Hi All,

I've been following this discussion closely because I had what seems to be the 
same problem Sagar is having.

On Friday 30 March 2007 12:19 pm, Perrin Harkins wrote:
> This might be a silly question, but what makes you think this has to
> do with tainting?  If it was a taint problem, wouldn't it say
> "Insecure dependency in eval while running with -T switch"?  It's
> complaining about eval while running setgid.  (I know you said you
> aren't running setgid, but I think you should be trying to figure out
> why it thinks it's setgid, not why something is tainted.)

I was initially on-board with Sagar about this being a taint-checker problem, 
but Perrin's makes a pretty good point: it *is* rather suggestive that the 
insecure dependency message refers to "while running setgid" at the same time 
that the server reports GID-EGID mismatch due to a nonsensical EGID.  I 
checked and found that my server displays the EGID problem as well, so 
decided to take Perrin's advice and investigate this first.

I ran ps, which showed that the httpd processes all have their GID matching 
their EGID.  Then I checked in perl by reporting the GID and EGID from the 
parent and children and found that the nonsensical EGID appears in the 
children when they are spawned (or at least in the PerlChildInitHandler). 
This seems to localize the problem to mod_perl.

I started greping around in the mod_perl source code (I have 2.0.2) and found 
this in modperl_perl.c:

--------------------------------------------------------------------------------------------
static void modperl_perl_ids_get(modperl_perl_ids_t *ids)
{
    ids->pid  = (I32)getpid();
#ifdef MP_MAINTAIN_PPID
    ids->ppid = (I32)getppid();
#endif
#ifndef WIN32
    ids->uid  = getuid();
    ids->euid = geteuid(); 
    ids->gid  = getgid(); 
    ids->gid  = getegid(); 
--------------------------------------------------------------------------------------------
I changed that last line to

   ids->egid = getegid();

then rebuilt/reinstalled/restarted, and the EGID problem is gone.  

I checked the 2.0.3 source and found this already fixed there.



Sagar, can you try the same thing with your server?  Perhaps the "tainting" 
problem will just disappear once this bug is fixed.

Regards,
Charlie

-- 
Charlie Katz
Harvard-Smithsonian Center for Astrophysics
[EMAIL PROTECTED]

Reply via email to