to work around this? [In reply to] Can't Post

I'm not sure what is causing this problem. I do know that running a Perl program as setuid will automatically put it into taint mode and that in taint mode the current directory is removed from @INC.

You may get more clues by reading perlsec.

--
Dave Cross, Perl Hacker, Trainer and Writer
http://www.dave.org.uk/
Get more help at Perl Monks


tristan
New User

Jan 29, 2007, 12:57 PM

Post #3 of 3 (848 views)
Re: [davorg] setuid causes "use" and "require" to fail, why? how to work around this? [In reply to] Can't Post


In Reply To
I'm not sure what is causing this problem. I do know that running a Perl program as setuid will automatically put it into taint mode and that in taint mode the current directory is removed from @INC.

You may get more clues by reading perlsec.

thanks.

i know that, but the current directory "." is not in the include path @INC. so that's not the problem.

and it works when i manually set the script in TAINT mode using option -T, so setuid does something more that prevents including modules located in other directories (other than the standard @INC locations). but this does not seem to be documented anywhere.

 
 


Search for (options) Powered by Gossamer Forum v.1.2.0

Web Applications & Managed Hosting Powered by Gossamer Threads
Visit our Mailing List Archives