Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl Monk, Perl Meditation
 
PerlMonks  

Apache, no suexec, suid and the environment

by stefan k (Curate)
on Jun 28, 2007 at 13:15 UTC ( #623878=perlquestion: print w/ replies, xml ) Need Help??
stefan k has asked for the wisdom of the Perl Monks concerning the following question:

Fellow Monks,

the situation at hand is a CGI script which needs to be run as a certain user and which has to call several commands only available to that user using shared libraries found in the users LD_LIBRARY_PATH.

Lucky are those who have Apache2 which ships with mod_suexec by default, but not alas! on the system I have to work on.

Next I tried to run that CGI script suid to the user in question (not root), I went through the perlsec manpage, cleaned my path and other environments and untained all the input until finally the script would start and try to call the external command (using system()). Then the dynamic linking failed. I tried to set $ENV{'LD_LIBRARY_PATH'}, I preceded the actual command with the variable like this:

my $cmd = "LD_LIBRARY_PATH=/path/to/libs command arg1 arg2"; system($cmd) and die "..";
but to no avail. Any pointers, hints and tips welcome. Can you help me out?

Update: Fixed the typo in the title.

Regards... stefan k
you begin bashing the string with a +42 regexp of confusion

Comment on Apache, no suexec, suid and the environment
Select or Download Code
Re: Apache, no suexec, suid and the environment
by Fletch (Chancellor) on Jun 28, 2007 at 13:24 UTC

    You can use (localized) changes to %ENV to modify a child process' environment.

    { local $ENV{ LD_LIBRARY_PATH } = q{/path/to/libs}; my $cmd = "..."; system( $cmd ) == 1 or die "Problem with '$cmd': $?\n"; }

    (That being said, I also want to say that I vaguely recall ld.so does some sanitizing of the environment on some platforms if the EUID and RUID don't match, so you might not be able to get this to work without another layer of indirection (i.e. you start a suid wrapper which sets the environment up then calls the thing you really want to call).)

Re: Apache, no suexec, suid and the environment
by toolic (Chancellor) on Jun 28, 2007 at 14:02 UTC
    In *nix, LD_LIBRARY_PATH is commonly a colon-separated list of directories. If you do not wish to clobber existing directories, you may want to either append or prepend a path:
    $ENV{LD_LIBRARY_PATH} .= ":/my/new/path"; # append $ENV{LD_LIBRARY_PATH} = "/my/before/path:" . $ENV{LD_LIBRARY_PATH}; +# prepend

    It is also a good practice to check if LD_LIBRARY_PATH is defined before doing this.

      Hi,
      thanks for pointing that out, but I am well aware of what LD_LIBRARY_PATH is, how it is used and what values it takes in the situation at hand. The problem is that the programs called from perl don't find their libraries in this suid-script and I can't see why not.

      Regards... stefan k
      you begin bashing the string with a +42 regexp of confusion

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://623878]
Approved by Corion
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others browsing the Monastery: (9)
As of 2014-07-24 21:19 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (167 votes), past polls