The problem isn't setuid Perl, it's that suid forces taintmode on. Read all 
available docs on taintmode.

In particular start with Lincoln Stein's Web security FAQ at the 
www.w3c.org website... and re-read perldoc perlsec as you've stated you've 
done, but this time pay attention to the taintmode stuff.

Lincoln Stein also has a good article on calling setuid stuff like changing 
passwords from a Web App in one of the past Perl Journal issues, but I 
can't recall which one at the moment. It was quite a good article though as 
it went through the pros and cons of several different ways of doing it.

Later,
    Gunther

At 05:14 PM 9/19/2001 -0400, Andria Thomas wrote:
>Hi all --
>
>I'm trying to write a setuid script to change passwords on a machine via
>the web.  I am not trying to change the local passwords (i.e. *not*
>modifying /etc/password), but I do need the script to be run as root so
>it can call another password-changing utility which is doing the actual
>work.
>
>When run from the command line as root, the script works fine. However,
>when run as myself (after setting the script to be setuid root) I get
>the following error generated from the script's system call:
>
>"Insecure dependency in system while running setuid at ./chpass_web.pl
>line 159."
>
>Perl is installed on this system to use suid emulation, so it's calling
>the 'suidperl' binary.  The problem originates from the following line
>of code:
>
>system "/bin/echo $new_password1 | /usr/local/sbin/saslpasswd -p $in_username";
>
>The documentation I've seen implies that variables can't be passed
>directly into the shell, as they are above, but I couldn't reword the
>system call in any way that still enabled it to work.
>
>Can anyone help with this?  Or lead me to any pointers on suidperl?
>I've already read the perlsec manpage, and searched through the mailing
>list archives...
>
>Thanks!
>Andria
>
>--
>----------------------------------------------
>Andria Thomas             [EMAIL PROTECTED]
>System Administrator -- Tovaris, Inc.
>(434) 245-5309 x 105
>
>
>--
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]

__________________________________________________
Gunther Birznieks ([EMAIL PROTECTED])
eXtropia - The Open Web Technology Company
http://www.eXtropia.com/
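The quoted one-liner fails under taint mode because the single-string form of system hands the whole command to /bin/sh, and both interpolated variables came straight from the web form. Below is an added example (not code from either poster) of the same saslpasswd call rewritten to run under -T, the mode suidperl forces on: the username is untainted through a regex capture, the command is started with the list-form pipe open so no shell is involved, and the password is written to the child's stdin instead of being placed on a command line where it would be visible to other users via the process list. The /usr/local/sbin/saslpasswd path and the -p-reads-stdin behaviour are taken from the original post; the username pattern and the minimum password length are assumptions to adapt locally.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: the saslpasswd call rewritten so it
# runs cleanly under taint mode (-T, which suidperl turns on for you).
use strict;
use warnings;

# Taint mode refuses to spawn children until the environment is trusted.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# The only way to launder tainted data is a regex capture. Anything that does
# not fit the pattern is refused, which is also the check that keeps shell
# and option metacharacters (spaces, leading '-', quotes) out of the argv.
sub untaint_username {
    my ($raw) = @_;
    return unless defined $raw;
    # Assumed account naming rule; adjust to the site's own policy.
    return $raw =~ /\A([a-z_][a-z0-9_-]{0,31})\z/ ? $1 : undef;
}

# print() is exempt from taint checks, so the password need not be untainted,
# but saslpasswd reads a single line: reject control characters so a crafted
# value cannot smuggle a second line or a NUL into it.
sub password_ok {
    my ($pw) = @_;
    return defined $pw && length $pw >= 8 && $pw !~ /[\x00-\x1f]/;   # 8 is an assumed minimum
}

# Start saslpasswd without a shell: the list-form pipe open passes argv
# directly, so nothing is ever interpolated into /bin/sh.
sub set_sasl_password {
    my ($raw_user, $pw) = @_;
    my $user = untaint_username($raw_user)
        or die "refusing username: empty or bad characters\n";
    password_ok($pw)
        or die "refusing password: too short or contains control characters\n";

    # Path as in the original post; -p makes saslpasswd read the password
    # from stdin instead of prompting on a terminal.
    open(my $child, '|-', '/usr/local/sbin/saslpasswd', '-p', $user)
        or die "cannot start saslpasswd: $!\n";
    print {$child} "$pw\n";
    close $child
        or die "saslpasswd failed (exit status " . ($? >> 8) . ")\n";
    return 1;
}

# Usage from a CGI handler (parameter names are constructed for the example):
# set_sasl_password($query->param('username'), $query->param('new_password1'));
```

Because every argument to the list-form open is either a literal or has passed through the capture in untaint_username, the "Insecure dependency" check is satisfied; if the regex is ever loosened to a bare `(.*)`, the untainting still "works" but the protection is gone, so keep the pattern as strict as the local account names allow.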

