Posted to modperl@perl.apache.org by Michael Blakeley <mi...@blakeley.com> on 2000/07/02 23:00:09 UTC
bogus taint error?
With perl 5.6.0, Solaris 2.6, apache 1.3.9, and mod_perl 1.24, I'm
seeing intermittent taint errors like
[Sat Jul 1 18:50:13 2000] [error] PerlRun: `Insecure dependency in
require while running with -T switch at /foo.pl line 5.
head -6 foo.pl shows:
#!perl
use Apache::Constants qw/:http/;
use LWP;
use MIME::Lite;
use strict;
Seeing http://forum.swarthmore.edu/epigone/modperl/luthesmex I
thought that moving 'use strict' to the top might help:
#!perl
use strict;
use Apache::Constants qw/:http/;
use LWP;
use MIME::Lite;
It didn't help. But the really odd thing is that the error message
didn't change at all:
[Sun Jul 2 13:16:25 2000] [error] PerlRun: `Insecure dependency in
require while running with -T switch at /foo.pl line 5.
So... perl was objecting to MIME::Lite before, and now it's objecting
to LWP? This smells wrong to me. I've never been able to reproduce
this problem under httpd -X; and it usually comes up only after the
server's been running for a while.
Has anyone seen this before? Any suggestions for debugging?
thanks,
-- Mike
Re: bogus taint error?
Posted by Gunther Birznieks <gu...@extropia.com>.
There is a remote possibility (I would have to test this at work) that your
command-line testing will never show a taint problem.
Because you are typing all the Perl commands in STDIN, and because STDIN
is by its very definition tainted, you get a security paradox and Perl may
be turning off taintmode entirely to avoid this.
If you really want to test this at the command line, make the script, and
then run it from the command line as the user the web server runs as (not you).
Also, is this really a mod_perl problem? Have you tried running the program
using normal CGI/Perl?
Also, scripts that run under Apache::PerlRun tend to be messy. So if you
have many PerlRun scripts on a server, there is some likelihood that a
given foo.pl may be screwy if you have more than one as a required library.
One thing that comes to mind is that many old CGI/Perl scripts tend to use
a "setup.pl" file that is required. This will break in mod_perl because
setup.pl will be loaded into %INC and never loaded again for other scripts
(as that "library" will be considered as cached).
Although I seem to remember Apache::PerlRun treating required libraries
differently (eg resetting %INC after the script runs).
Later,
Gunther
At 03:37 PM 7/2/00 -0700, Michael Blakeley wrote:
>At 2:00 PM -0700 7/2/2000, Michael Blakeley wrote:
>>With perl 5.6.0, Solaris 2.6, apache 1.3.9, and mod_perl 1.24, I'm seeing
>>intermittent taint errors like
>>[Sat Jul 1 18:50:13 2000] [error] PerlRun: `Insecure dependency in
>>require while running with -T switch at /foo.pl line 5.
>>
>>head -6 foo.pl shows:
>>
>>#!perl
>>
>>use Apache::Constants qw/:http/;
>>use LWP;
>>use MIME::Lite;
>>use strict;
>>
>>Seeing http://forum.swarthmore.edu/epigone/modperl/luthesmex I thought
>>that moving 'use strict' to the top might help:
>>
>>#!perl
>>
>>use strict;
>>use Apache::Constants qw/:http/;
>>use LWP;
>>use MIME::Lite;
>>
>>It didn't help.
>
>Scratch the rest of that. The line number did move with MIME::Lite after
>all. But... I'm still hitting the taint errors. The weird thing is that I
>can do
>
>perl -Tw
>use strict;
>use Apache::Constants qw/:http/;
>use LWP;
>use MIME::Lite;
><ctrl-D>
>
>all I like, and never see the taint error. Ideas?
>
>thanks,
>-- Mike
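The %INC behaviour Gunther describes, shown as an added example that is not code from this thread: a constructed stand-in for an old CGI "setup.pl" is require'd twice in one interpreter, as two scripts in a persistent mod_perl process would do, and is only compiled again once its %INC entry is dropped. The temp directory path and the file contents are assumptions made for the demo.

```perl
#!/usr/bin/perl -w
# Added example (not from the thread): why a require'd "setup.pl" is loaded
# only once per persistent mod_perl interpreter, and what a per-request
# cleanup has to do (drop the %INC entry) to force a fresh load.
use strict;

# Constructed stand-in for an old CGI "setup.pl"; it counts its own compiles.
my $dir = "/tmp/inc-demo-$$";          # assumed writable scratch location
mkdir $dir, 0700 or die "mkdir $dir: $!";
my $lib = "$dir/setup.pl";
open my $fh, '>', $lib or die "open $lib: $!";
print $fh "\$main::LOADS++;\n1;\n";
close $fh;
unshift @INC, $dir;

our $LOADS = 0;

sub load_count_after {
    my ($reset) = @_;
    # A PerlRun-style cleanup would remove the entry so the next require
    # really re-reads the file instead of trusting the cache.
    delete $INC{'setup.pl'} if $reset;
    require 'setup.pl';
    return $LOADS;
}

# Two scripts in one long-lived interpreter each say require 'setup.pl':
# the second finds $INC{'setup.pl'} already set and gets the cached copy,
# so the compile count does not move.
print "compiles after 1st require: ", load_count_after(0), "\n";
print "compiles after 2nd require: ", load_count_after(0), "\n";
# Only after the %INC entry is deleted does the count go up again.
print "compiles after %INC reset + require: ", load_count_after(1), "\n";

unlink $lib;
rmdir $dir;
```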
Re: bogus taint error?
Posted by Gunther Birznieks <gu...@extropia.com>.
Did you do a hard shutdown and start of your web server or just a normal
restart? If you did the normal restart, try doing the shutdown and start
operations separately.
At 09:31 PM 7/2/00 -0700, Michael Blakeley wrote:
>At 3:37 PM -0700 7/2/2000, Michael Blakeley wrote:
>>At 2:00 PM -0700 7/2/2000, Michael Blakeley wrote:
>>>With perl 5.6.0, Solaris 2.6, apache 1.3.9, and mod_perl 1.24, I'm
>>>seeing intermittent taint errors like
>>>[Sat Jul 1 18:50:13 2000] [error] PerlRun: `Insecure dependency in
>>>require while running with -T switch at /foo.pl line 5.
>
>This is just plain weird. My last resort was to turn taint off:
>
>$ ls -l logs/httpd.pid
>-rw-rw-rw- 1 root other 6 Jul 2 19:23 logs/httpd.pid
>$ grep -i taint conf/httpd.conf
>#PerlTaintCheck On
>$ ls -l conf/httpd.conf
>-rw-r--r-- 1 root other 7437 Jul 2 17:22 conf/httpd.conf
>
>I'm not including any sort of startup.pl file. So taint is off, right?
>
>error log:
>[Sun Jul 2 21:20:20 2000] [error] Insecure dependency in require while
>running with -T switch at (eval 756) line 3.
>
>This system used to be stable, and I can't find anything that's changed.
>Sunspots?
>
>Thanks for any ideas.
>
>-- Mike
__________________________________________________
Gunther Birznieks (gunther.birznieks@extropia.com)
eXtropia - The Web Technology Company
http://www.extropia.com/
Re: bogus taint error?
Posted by Vivek Khera <kh...@kciLink.com>.
>>>>> "MB" == Michael Blakeley <mi...@blakeley.com> writes:
>> box *used* to work fine with taint checks, and then suddenly one day
>> decided to stop working.
MB> What platform and version of perl do you use? Perhaps there's a
MB> correlation.
Perl 5.004_04 on BSD/OS 4.0, and perl 5.005_02 on Solaris 2.6.
Versions of mod_perl vary. The BSD/OS is kept up with CVS, but the
Solaris is a production server and kept unchanged. That's the one that
just decided taint checking was going to stop every script dead in its
tracks. Must have been the phase of the moon or something.
Re: bogus taint error?
Posted by Michael Blakeley <mi...@blakeley.com>.
At 11:48 AM -0400 7/3/2000, Vivek Khera wrote:
> >>>>> "MB" == Michael Blakeley <mi...@blakeley.com> writes:
>
>MB> At 3:37 PM -0700 7/2/2000, Michael Blakeley wrote:
>>> At 2:00 PM -0700 7/2/2000, Michael Blakeley wrote:
>>>> With perl 5.6.0, Solaris 2.6, apache 1.3.9, and mod_perl 1.24, I'm
>>>> seeing intermittent taint errors like
>>>> [Sat Jul 1 18:50:13 2000] [error] PerlRun: `Insecure dependency in
>>>> require while running with -T switch at /foo.pl line 5.
>
>MB> This is just plain weird. My last resort was to turn taint off:
>
>I've had to do that on a production server as well. The development
>box still works fine with taint on, curiously enough. The production
>box *used* to work fine with taint checks, and then suddenly one day
>decided to stop working.
What platform and version of perl do you use? Perhaps there's a correlation.
Oddly, this is the first real difficulty I've had since moving to
5.6.0. There are some known bugs in 5.6.0 now, but I don't know if
any of them are relevant to this problem....
thanks,
-- Mike
Re: bogus taint error?
Posted by Vivek Khera <kh...@kciLink.com>.
>>>>> "MB" == Michael Blakeley <mi...@blakeley.com> writes:
MB> At 3:37 PM -0700 7/2/2000, Michael Blakeley wrote:
>> At 2:00 PM -0700 7/2/2000, Michael Blakeley wrote:
>>> With perl 5.6.0, Solaris 2.6, apache 1.3.9, and mod_perl 1.24, I'm
>>> seeing intermittent taint errors like
>>> [Sat Jul 1 18:50:13 2000] [error] PerlRun: `Insecure dependency in
>>> require while running with -T switch at /foo.pl line 5.
MB> This is just plain weird. My last resort was to turn taint off:
I've had to do that on a production server as well. The development
box still works fine with taint on, curiously enough. The production
box *used* to work fine with taint checks, and then suddenly one day
decided to stop working.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vivek Khera, Ph.D. Khera Communications, Inc.
Internet: khera@kciLink.com Rockville, MD +1-301-545-6996
GPG & MIME spoken here http://www.khera.org/~vivek/
Re: bogus taint error?
Posted by Michael Blakeley <mi...@blakeley.com>.
At 10:49 AM -0500 7/3/2000, Matt Carothers wrote:
>On Sun, 2 Jul 2000, Michael Blakeley wrote:
>
>> This is just plain weird. My last resort was to turn taint off:
>>
>> $ ls -l logs/httpd.pid
>> -rw-rw-rw- 1 root other 6 Jul 2 19:23 logs/httpd.pid
>> $ grep -i taint conf/httpd.conf
>> #PerlTaintCheck On
>> $ ls -l conf/httpd.conf
>> -rw-r--r-- 1 root other 7437 Jul 2 17:22 conf/httpd.conf
>>
>> I'm not including any sort of startup.pl file. So taint is off, right?
>
>Is the script running setuid or setgid? If the script's real and effective
>uids or gids don't match, perl enables taint mode automatically. You might
>add some debugging code to verify that $< == $> and $( == $).
There's no sticky bit on the file, and the uid and gid of the file
are the same as the apache user.
I think I may have an answer for taint's on-when-off behavior: I'd
been syncing /usr/local/lib/perl5 all along, but it seems that some
of the perl binaries may have drifted apart. Since syncing them up,
#PerlTaintCheck On
seems to disable taint, as it should. I'm not sure what drifted out
of sync - I haven't rebuilt perl, apache, or mod_perl in months.
But I still have to turn PerlTaintCheck off in production, even
though the same script, on the same OS, with the same perl binaries
and libraries, and the same mod_perl and apache binaries, works fine
for dev. I'd love to understand why - a race condition triggered by
high concurrency, maybe? So far I haven't been able to trigger it
with ab -c 5 -n 1000 against the dev server.
-- Mike
Re: bogus taint error?
Posted by Matt Carothers <ma...@telepath.com>.
On Sun, 2 Jul 2000, Michael Blakeley wrote:
> This is just plain weird. My last resort was to turn taint off:
>
> $ ls -l logs/httpd.pid
> -rw-rw-rw- 1 root other 6 Jul 2 19:23 logs/httpd.pid
> $ grep -i taint conf/httpd.conf
> #PerlTaintCheck On
> $ ls -l conf/httpd.conf
> -rw-r--r-- 1 root other 7437 Jul 2 17:22 conf/httpd.conf
>
> I'm not including any sort of startup.pl file. So taint is off, right?
Is the script running setuid or setgid? If the script's real and effective
uids or gids don't match, perl enables taint mode automatically. You might
add some debugging code to verify that $< == $> and $( == $).
- Matt
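The debugging check Matt suggests, written out as an added example that is not code from this thread: it logs real and effective uid/gid (the `$<`/`$>` and `$(`/`$)` comparison) next to whether taint mode is actually on, so a setuid/setgid mismatch can be ruled in or out from the error log. The `is_tainted` probe is the one from perlsec; `${^TAINT}` is assumed available only on perl 5.8 and later, so on 5.6.0 the code falls back to probing the gecos field, which perl taints unconditionally.

```perl
#!/usr/bin/perl -w
# Added debugging snippet (not code from the thread). Put it at the top of a
# PerlRun/Registry script, or run it stand-alone with and without -T, to log
# whether perl is in taint mode and whether a real/effective uid or gid
# mismatch (setuid/setgid) is what switched it on.
use strict;

# Taint probe from perlsec: eval'ing a string that carries the taint flag,
# even a zero-length slice of a tainted value, dies under -T.
sub is_tainted {
    my $arg  = shift;
    my $nada = substr($arg, 0, 0);   # zero-length but still tainted
    local $@;
    eval { eval "# $nada" };
    return length($@) != 0;
}

sub taint_mode_on {
    # ${^TAINT} exists from perl 5.8 on. On 5.6.0 (the perl in this thread)
    # it is just an undefined global, so fall back to probing a value perl
    # always taints: the gecos field returned by getpwuid.
    return ${^TAINT} ? 1 : 0 if defined ${^TAINT};
    my $gecos = (getpwuid($<))[6];
    return 0 unless defined $gecos;  # unknown uid: cannot tell, assume off
    return is_tainted($gecos) ? 1 : 0;
}

sub id_report {
    my ($rgid) = split ' ', $(;   # $( and $) are "gid grouplist"; keep gid
    my ($egid) = split ' ', $);
    return {
        ruid => $<, euid => $>, rgid => $rgid, egid => $egid,
        id_mismatch => ($< != $> || $rgid != $egid) ? 1 : 0,
        taint_on    => taint_mode_on(),
    };
}

my $r = id_report();
# Under mod_perl STDERR is the Apache error log, so this line lands next to
# the "Insecure dependency" messages it is meant to explain.
warn sprintf "taint=%d uid=%d/%d gid=%d/%d setid_mismatch=%d\n",
    @$r{qw(taint_on ruid euid rgid egid id_mismatch)};
```

If the log shows taint on with no id mismatch and PerlTaintCheck commented out, the cause is elsewhere (a stale binary or module, as Michael later found), not setuid/setgid.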
Re: bogus taint error?
Posted by Michael Blakeley <mi...@blakeley.com>.
At 3:37 PM -0700 7/2/2000, Michael Blakeley wrote:
>At 2:00 PM -0700 7/2/2000, Michael Blakeley wrote:
>>With perl 5.6.0, Solaris 2.6, apache 1.3.9, and mod_perl 1.24, I'm
>>seeing intermittent taint errors like
>>[Sat Jul 1 18:50:13 2000] [error] PerlRun: `Insecure dependency in
>>require while running with -T switch at /foo.pl line 5.
This is just plain weird. My last resort was to turn taint off:
$ ls -l logs/httpd.pid
-rw-rw-rw- 1 root other 6 Jul 2 19:23 logs/httpd.pid
$ grep -i taint conf/httpd.conf
#PerlTaintCheck On
$ ls -l conf/httpd.conf
-rw-r--r-- 1 root other 7437 Jul 2 17:22 conf/httpd.conf
I'm not including any sort of startup.pl file. So taint is off, right?
error log:
[Sun Jul 2 21:20:20 2000] [error] Insecure dependency in require
while running with -T switch at (eval 756) line 3.
This system used to be stable, and I can't find anything that's
changed. Sunspots?
Thanks for any ideas.
-- Mike
Re: bogus taint error?
Posted by Michael Blakeley <mi...@blakeley.com>.
At 2:00 PM -0700 7/2/2000, Michael Blakeley wrote:
>With perl 5.6.0, Solaris 2.6, apache 1.3.9, and mod_perl 1.24, I'm
>seeing intermittent taint errors like
>[Sat Jul 1 18:50:13 2000] [error] PerlRun: `Insecure dependency in
>require while running with -T switch at /foo.pl line 5.
>
>head -6 foo.pl shows:
>
>#!perl
>
>use Apache::Constants qw/:http/;
>use LWP;
>use MIME::Lite;
>use strict;
>
>Seeing http://forum.swarthmore.edu/epigone/modperl/luthesmex I
>thought that moving 'use strict' to the top might help:
>
>#!perl
>
>use strict;
>use Apache::Constants qw/:http/;
>use LWP;
>use MIME::Lite;
>
>It didn't help.
Scratch the rest of that. The line number did move with MIME::Lite
after all. But... I'm still hitting the taint errors. The weird thing
is that I can do
perl -Tw
use strict;
use Apache::Constants qw/:http/;
use LWP;
use MIME::Lite;
<ctrl-D>
all I like, and never see the taint error. Ideas?
thanks,
-- Mike