> -----Original Message----- > From: Shah, Sagar: IT (LDN) > Sent: 26 March 2007 17:30 > To: 'Perrin Harkins' > Cc: 'modperl@perl.apache.org' > Subject: RE: "Insecure dependency in eval while running setgid" error > > > > > Alternatively, if you can run your server in > single-process mode and > > > come up with a repeatable series of steps that cause the > error, you > > > can work back from the point where you saw the error > until you find > > > the offending code. > > > > > > Yes, httpd -X is a good idea. I should have thought of that > > before. I'll give that a go and report back to the list. > > Our site only has three mod_perl pages, and I've cycled > through all of them with the webserver, trying to model > behaviour that goes through the different execution paths, in > single process mode but still been unable to repeat the > error. I'll keep on trying but I'm not sure if the issue is a > badly behaved CPAN module. I've been through my > $HOME/.cpan/build directory for modules I've installed in the > last few months, again I couldn't see any setgid references > even though I was now searching through .xs files also. > > > I should point out that sometimes in the past I've seen the > error in our Website::Proxy module. This module is simply a > url mapping module which would take a url like > /research/user/search and map that to the module > Website::User::Search and it would do a eval "use $module;" > (where $module is untained) before calling the constructor > and delegating construction of the page. I saw the same error > at that eval statement also. Again this was sporadic, but > here I would have been simply compiling the code of modules > rather than running them (save for code in BEGIN blocks etc.). > > What I found was if I changed my Website::Proxy module to > load all modules on webserver startup (i.e. in it's own BEGIN > block) rather than on demand then the eval errors there > stopped. This seems to imply that the interpreter is getting > into a confused state after some continued use. > > Does anyone have any other suggestions?
Hi All, I'm replying to my own post twice, so as you can guess I'm getting pretty desperate ;-) I've continued investigating this issue. Interesting facts: - It wasn't possible to repeat the error I got when running under httpd -X (well I tried for a long time and couldn't) - I tried trussing the httpd and it's child processes, no setgid or setegid calls were made. The only gid related calls were getgid (which returned the correct group id) and getpgid (which I was expecting to return the parent process's gid but truss showed it to simply return the parent's pid...) - I changed a mod_perl page to actually print out gid and egid. Both $( and $) are actually a space seperated list of group ids, what I found is that under mod_perl I get: $GID 451 451 $EGID -19253340 451 451 is fliclearusers, the primary group of my account. I have no idea where this negative number comes from. Certainly running perl -e 'print $)' doesn't return it. So I'm again at the stage where I'm thinking is is an issue with the state of the perl/mod_perl interpreter rather than my code or a CPAN module's code. Can anyone shed any light on that negative egid value? (/usr/bin/ps certainly doesn't show such a value) Regards Sagar =ANYTHING+BELOW+THIS+LINE+WAS+ADDED+AFTER+I+HIT+SEND= ------------------------------------------------------------------------ For more information about Barclays Capital, please visit our web site at http://www.barcap.com. Internet communications are not secure and therefore the Barclays Group does not accept legal responsibility for the contents of this message. Although the Barclays Group operates anti-virus programmes, it does not accept responsibility for any damage whatsoever that is caused by viruses being passed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Barclays Group. Replies to this email may be monitored by the Barclays Group for operational or business reasons. ------------------------------------------------------------------------
