Hi All,
I've been following this discussion closely because I had what seems to be the
same problem Sagar is having.
On Friday 30 March 2007 12:19 pm, Perrin Harkins wrote:
> This might be a silly question, but what makes you think this has to
> do with tainting? If it was a taint problem, wouldn't it say
> "Insecure dependency in eval while running with -T switch"? It's
> complaining about eval while running setgid. (I know you said you
> aren't running setgid, but I think you should be trying to figure out
> why it thinks it's setgid, not why something is tainted.)
I was initially on-board with Sagar about this being a taint-checker problem,
but Perrin's makes a pretty good point: it *is* rather suggestive that the
insecure dependency message refers to "while running setgid" at the same time
that the server reports GID-EGID mismatch due to a nonsensical EGID. I
checked and found that my server displays the EGID problem as well, so
decided to take Perrin's advice and investigate this first.
I ran ps, which showed that the httpd processes all have their GID matching
their EGID. Then I checked in perl by reporting the GID and EGID from the
parent and children and found that the nonsensical EGID appears in the
children when they are spawned (or at least in the PerlChildInitHandler).
This seems to localize the problem to mod_perl.
I started greping around in the mod_perl source code (I have 2.0.2) and found
this in modperl_perl.c:
--------------------------------------------------------------------------------------------
static void modperl_perl_ids_get(modperl_perl_ids_t *ids)
{
ids->pid = (I32)getpid();
#ifdef MP_MAINTAIN_PPID
ids->ppid = (I32)getppid();
#endif
#ifndef WIN32
ids->uid = getuid();
ids->euid = geteuid();
ids->gid = getgid();
ids->gid = getegid();
--------------------------------------------------------------------------------------------
I changed that last line to
ids->egid = getegid();
then rebuilt/reinstalled/restarted, and the EGID problem is gone.
I checked the 2.0.3 source and found this already fixed there.
Sagar, can you try the same thing with your server? Perhaps the "tainting"
problem will just disappear once this bug is fixed.
Regards,
Charlie
--
Charlie Katz
Harvard-Smithsonian Center for Astrophysics
[EMAIL PROTECTED]
