Control: tags -1 confirmed
Control: retitle -1 doesn't run properly if perl -T is used.
thanks

On Fri, Aug 31, 2007 at 07:57:39PM +0200, Joerg Hoh wrote:
> This problem is obviously related to the special taint mode which is
> enforced by the perl interpreter when invoking adduser via super. If you
> use sudo as wrapper to gain superuser access, the problem doesn't occur.
> 
> I'll try to figure out the differences and create a patch.

I can confirm the issue happening if super is used to elevate privileges
from a normal user to root:

root@salida-unstable-buildd-amd64-bml6:/srv# grep foo /etc/super.tab
adduser /usr/sbin/adduser foo env=PATH
root@salida-unstable-buildd-amd64-bml6:/srv# su - foo
foo@salida-unstable-buildd-amd64-bml6:~$ super adduser baz
Adding user `baz' ...
Adding new group `baz' (1002) ...
Insecure dependency in system while running setuid at 
/usr/share/perl5/Debian/AdduserCommon.pm line 174.
foo@salida-unstable-buildd-amd64-bml6:~$
logout
root@salida-unstable-buildd-amd64-bml6:/srv#

Obviously, perl runs in taint mode (see perldoc perlsec) when invoked via
super. This means that we need to do input sanitizing so that perl is happy if
running in taint mode. The same thing happens if we change the perl shebang line to
perl -T; that might make it easier to test adduser.

We need to work on that, but only after we have finished the work on
adduser being a better helper for maintainer scripts. Hence, I'm leaving the 
severity at normal.

Greetings
Marc
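What the taint error above asks for, as an added example (not adduser's own code): a script that sets %ENV and launders its argument before calling system(), so it runs cleanly under perl -T or a setuid wrapper such as super. The helper names are hypothetical, the username pattern is one chosen for this example, and /usr/bin/id stands in for the privileged command adduser would actually run.

```perl
#!/usr/bin/perl -T
# Added example, not adduser's code. Under -T every value that came from
# outside the program (@ARGV, %ENV, file input) is tainted, and system()
# with a tainted argument or a tainted $ENV{PATH} dies with
# "Insecure dependency in system while running setuid".
use strict;
use warnings;

# perlsec: PATH must be set explicitly inside the script; a PATH inherited
# from the caller (super's env=PATH) is tainted. The other variables are
# ones perl also refuses to pass to a child while tainted.
$ENV{PATH} = '/usr/sbin:/usr/bin:/sbin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Laundering: only the captured part of a successful regex match loses
# its taint, so the pattern is the whole validation (pattern chosen for
# this example, not adduser's configured NAME_REGEX).
sub untaint_username {
    my ($name) = @_;
    if (defined $name && $name =~ /^([a-z_][a-z0-9_-]{0,31})$/) {
        return $1;
    }
    die "invalid user name\n";
}

# perlsec's documented test for taintedness (an eval of a tainted string
# fails under -T); handy when tracking down which value trips system().
sub is_tainted {
    local $@;
    return !eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
}

my $user = untaint_username($ARGV[0]);
die "still tainted\n" if is_tainted($user);

# List-form system() never goes through a shell; with a clean PATH and
# clean arguments it is accepted in taint mode. /usr/bin/id is a harmless
# stand-in for groupadd/useradd here.
system('/usr/bin/id', $user) == 0
    or die "command failed: $?\n";
```

Running this as `./script.pl 'ba z'` dies at untaint_username before anything is executed, which is the behaviour a sanitized AdduserCommon.pm would need at its system() call.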
