
en - Re: [sympa-users] Insecure dependency in open while running setuid

Subject: The mailing list for listmasters using Sympa

  • From: David Verdin <address@concealed>
  • To: Mark K <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] Insecure dependency in open while running setuid
  • Date: Wed, 12 Dec 2007 11:04:51 +0100

Hi Mark,

Mark K wrote:
> I am getting this error now when trying to access the web interface.

What do you mean by "now"? What did you change recently in Sympa or Perl?
It's a fatal error due to the tainted mode activated while running setuid.

" Insecure dependency in %s
(F) You tried to do something that the tainting mechanism didn’t like. The tainting mechanism is turned on when you’re running
setuid or setgid, or when you specify -T to turn it on explicitly. The tainting mechanism labels all data that’s derived
directly or indirectly from the user, who is considered to be unworthy of your trust. If any such data is used in a "dangerous"
operation, you get this error. See perlsec for more information.
"

> That line is:
>     ## Read access to prevent "Bad file number" error on Solaris
>     my $fh;
> --> unless (open $fh, $open_mode.$lock_file) {
>         &do_log('err', 'Cannot open %s: %s', $lock_file, $!);
>         return undef;
>     }

> I am running mod_fcgid and have wwsympa-wrapper.fcgi setuid. Any hints?

Give up the setuid mode. :)
Setuid is no longer maintained and is therefore considered insecure.
You should use sudo or the C wrapper. The C wrapper will be the default behaviour starting with version 5.4.
See: https://www.sympa.org/wiki/manual/web-interface#wwsympa.fcgi_access_permissions

Regards,

--
David Verdin
Comité réseau des universités
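
The taint check behind the error discussed in this thread, as an added illustration (not part of the original messages and not Sympa code): under perl -T, a two-argument open for writing with a tainted path is refused, while a validated name passed to a three-argument open succeeds. The file name demo-list.lock, the allow-list pattern and the way the sample value is tainted are assumptions made for the demonstration.

```perl
#!/usr/bin/perl -T
# Added illustration, not Sympa code. Run as: perl -T taint_demo.pl
# Under a setuid script the same refusal reads "while running setuid".
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed input: a lock path standing in for one derived from user data.
# Appending a zero-length slice of "$0$^X" (tainted under -T) taints the
# whole string without changing its value.
my $lock_file = 'demo-list.lock' . substr("$0$^X", 0, 0);
my $open_mode = '>>';
printf "tainted before validation: %s\n", tainted($lock_file) ? 'yes' : 'no';

# 1. The pattern quoted in the thread: mode and path joined into a
#    two-argument open. With a write mode and a tainted path, Perl dies
#    before the file is touched.
my $fh;
my $ok = eval { open $fh, $open_mode . $lock_file; 1 };
print "two-arg open: ", ($ok ? "allowed\n" : "refused: $@");

# 2. Validate the name against an allow-list pattern. Only a regex capture
#    clears the taint flag, and only when the pattern actually matched.
my ($clean) = $lock_file =~ m{\A([A-Za-z0-9_.-]+\.lock)\z}
    or die "unexpected lock file name\n";
printf "tainted after validation: %s\n", tainted($clean) ? 'yes' : 'no';

# 3. Three-argument open keeps the mode out of the data entirely, so the
#    path can never be reinterpreted as a mode or a pipe.
open $fh, $open_mode, $clean or die "Cannot open $clean: $!\n";
print "three-arg open on validated name: allowed\n";
close $fh;

# Remove the demonstration file created in the current directory.
unlink $clean;
```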



