Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2007/01/07 00:28:34 UTC

[Bug 5282] New: PERL5LIB is ignored with spamassassin

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5282

           Summary: PERL5LIB is ignored with spamassassin
           Product: Spamassassin
           Version: SVN Trunk (Latest Devel Version)
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Libraries
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: jm@jmason.org


sudo mkdir /usr/local/share/perl/5.8.7/tst
sudo mkdir /usr/local/share/perl/5.8.7/tst/Mail
sudo mv /usr/local/share/perl/5.8.7/{,tst/}Mail/DomainKeys.pm
sudo mv /usr/local/share/perl/5.8.7/{,tst/}Mail/DomainKeys

PERL5LIB=/usr/local/share/perl/5.8.7/tst perl -w -e 'use Mail::DomainKeys; print join(" ",@INC)'
/usr/local/share/perl/5.8.7/tst /etc/perl /usr/local/lib/perl/5.8.7
/usr/local/share/perl/5.8.7 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8
/usr/share/perl/5.8 /usr/local/lib/site_perl /usr/local/lib/perl/5.8.4
/usr/local/share/perl/5.8.4 /usr/local/lib/perl/5.8.3
/usr/local/share/perl/5.8.3 /usr/local/lib/perl/5.8.2 /usr/local/share/perl/5.8.2 .

edit lib/Mail/SpamAssassin/Plugin/DomainKeys.pm, and change BEGIN line to:

BEGIN { warn "JMD ".join(" ",@INC); require Mail::DomainKeys::Message; require Mail::DomainKeys::Policy; }

PERL5LIB=/usr/local/share/perl/5.8.7/tst ./spamassassin -D -t < sample-spam.txt > o 2>&1
grep Domain o
[3251] dbg: plugin: loading Mail::SpamAssassin::Plugin::DomainKeys from @INC
[3251] warn: JMD lib /usr/local/share/perl/5.8.7 /etc/perl
/usr/local/lib/perl/5.8.7 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8
/usr/share/perl/5.8 /usr/local/lib/site_perl /usr/local/lib/perl/5.8.4
/usr/local/share/perl/5.8.4 /usr/local/lib/perl/5.8.3
/usr/local/share/perl/5.8.3 /usr/local/lib/perl/5.8.2
/usr/local/share/perl/5.8.2 at lib/Mail/SpamAssassin/Plugin/DomainKeys.pm line 64.
[3251] warn: plugin: failed to parse plugin (from @INC): Can't locate
Mail/DomainKeys/Message.pm in @INC (@INC contains: lib
/usr/local/share/perl/5.8.7 /etc/perl /usr/local/lib/perl/5.8.7 /usr/lib/perl5
/usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl
/usr/local/lib/perl/5.8.4 /usr/local/share/perl/5.8.4 /usr/local/lib/perl/5.8.3
/usr/local/share/perl/5.8.3 /usr/local/lib/perl/5.8.2
/usr/local/share/perl/5.8.2) at lib/Mail/SpamAssassin/Plugin/DomainKeys.pm line 64.
[3251] warn: BEGIN failed--compilation aborted at
lib/Mail/SpamAssassin/Plugin/DomainKeys.pm line 64.


In other words, the use of PERL5LIB works with "perl" but not with
"spamassassin".  That's not good...



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

------- Additional Comments From apache-org@monkeydyne.com  2007-01-07 13:33 -------
So I think I understand why SpamAssassin runs in taint mode: you wouldn't want
joe random user to include new code in their PERL5PATH, then trick spamassassin
or spamd into running that code under whatever user the administrator has
configured it.

At the same time I think that what I'm requesting is not inappropriate.  There
*are* necessarily unconventional configurations, and the administrator of the
system ought to be able to use PERL5LIB or a similar mechanism.

What about allowing a PERLLIB-like specification inside init.pre?  That file
ought to be only accessible to administrators, and it would allow them to
include the appropriate directories without opening the door to abuse by their
users.




jm@jmason.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From jm@jmason.org  2007-01-07 04:39 -------
stupid taint mode.

OK, I've documented this in the spamassassin man page, on the single-user
install wiki page, and in PACKAGING.




jm@jmason.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |apache-org@monkeydyne.com




------- Additional Comments From jm@jmason.org  2007-01-06 15:46 -------
*** Bug 5281 has been marked as a duplicate of this bug. ***




------- Additional Comments From jm@jmason.org  2007-01-08 03:48 -------
'So I think I understand why SpamAssassin runs in taint mode: you wouldn't want
joe random user to include new code in their PERL5PATH, then trick spamassassin
or spamd into running that code under whatever user the administrator has
configured it.'

Actually, taint mode is used for a better reason ;)  Since it tracks data
sources, it ensures that we always treat data taken from the (possibly
spam/malware) mail as "tainted" and unsafe, even hundreds of lines of code away
from where it was first read from the network.  It's pretty handy for that
reason -- it greatly reduces the risk of remotely-exploitable flaws.

To be honest, this PERL5LIB issue is new to us, too -- we hadn't realised that
taint mode breaks that.  (it makes sense for most taint users, but not us,
unfortunately.)

'At the same time I think that what I'm requesting is not inappropriate.  There
*are* necessarily unconventional configurations, and the administrator of the
system ought to be able to use PERL5LIB or a similar mechanism.

What about allowing a PERLLIB-like specification inside init.pre?  That file
ought to be only accessible to administrators, and it would allow them to
include the appropriate directories without opening the door to abuse by their
users.'

Actually, there's an easy fix -- simply run

  perl Makefile.PL PERL_TAINT=no
 
instead of

  perl Makefile.PL

that turns off use of taint mode.  Taint mode is just a "bonus" security
feature; without it, you've still got plenty of security anyway...




------- Additional Comments From felicity@apache.org  2007-01-06 15:58 -------
Yes, I believe this is actually expected behavior.  I had the same "wth" moment
when doing some testing on my laptop a while ago, until I dug around and found
this in "perldoc perlrun" which explains what's up:

       PERL5LIB    A list of directories in which to look for Perl library
                   files before looking in the standard library and the
                   current directory.  Any architecture-specific directories
                   under the specified locations are automatically included if
                   they exist.  If PERL5LIB is not defined, PERLLIB is used.
                   Directories are separated (like in PATH) by a colon on
                   unixish platforms and by a semicolon on Windows (the proper
                   path separator being given by the command "perl
                   -V:path_sep").

                   When running taint checks (either because the program was
                   running setuid or setgid, or the -T switch was used),
                   neither variable is used.  The program should instead say:

                       use lib "/my/directory";

So the installed "spamassassin", etc, all use taint mode, so PERL5LIB is ignored.



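The behaviour in the original report and the perlrun passage quoted in the last comment, as an added example that is not part of the bug thread or of SpamAssassin's own code: a script run under `perl -T` that reports which PERL5LIB entries reached @INC, shows that a compile-time `use lib` is still honoured, and shows the data-source tracking described in the 2007-01-08 comment. The directory is the hypothetical one from the report and `taint_demo.pl` is an assumed file name.

```perl
#!/usr/bin/perl -T
# Added example, not part of the bug thread or of SpamAssassin.
# Run it as:  PERL5LIB=/some/dir perl -T taint_demo.pl
# (-T must also be on the command line, or perl dies with "Too late for -T".)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical admin-controlled directory (the one used in the bug report).
# `use lib` is evaluated at compile time and is honoured under -T, unlike
# PERL5LIB/PERLLIB, which perl skips entirely when taint checks are on.
# It needs a literal, so the path is repeated rather than taken from $ADMIN_LIB.
my $ADMIN_LIB = '/usr/local/share/perl/5.8.7/tst';
use lib '/usr/local/share/perl/5.8.7/tst';

# Which PERL5LIB entries actually made it into @INC?  Under -T: none of them.
sub perl5lib_status {
    my $raw = defined $ENV{PERL5LIB} ? $ENV{PERL5LIB} : '';
    my %inc = map { $_ => 1 } @INC;
    return map { [ $_, exists $inc{$_} ? 1 : 0 ] } split /:/, $raw;
}

for my $entry (perl5lib_status()) {
    printf "PERL5LIB entry %-35s in \@INC: %s\n",
        $entry->[0], $entry->[1] ? 'yes' : 'no (dropped by taint mode)';
}
printf "use lib entry  %-35s in \@INC: %s\n",
    $ADMIN_LIB, (grep { $_ eq $ADMIN_LIB } @INC) ? 'yes' : 'no';

# Why SpamAssassin wants -T at all: data from outside (environment, network,
# the mail being scanned) is flagged as tainted, and the flag follows it through
# copies and string operations until an explicit regex capture untaints it.
# Perl refuses to pass tainted data to system(), exec() or an open() for
# writing, so a forgotten check fails loudly instead of silently.
sub taint_trail {
    my $from_env = defined $ENV{PERL5LIB} ? $ENV{PERL5LIB} : '';
    my $derived  = "lib=" . $from_env;              # copy: still tainted
    my ($safe)   = $derived =~ /^([\w\/=.:-]+)$/;   # deliberate untaint
    return (
        tainted($from_env) ? 1 : 0,
        tainted($derived)  ? 1 : 0,
        (defined $safe && !tainted($safe)) ? 1 : 0,
    );
}

my ($env_t, $derived_t, $untainted_ok) = taint_trail();
print "ENV value tainted: $env_t, derived string tainted: $derived_t, ",
      "untainted by regex capture: $untainted_ok\n";
```

With PERL5LIB set, the first report line says the entry is missing from @INC while the `use lib` directory is present, and the taint trail prints 1, 1, 1.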