Beefy Boxes and Bandwidth Generously Provided by pair Networks Cowboy Neal with Hat
Don't ask to ask, just ask
 
PerlMonks  

Insecure dependency in chmod while running setuid

by ak4good (Initiate)
on Jun 12, 2009 at 08:17 UTC ( #770859=perlquestion: print w/ replies, xml ) Need Help??
ak4good has asked for the wisdom of the Perl Monks concerning the following question:

Hello,

Total beginner here. I need a cgi script to run as root to recursively change file permissions. I slapped something together from examples, but Apache complains:

Insecure dependency in chmod while running setuid at /var/www/cgi-bin/ +set-perms.pl line 13., referer: https://example.com/cgi-bin/

This is the script:

#!/usr/bin/perl -wT BEGIN { $ENV{PATH} = ""; } use strict; use File::Find; $|++; my $baseDir = "/var/www/test/"; my $modeFile = oct(664); my $modeDir = oct(2775); sub setperms { chmod($modeFile, $_) if(-f $_); <------/line 13/ chmod($modeDir, $_) if(-d $_); chown(-1, 1005, $_); } find(\&setperms, "$baseDir");

Please help... :(

Comment on Insecure dependency in chmod while running setuid
Select or Download Code
Re: Insecure dependency in chmod while running setuid
by Corion (Pope) on Jun 12, 2009 at 08:25 UTC

    I think the results you get from File::Find are tainted. This is good as you don't want to have unexpected filenames and don't want to change them to (even) 664. Also, operating on $_ works, but I prefer operating on $File::Find::name, as having absolute filenames is much better in error messages. I would look at perlsec and do something like the following:

    sub setperms { my $fn = $File::Find::name; my $untained_fn; my $mode; if ($fn =~ m!^(\Q$baseDir\E([/\w.]+)\z!) { $untainted_fn = $1; $mode = 0664; } else { $fn =~ m!^(.*)$!; $untainted_fn = $1; $mode = 0000; warn "File name '$untainted_fn' does not match criteria, setti +ng mode to 0."; }; chmod($untained_fn,$mode) or die "Couldn't change '$untainted_fn' +to $mode: $!"; };

    Also, you should really, really consider whether you want to have any script that runs as root accessible from the outside of your computer. I recommend having that script run from a cron job and having as the CGI program a program that just appends filenames to a list.

      File::Find has untaint, untaint_pattern, and untaint_skip options for this purpose.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
      Yes, I really, really didn't like the idea of running a CGI script as root. What I decided to do in the end was to just give users sudo rights to run the permission fixing shell script. I think that's good enough. No complaints so far. :P
Re: Insecure dependency in chmod while running setuid
by JavaFan (Canon) on Jun 12, 2009 at 09:47 UTC
    Why bother with Perl? Something like:
    #!/usr/bin/sh TOPDIR="/var/www/test" find $TOPDIR -type f -print0 | xargs -0 chmod 664 find $TOPDIR -type d -print0 | xargs -0 chmod 2775 chown -R -1:1005 $TOPDIR
    ought to do the trick.
Re: Insecure dependency in chmod while running setuid
by tweetiepooh (Friar) on Jun 12, 2009 at 11:08 UTC
    On a tangental note. Don't you use privilege separation on your Apache? On my Apache 2.2 although root starts Apache (needed for port 80) it spawns processes under a non root account and that account then is the owner of Perl scripts that are executed.
      Yes, Apache on my machine executes cgi scripts as the Apache user, hence the need for setuid to do stuff that the Apache user doesn't have permissions for.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://770859]
Approved by marto
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others exploiting the Monastery: (11)
As of 2014-04-21 12:30 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    April first is:







    Results (495 votes), past polls