> -----Original Message-----
> From: Perrin Harkins [mailto:[EMAIL PROTECTED]
> Sent: 30 March 2007 15:38
> To: Shah, Sagar: IT (LDN)
> Cc: [EMAIL PROTECTED]; modperl@perl.apache.org; Client Research Development
> Subject: Re: "Insecure dependency in eval while running setgid" error
>
> On 3/30/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > What we found is that sometimes the problem would occur with httpd
> > processes that had served nothing other than this page and static
> > content (gifs, js files etc.).
>
> Okay, and did you try repeating that sequence of requests to see if it
> triggers your problem?

Yes absolutely.

> > In other cases the httpd process had
> > served cgi scripts and our other mod_perl page, but I don't think the
> > other mod_perl page or the forked cgi's are relevant given that there
> > are instances where only static content has been served. Is that a fair
> > conclusion to make?
>
> Not really. You seem to have already decided that the problem has
> something to do with mod_perl, but there's really no evidence for that
> at this point.

I'd like nothing more than for the problem to be something that I can fix on my end rather than something that requires a new release of mod_perl/perl/some other CPAN library. I haven't decided the problem is with mod_perl, it's just that I'm finding it more and more difficult to feel it's with my code. That's just a feeling I'm relaying in my emails. I'm certainly nowhere near having the evidence to apportion blame. The reason that it feels to me that mod_perl might be involved is simply because there are other documented behaviours to do with quite valid things persisting between calls even when the developer doesn't expect so.

> It's a complete mystery. It could be due to a problem
> with your apache compile, or an auth module you use on certain static
> pages, or a bug in a system library that apache is compiled against,
> etc.

Interesting, I'd considered perl, mod_perl, my own code and CPAN modules to date, but not apache or any of its auth handlers... But that's precisely why I want to create the most simple test case I can as this will then lend itself for testing on other people's builds/installations. It's only then that I'll be able to rule out my own compilation. The possibilities are getting more low level than I initially expected.

> It's definitely worth trying to repeat the sequence of hits that
> led to the problem on a single process apache, even if the hits were
> all static files.

We did try, but each time we got nothing.
I think the smallest pattern we had was a child process that served one static file, and then this mod_perl page twice. That pattern certainly didn't repeat. I'll take your advice and ask my team to pick another sequence and repeat it several times to see if they can trigger it in a consistent manner. Having a consistent pattern would be great, I'm just pessimistic based on the efforts so far...

Thanks for keeping that fighting spirit in me going :)

>
> - Perrin
>