Posted to modperl@perl.apache.org by Kemin Zhou <ke...@ferring.com> on 2004/06/22 23:11:11 UTC

perl configuration problem

First, thanks a lot for Geoffrey's reply to my previous question.

Here I have a very complicated problem that I want to share with you, and
I am seeking some opinions.

I am using RedHat 9.0. Somehow, some of my perl packages could not be made
(the routine perl Makefile.PL generates garbage owing to the character
problem).
RedHat was using perl 5.8.0. I remade perl 5.8.4 from source, then
reinstalled mod_perl.

One part that is related to this problem is the setgid(). In the process
of configuring Perl, the configurator
said my setgid is not secure. I don't remember whether I answered yes
or no to simulated setuid.
Because the configurator did not recommend the simulation, I may not have
done so.

The following is from the Perl Doc
=======================
suidperl
suidperl is an optional component, which is built or installed by default.
 From perlfaq1:

On some systems, setuid and setgid scripts (scripts written
in the C shell, Bourne shell, or Perl, for example, with the
set user or group ID permissions enabled) are insecure due to
a race condition in the kernel. For those systems, Perl versions
5 and 4 attempt to work around this vulnerability with an optional
component, a special program named suidperl, also known as sperl.
This program attempts to emulate the set-user-ID and set-group-ID
features of the kernel.

Because of the buggy history of suidperl, and the difficulty of properly
security auditing as large and complex piece of software as Perl, we cannot
recommend using suidperl and the feature should be considered deprecated.
Instead use for example ’sudo’: http://www.courtesan.com/sudo/
=================================

The perl works fine on my system.
When I run perl programs through Apache, whenever the program or
one of its modules uses Socket.pm,
for example database connections using sockets, my web application
through mod_perl will not work,
giving the following error message:

[Tue Jun 22 11:18:05 2004] [error] 2764: ModPerl::Registry: Insecure dependency in connect while running setgid at /usr/lib/perl5/5.8.4/i686-linux-thread-multi-ld/IO/Socket.pm line 114.

I solved the problem by
commenting out the taint checking line in httpd.conf:
#PerlTaintCheck On

Now my scripts can run.

This is not a solution to the problem; it is a way around the problem.

My question is what is the solution to this problem?
Do I remake perl with the simulation setgid() option?

I searched the web and did not find a solution to this problem; I just saw
that other people have the
same problem.

Kemin






-- 
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html


Re: perl configuration problem

Posted by William McKee <wi...@knowmad.com>.
Hi Kemin,

I do not think that your taint problems are related to setgid. My
experience with taint has taught me not to trust the error output. In
this case, you are using ModPerl::Registry which means that your script
could be the one which is supplying tainted data. Are you sure that you
are untainting all input to your script? If you still can't find the
problem, I suggest that you run the server in debugging mode[1].


HTH,
William

[1]
http://perl.apache.org/docs/1.0/guide/debug.html#Interactive_mod_perl_Debugging

-- 
Knowmad Services Inc.
http://www.knowmad.com
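
An added example (not part of any post in this thread): one way to untaint a host and port that arrive as request input before they are handed to IO::Socket, which is the check William suggests making. The allow-list, the function names and the sample inputs are assumptions made for illustration.

```perl
# Added illustration, not code from the thread. Run as: perl -T untaint_peer.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical allow-list of back ends this application may connect to.
my %ALLOWED_HOST = map { $_ => 1 } qw(db1.example.internal 127.0.0.1);

# Only a regex capture clears the taint flag, so the pattern is the policy:
# anchor it with \A and \z (a trailing newline slips past $) and keep it narrow.
sub untaint_host {
    my ($raw) = @_;
    return undef unless defined $raw
        && $raw =~ /\A([A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?)\z/;
    my $host = $1;
    return $ALLOWED_HOST{$host} ? $host : undef;
}

sub untaint_port {
    my ($raw) = @_;
    return undef unless defined $raw && $raw =~ /\A([0-9]{1,5})\z/;
    my $port = $1 + 0;
    return ($port >= 1 && $port <= 65535) ? $port : undef;
}

# Constructed sample input. Appending a zero-length slice of $^X (tainted
# under -T) taints each value, the way request parameters arrive tainted.
my $TAINT = substr($^X, 0, 0);
my @requests = (
    [ 'db1.example.internal',   '5432'  ],   # accepted
    [ 'db1.example.internal',   '70000' ],   # port out of range
    [ "db1.example.internal\n", '5432'  ],   # trailing newline
    [ 'other.example.net',      '5432'  ],   # well-formed, not allow-listed
);

for my $req (@requests) {
    my ($raw_host, $raw_port) = map { $_ . $TAINT } @$req;
    my $host = untaint_host($raw_host);
    my $port = untaint_port($raw_port);
    (my $shown = "$raw_host:$raw_port") =~ s/\n/\\n/g;
    if (defined $host && defined $port) {
        # $host and $port are now safe to pass as PeerAddr / PeerPort.
        printf "%-30s accept (tainted before: %s, after: %s)\n", $shown,
            tainted($raw_host) ? 'yes' : 'no', tainted($host) ? 'yes' : 'no';
    }
    else {
        printf "%-30s reject\n", $shown;
    }
}
```

Without -T nothing is tainted, so both "tainted" columns print "no"; the accept and reject decisions are the same either way.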



Re: perl configuration problem

Posted by Stas Bekman <st...@stason.org>.
Kemin Zhou wrote:
[...]

> The perl works fine on my system.
> When I run perl programs through apaches, whenever the program used or 
> its module uses Socket.pm
> for example database connections using sockets, my web application 
> through mod_perl will not work
> giving the following error message:
> 
> [Tue Jun 22 11:18:05 2004] [error] 2764: ModPerl::Registry: Insecure 
> dependency
> in connect while running setgid at 
> /usr/lib/perl5/5.8.4/i686-linux-thread-multi-ld/IO/Socket.pm line 114.

It sounds like a problem in IO::Socket, or some code that calls it. 
ModPerl::Registry just catches any die()s and reports them to error_log. Maybe 
we should reconsider and drop the ModPerl::Registry prefix in the error 
message, so people won't always think that it's a mod_perl problem.

If you can show us a short script that you can reproduce the problem with, we 
may be able to tell you what's wrong.

Before you do that, add:

use Carp;
$SIG{__DIE__} = \&Carp::confess;

somewhere in startup.pl and the next time it will print you the full trace of 
calls leading to the one you've quoted.


-- 
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
