Hi All,

I'm getting some quite perplexing behaviour from my application under
mod_perl and so far I haven't been able to find the cause of the issue.

I'm finding that pages which load perfectly fine under mod_perl most of
the time, sometimes fail with the error "Insecure dependency in eval
while running setgid".

The really strange thing seems to be that we're not actually running our
webserver setgid, well not if my understanding is correct.

Our webserver runs on a non-privileged port, 9100, and so when it is
started up, it's started up by the same userid that it runs as for its
whole lifecycle - the user research which has a group of fliclearusers.
At no point does the webserver switch username or group. All of the
httpd processes that ps reports on are running with this user and group,
and I've even gone as far as explicitly setting group in my httpd.cfg to
be fliclearusers with no change. Dumping the values of $< and $> from a
mod_perl handler gives me the same values also.

I get this error not only from evals in my own code, but also from evals
contained in widely used Perl modules such as Template Toolkit. Here's
an example stack trace from an eval in Template::Document:

---STACK-TRACE---
Insecure dependency in eval while running setgid at
/content/research/pkgs/cpan/lib/sun4-solaris/Template/Document.pm line
82.
at /content/research/pkgs/cpan/lib/sun4-solaris/Template/Document.pm
line 82
Template::Document::new('Template::Document', 'HASH(0x200edac)') called
at /content/research/pkgs/cpan/lib/sun4-solaris/Template/Provider.pm
line 904
Template::Provider::_compile('Template::Provider=HASH(0x20fef50)',
'HASH(0x203d6a8)', 'undef') called at
/content/research/pkgs/cpan/lib/sun4-solaris/Template/Provider.pm line
556
Template::Provider::_fetch_path('Template::Provider=HASH(0x20fef50)',
'Search/results.tt') called at
/content/research/pkgs/cpan/lib/sun4-solaris/Template/Provider.pm line
148
Template::Provider::fetch('Template::Provider=HASH(0x20fef50)',
'Search/results.tt', 'undef') called at
/content/research/pkgs/cpan/lib/sun4-solaris/Template/Context.pm line
139
Template::Context::template('Template::Context=HASH(0x1cdf178)',
'Search/results.tt') called at
/content/research/pkgs/cpan/lib/sun4-solaris/Template/Service.pm line 72
eval {...} called at
/content/research/pkgs/cpan/lib/sun4-solaris/Template/Service.pm line 72
Template::Service::process('Template::Service=HASH(0x1bd7e1c)',
'Search/results.tt', 'HASH(0x2114ab4)') called at
/content/research/pkgs/cpan/lib/sun4-solaris/Template.pm line 71
Template::process('Template=HASH(0x1bd7f48)', 'Search/results.tt',
'HASH(0x2114ab4)', 'SCALAR(0x21139a0)') called at
/content/res_int/cgi/research/lib/Website/Page.pm line 120
Website::Page::display('Website::User::Search=HASH(0x1cdf238)') called
at /content/res_int/cgi/research/lib/Website/User/Search.pm line 146
Website::User::Search::display('Website::User::Search=HASH(0x1cdf238)')
called at /content/res_int/cgi/research/lib/Website/Proxy.pm line 113
eval {...} called at /content/res_int/cgi/research/lib/Website/Proxy.pm
line 111
Website::Proxy::handler('Apache2::RequestRec=SCALAR(0x1cdf064)') called
at -e line 0
eval {...} called at -e line 0
---STACK-TRACE---

Line 82 of my version of Template::Document (v2.74 from Template Toolkit
v2.14 - there aren't any relevant changes in the newer Template Toolkit
releases that are relevant to this issue afaiks) is:

    $block = eval $block;


And the preceding lines untaint $block completely:

        # DON'T LOOK NOW! - blindly untainting can make you go blind!
        $block =~ /(.*)/s;
        $block = $1;

As I say I've seen this with evals in my own code as well, and I just
don't know what I'm doing to make Perl/mod_perl think it's running in a
setgid context.

My toolchain is:
Perl 5.8.6
mod_perl 2.0.2
httpd 2.2.2

The most interesting thing, as I said earlier, is that the behaviour is
not consistent. If I hit one mod_perl page many many times then
eventually I'll get the Insecure Dependency error when I hit a
completely _separate_ mod_perl page. It reminds me of the error that
stas fixed in mod_perl 1.99_17 around the checking of TAINT_PROPER, but
the error message isn't exactly the same, and as I say above I'm on a
recent mod_perl build.

Does anyone have any ideas? Is there more useful info that I can supply?
Or are you able to give me guidance on other avenues of investigation?
Unfortunately as this code is to be client facing, we can't simply turn
taint mode off.

Best Regards


Sagar R. Shah
(PAUSE ID: SRSHAH)
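
Added example, not part of the original message and not mod_perl or Template Toolkit code: the message reports dumping $< and $>, which are the real and effective user IDs, while the real and effective group IDs are held in $( and $). The helpers id_snapshot, findings and log_line are hypothetical names; they record both pairs per process, compare Perl's view with what getgid()/getegid() return, and report whether the string about to be eval'd is tainted.

```perl
use strict;
use warnings;
use POSIX ();
use Scalar::Util qw(tainted);

# Collect the identity values that decide whether Perl runs taint checks.
# $( and $) are space-separated lists: the first number is the real or
# effective gid, any further numbers are supplementary groups.
sub id_snapshot {
    my ($rgid) = split ' ', $(;
    my ($egid) = split ' ', $);
    return {
        pid     => $$,
        ruid    => $<,
        euid    => $>,
        rgid    => $rgid,
        egid    => $egid,
        os_rgid => POSIX::getgid(),     # asked from the OS directly
        os_egid => POSIX::getegid(),
        taint   => ${^TAINT},           # 1 under -T, -1 under -t, 0 when off
    };
}

# Turn a snapshot into a list of anomalies worth logging.
sub findings {
    my ($s) = @_;
    my @f;
    push @f, 'uid != euid' if $s->{ruid} != $s->{euid};
    push @f, 'gid != egid as seen by Perl' if $s->{rgid} != $s->{egid};
    push @f, 'Perl gid/egid disagree with getgid()/getegid()'
        if $s->{rgid} != $s->{os_rgid} || $s->{egid} != $s->{os_egid};
    return @f;
}

# One log line per call; $value is the string about to be passed to eval.
sub log_line {
    my ($label, $value) = @_;
    my $s = id_snapshot();
    my @f = findings($s);
    return sprintf '[%d] %s taint=%d uid=%d/%d gid=%d/%d os_gid=%d/%d tainted=%s findings=%s',
        $s->{pid}, $label, @{$s}{qw(taint ruid euid rgid egid os_rgid os_egid)},
        (tainted($value) ? 'yes' : 'no'), (@f ? join('; ', @f) : 'none');
}

# Constructed sample: $ENV{PATH} is tainted when the script runs under -T.
my $sample = defined $ENV{PATH} ? $ENV{PATH} : '';
print STDERR log_line('before-eval', $sample), "\n";
```

Run stand-alone with `perl -T` to see the taint flag set; because the failure described is intermittent and per process, the PID in each line lets the output be matched against the child that raised the error.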


