Briefly:
Although I'm reasonably comfortable (though certainly not expert) with
perl scripts running under a setuid C wrapper, and am familiar with
"Programming Perl (3rd edition)" on the topic, nothing in my searches
seems to help when the script wishes to do a "use MODULE::NAME", and
when that module is outside the perl installation. I suspect that is
where my problem, which is "Insecure dependency in require while running
setuid ...", lies, although I'm open to other suggestions.
Background:
An ancient perl4 application here is being rewritten to use local
CPAN-like modules, object-orientation, etc. At one point in its running
it needs root access to open a privileged (<1024) port, but apart from
that it can (and should and will) run entirely as the user. Therefore
it needs a setuid environment. (Doesn't it? Other suggestions,
including "lateral thinking" to contain, separate and isolate that
reserved-port-opening are welcome.)
The application needs to run on a variety of UN*X systems, including AIX
5.3, and I think that having the script itself setuid wouldn't work on
some of those older systems. (It screams "YOU HAVEN'T DISABLED SET-ID
SCRIPTS IN THE KERNEL YET!".)
I have tried to put as much as reasonably possible of the application
into local CPAN-like modules, with just the initial C wrapper and small
perl script outside that framework. So that is:
    user-called "appname": setuid-C-wrapper in PATH
    setuid-C-wrapper: "execv(...)" of similarly named small script
    that script does various "use MODULE-1"
The problem:
Although written in a CPAN-like way, the application and its modules are
installed in a "/usr/local/<application>" which is external to the main
perl installation on the various systems. When run non-setuid it works
well (apart from an expected failure opening the reserved port). Fine.
But when run via the C-wrapper, the small perl script ("els.qx")
immediately fails:
    Insecure dependency in require while running setuid at \
        /usr/local/ecfs/test/.scripts/els.qx line 49.
    BEGIN failed--compilation aborted at \
        /usr/local/ecfs/test/.scripts/els.qx line 49.
That line 49 is the first of the local "use MODULE::NAME" commands.
Just above this is:
    use FindBin;
    use lib "$FindBin::Bin/..";
so that those "MODULE::NAME" things can be found. These modules belong
to the application so are not in the perl installation's '@INC'.
Question: How do I proceed? Is there a known, demonstrated way to
handle this? I don't see any in "Programming Perl (3rd edition)", nor
in web searches. (While I suspect that relocating the "MODULE::NAME"
items to be within each system's perl installation (site/vendor
etc.) might possibly work, there may be local administrative resistance
to such a course of action across our ranges of systems, administered by
other people, that need this application.)
--
: David Lee
: ECMWF (Data Handling System)
: Shinfield Park
: Reading RG2 9AX
: Berkshire
:
: tel: +44-118-9499 362
: email: david....@ecmwf.int