
en - Re: [sympa-users] Insecure dependency in open while running setuid

Subject: The mailing list for listmasters using Sympa

  • From: Mark K <address@concealed>
  • To: address@concealed
  • Subject: Re: [sympa-users] Insecure dependency in open while running setuid
  • Date: Wed, 12 Dec 2007 22:19:51 +0000

Well, I switched to using sudo to avoid this.

On Wed, 12 Dec 2007 15:25:17 +0000
Mark K <address@concealed> wrote:

> wwsympa-wrapper.fcgi *is* the C wrapper setuid as recommended going
> forward from v5.4.
> The only thing that changed was adding a list and
> the create_list_template that I had made was flawed so there was an
> error in the web_archive:access setting. I edited the list config
> file manually. Perhaps that caused an issue with the lock?
>
> On Wed, 12 Dec 2007 11:07:12 +0100
> David Verdin <address@concealed> wrote:
>
> > Sorry: the citation was found in the perldiag manpage.
> >
> > David Verdin wrote:
> > > Hi Mark,
> > >
> > > Mark K wrote:
> > >> I am getting this error now when trying to access the web
> > >> interface.
> > > What do you mean by "now"? What did you change recently in Sympa
> > > or perl ?
> > > It's a fatal error due to the tainted mode activated while
> > > running setuid.
> > >
> > > " Insecure dependency in %s
> > > (F) You tried to do something that the tainting mechanism didn’t
> > > like. The tainting mechanism is turned on when you’re running
> > > setuid or setgid, or when you specify -T to turn it on explicitly.
> > > The tainting mechanism labels all data that’s derived
> > > directly or indirectly from the user, who is considered to be
> > > unworthy of your trust. If any such data is used in a "dangerous"
> > > operation, you get this error. See perlsec for more information.
> > > "
> > >> That line is :
> > >> ## Read access to prevent "Bad file number" error on Solaris
> > >> my $fh;
> > >> --> unless (open $fh, $open_mode.$lock_file) {
> > >> &do_log('err', 'Cannot open %s: %s', $lock_file, $!);
> > >> return undef;
> > >> }
> > >>
> > >> I am running mod_fcgid and have wwsympa-wrapper.fcgi setuid. Any
> > >> hints?
> > > Give up the setuid mode. :)
> > > Setuid is no longer maintained and then considered insecure.
> > > You should use sudo or the C wrapper. The C wrapper will be the
> > > default behaviour starting version 5.4.
> > > See:
> > > https://www.sympa.org/wiki/manual/web-interface#wwsympa.fcgi_access_permissions
> > >
> > >
> > >
> > > Regards,
> > >
> >
>
>


--
Mark K
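
The taint check behind the "Insecure dependency in open" error quoted from perldiag in this thread, as an added example that is not part of the original messages and is not Sympa's code. The helper name `untaint_lock_path`, its allow-list pattern and the sample path in the usage line are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not Sympa code. Run as: perl -T taint_lock.pl /tmp/example.lock
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical helper: returns an untainted copy of the path if it passes an
# allow-list, undef otherwise. A regex capture is how Perl clears taint, so
# the pattern has to be strict enough to deserve that trust.
sub untaint_lock_path {
    my ($path) = @_;
    return undef unless defined $path;
    return undef if $path =~ m{(?:^|/)\.\.(?:/|$)};      # no ".." components
    return $1    if $path =~ m{\A(/[A-Za-z0-9_./-]+)\z}; # absolute, plain chars
    return undef;
}

# Command-line arguments count as user-derived data, so they are tainted
# under -T (and automatically when the script runs setuid or setgid).
my $lock_file = shift @ARGV;
die "usage: perl -T $0 /path/to/lockfile\n" unless defined $lock_file;
print "tainted on entry: ", (tainted($lock_file) ? "yes" : "no"), "\n";

# Opening a tainted name for writing is a "dangerous" operation: perl dies
# with "Insecure dependency in open ...". eval traps it so we can print it.
my $ok = eval {
    open(my $fh, '>>', $lock_file) or die "open failed: $!\n";
    close $fh;
    1;
};
print "open with raw argument: ", ($ok ? "allowed\n" : "refused: $@");

# Validate, then open the untainted copy with the mode as a separate argument
my $clean = untaint_lock_path($lock_file);
die "lock file path rejected by allow-list\n" unless defined $clean;
print "tainted after check: ", (tainted($clean) ? "yes" : "no"), "\n";

open(my $fh, '>>', $clean) or die "cannot open $clean: $!\n";
close $fh;
print "open with validated path: allowed\n";
```

Perl requires `-T` on the command line as well as on the `#!` line when the script is started as `perl script.pl`, hence the `perl -T` invocation in the header comment.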



