Hi Fred,

Thanks for your response

> -----Original Message-----
> From: Fred Moyer [mailto:[EMAIL PROTECTED]
> Sent: 27 March 2007 17:30
> To: Shah, Sagar: IT (LDN)
> Cc: modperl@perl.apache.org
> Subject: Re: "Insecure dependency in eval while running setgid" error
>
> [EMAIL PROTECTED] wrote:
> > - I changed a mod_perl page to actually print out gid and egid. Both $(
> > and $) are actually a space separated list of group ids, what I found is
> > that under mod_perl I get:
> >
> > $GID 451 451
> > $EGID -19253340 451
> >
> > 451 is fliclearusers, the primary group of my account. I have no idea
> > where this negative number comes from. Certainly running perl -e 'print
> > $)' doesn't return it.
> >
> > So I'm again at the stage where I'm thinking it is an issue with the
> > state of the perl/mod_perl interpreter rather than my code or a CPAN
> > module's code.
> >
> > Can anyone shed any light on that negative egid value? (/usr/bin/ps
> > certainly doesn't show such a value)
>
> My guess as to why $EGID is negative is that it's exceeding 2**32/2 -
> it's signed int according to the source (mp1). The only reason I'm
> guessing here is that I had to fix a sprintf bug not too long ago where
> our interpolated object ids were returning negative numbers because we
> exceeded 2 billion transactions in our system.
>
> src/modules/perl/perl_util.c
>
> void mod_perl_init_ids(void) /* $$, $>, $), etc */
> {
>     if(set_ids++) return;
>     sv_setiv(GvSV(gv_fetchpv("$", TRUE, SVt_PV)), (I32)getpid());
> #ifndef WIN32
>     uid = (int)getuid();
>     euid = (int)geteuid();
>     gid = (int)getgid();
>     egid = (int)getegid();
>     MP_TRACE_g(fprintf(stderr,
>         "perl_init_ids: uid=%d, euid=%d, gid=%d, egid=%d\n",
>         uid, euid, gid, egid));
> #endif
> }

Thanks, that helps, but I'm still not clear how my gid changes. When
trussing my webserver (and all the forked children) I couldn't find any
setegid or getegid calls at all...
(although I needed to do a graceful restart to get the truss process to
pick up the children, so I guess the parent could have done something
prior to this - worth me checking out....)

> > What I found was if I changed my Website::Proxy module to load all
> > modules on webserver startup (i.e. in its own BEGIN block) rather
> > than on demand then the eval errors there stopped. This seems to imply
> > that the interpreter is getting into a confused state after some
> > continued use.
>
> Or maybe this is a bug in getegid where it's not clearing a previous
> memory state. What platform is this on?

Solaris 8

> Question - are you preloading these modules in startup.pl or something
> similar? It sounds like you aren't from the snippet above.

I think what I'm doing is the equivalent. I do a PerlModule
Website::Proxy in my httpd.conf which causes the module to be loaded, and
thus via its BEGIN block the loading of all other modules. I'm reasonably
certain it's working correctly because when putting in some debugging
I've seen that the BEGIN block is not executed once per child process.
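
The hypothesis in the quoted reply, that an ID above 2**31 reads as negative once it is stored through a signed int, can be checked against the reported $EGID list. The following is an added example, not code from this thread or from mod_perl; it assumes 32-bit unsigned IDs, and the function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What an (int) cast like the one in the quoted mod_perl_init_ids() yields
   for an ID, assuming the ID type is unsigned 32-bit (an assumption). */
static int id_as_signed_int(uint32_t id)
{
    if (id > (uint32_t)INT32_MAX)
        return (int)((int64_t)id - 4294967296LL);   /* wraps negative */
    return (int)id;
}

/* Scan a "$)"-style space-separated ID list. Each negative entry is treated
   as a wrapped value and its unsigned equivalent is stored in out[].
   Returns the number of wrapped entries, or -1 if the list does not parse. */
static int find_wrapped_ids(const char *list, uint32_t *out, int max_out)
{
    int n = 0;
    const char *p = list;
    for (;;) {
        char *end;
        long long v;
        while (*p == ' ') p++;
        if (*p == '\0') return n;
        errno = 0;
        v = strtoll(p, &end, 10);
        if (end == p || errno == ERANGE || v < INT32_MIN || v > (long long)UINT32_MAX)
            return -1;
        if (v < 0) {
            if (n < max_out) out[n] = (uint32_t)v;  /* modular conversion */
            n++;
        }
        p = end;
    }
}

int main(void)
{
    const char *egid = "-19253340 451";   /* $EGID value reported in the thread */
    uint32_t wrapped[4];
    int n = find_wrapped_ids(egid, wrapped, 4);
    for (int i = 0; i < n && i < 4; i++)
        printf("wrapped gid %lu reads as %d through int\n",
               (unsigned long)wrapped[i], id_as_signed_int(wrapped[i]));
    return n < 0;
}
```

A wrapped entry only shows that the value is consistent with the signed-int hypothesis; it does not show where the underlying group ID came from.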