On 8/28/06, Peter Huber <[EMAIL PROTECTED]> wrote:
I have a problem with the postgrey 1.27 from the snapshot. When I try to start
with
the -d flag (daemonize) I get an error "Insecure $ENV{PATH} while running with
-T
switch at /usr/local/libdata/perl5/site_perl/Net/Server/Daemonize.pm line 66
The postgrey 1.23 does not have this problem. Does anybody know what is wrong ?
A perl script running with 'taint' checks MUST explicitly 'untaint'
$ENV{PATH} and a number of other environment variable before it can
use system(), exec(), qx(), backquotes, or a piped open. This is
described on the perlsec(1) manpage; search for "Cleaning Up Your
Path" on that page.
You can untaint these by completely removing them from the
environment, or by setting them to fixed, clean value, or by more
complicated means of verifying that their values are safe and then
directly untainting them. BUT, this all has to be done *in the
script*, as it's perl that you need to convince.
As a side-note, if you ever wonder what a perl error message means,
the first place to check is the perldiag(1) manpage. If it ain't
there, then it isn't being generated by perl itself and can be taken
up with the script authors or similar. Indeed, looking there we find
the following:
Insecure $ENV{%s} while running %s
(F) You can't use system(), exec(), or a piped open in
a setuid or setgid script if any of $ENV{PATH},
$ENV{IFS}, $ENV{CDPATH}, $ENV{ENV}, $ENV{BASH_ENV} or
$ENV{TERM} are derived from data supplied (or poten-
tially supplied) by the user. The script must set the
path to a known value, using trustworthy data. See
perlsec.
Hmm, comparing that and what I wrote, I now think I could have simply
quoted it and nothing else. <sigh>
Philip Guenther
