[EMAIL PROTECTED] wrote:
Hi,

on the top of my mod_perl 1 script I have:

package Taskit;

        BEGIN {
           delete @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)};
        }

        use Apache;
        use Apache::Constants qw(OK);
        use Apache::Request;
        use Net::LDAP;
        use Mail::Mailer qw(sendmail);
        use GSCM::CCM::Session;
        use Data::Dumper;
        use strict;

And still I get this error in the error_log:

        Apache::StatINC: process 4585 reloading Taskit.pm.
        [Thu Apr 29 15:13:53 2004] [error] Insecure $ENV{PATH} while running with -T switch at /nokia/apps/tww/@sys/perl580p/lib/5.8.0/Mail/Mailer/sendmail.pm line 16.

Is it some kind of mod_perl quirk? I thought delete-ing $ENV{PATH} would help me with that error?

The perlsec manpage suggests to set it, not delete it:


  $ENV{'PATH'} = '/bin:/usr/bin';
  delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
  ...
       For "Insecure $ENV{PATH}" messages, you need to set $ENV{'PATH'} to a
       known value, and each directory in the path must be non-writable by
       others than its owner and group.  You may be surprised to get this mes-
       sage even if the pathname to your executable is fully qualified.  This
       is not generated because you didn't supply a full path to the program;
       instead, it's generated because you never set your PATH environment
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       variable, or you didn't set it to something that was safe.  Because
       Perl can't guarantee that the executable in question isn't itself going
       to turn around and execute some other program that is dependent on your
       PATH, it makes sure you set the PATH.

So when you delete it, it's as if it has never been set. Though admittedly this works for me on Linux:

% perl -Tle 'delete @ENV{qw(PATH BASH_ENV)}; qx|echo horray!|'

So it probably varies from OS to OS.

But now looking again at your output, it doesn't happen during the normal load, but only after reload, right? Any difference with setting PATH explicitly as the manpage suggests? Any difference if you use Apache::Reload instead of StatINC?


__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com

--
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html
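
The PATH states discussed in this thread, as an added example that is not part of the original messages: the script runs the same fully qualified command under `-T` with PATH inherited, deleted, set to the perlsec value, and set to a value containing a directory others can write to, and prints whether Perl allowed each. The script name, the use of `/bin/echo`, and `/tmp` being world-writable are assumptions.

```perl
#!/usr/bin/perl -T
# Added example: run as `perl -T taint_path_demo.pl` (file name is arbitrary).
use strict;
use warnings;

# Run a fully qualified command and report whether taint mode allowed it.
# Taint failures are fatal, so eval is used to capture the message.
sub try_exec {
    my ($label) = @_;
    my $out = eval { qx(/bin/echo ok) };
    return "$label: allowed" if defined $out && $out =~ /^ok/;
    my $why = $@ ne '' ? $@ : "could not run /bin/echo: $!";
    $why =~ s/ at \S+ line \d+\.\s*\z//;
    return "$label: refused ($why)";
}

my @report;

# 1. PATH as inherited from the caller: the value is tainted.
push @report, try_exec('inherited PATH');

# 2. The poster's approach: delete PATH along with the other variables.
delete @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)};
push @report, try_exec('PATH deleted');

# 3. The perlsec approach: assign a known, literal value.
$ENV{PATH} = '/bin:/usr/bin';
push @report, try_exec('PATH set to /bin:/usr/bin');

# 4. A literal value that contains a directory others can write to
#    (assumption: /tmp is world-writable on this host).
$ENV{PATH} = '/tmp:/bin:/usr/bin';
push @report, try_exec('PATH includes /tmp');

print "$_\n" for @report;
```

The taint check is made at the moment of the `qx`, `system` or `exec` call, so each result reflects the contents of `%ENV` at that point in the run.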