RE: Insecure setuid?

[Tantalo, Christopher G]

Well, I seemed to have cleaned up my insecure errors, and now get a
LOCATION: connected
ERROR: install_driver(Oracle) failed: Can't load
'/opt/perl5/lib/site_perl/5.8.5/PA-RISC2.0-LP64/auto/DBD/Oracle/Oracle.s
l' for module DBD::Oracle: No such file or directory at
/opt/perl5/lib/5.8.5/PA-RISC2.0-LP64/DynaLoader.pm line 230.
 at (eval 10) line 3
Compilation failed in require at (eval 10) line 3.
Perhaps a required shared library or dll isn't installed where expected
at /var/appl/sls/bin/driver.pl line 142

I am thinking it has to be a permissions issue, but can not for the life
of me, figure it out.  Mainly because this was working 2 months ago,
until the security group here changed some things on our unix box, and
now things don't run from the command line.

Basically, the flow of the program should be:
Prog_launch.pl --> inserts a record into a table  (this part works)
--> updates it to set off a trigger (this part works)
Perl_trg.trg--> resides on database, and uses a java stored
procedure to 
execute a command line to run code on a
different machine
using another perl program as the driver (this
part works)
Driver.pl   --> fails on the connect to database (used to work
before security mucked with machine)

I have checked permissions for Oracle.sl libraries, and made sure the
LD_LIBRARY_PATH and PATh are set correctly, but still no luck.

Is there something obvious I am overlooking?

---
Just Your Friendly Neighborhood
_SPIDEY_
 

> -Original Message-
> From: Tantalo, Christopher G 
> Sent: Tuesday, August 09, 2005 11:25 AM
> To: Wiggins d'Anconia
> Cc: beginners-cgi@perl.org
> Subject: RE: Insecure setuid?
> 
> Ok, the date issue I can solve using the built in date functionality.
> 
> The second issue, I am trying to see if the data is untainted by using
> 
> my $err_file = $ENV{"SLS_LOG_PATH"} . "/drivererror" 
> . $rt_id ..
> ".err";
> if ($err_file =~ /^([EMAIL PROTECTED])$/) {
> $err_file = $1; # $err_file now untainted
> } else {
> die "Bad data in '$err_file'";  # log 
> this somewhere
> }
> 
> But this falls into the else section and the message 
>   Bad data in '/var/appl/sls/log/drivererror1757.err' at 
> /var/appl/sls/bin/driver.pl line 1256 gets printed out.
> 
> According to the documention, this should clear up the issue, 
> but I am unsuccessful so far.
> Chris
> 
> ---
> Just Your Friendly Neighborhood
> _SPIDEY_
>  
> 
> > -----Original Message-
> > From: Wiggins d'Anconia [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 09, 2005 11:20 AM
> > To: Tantalo, Christopher G
> > Cc: beginners-cgi@perl.org
> > Subject: Re: Insecure setuid?
> > 
> > Tantalo, Christopher G wrote:
> > > Can anyone shed some light on what this error means?
> > >   Insecure $ENV{PATH} while running setuid at 
> > > /var/appl/sls/bin/driver.pl line 1104.
> > > Line 1104 is
> > > print `date`;
> > > 
> > 
> > You shouldn't shell out to date anyways, especially in the above 
> > manner with no error checking, etc. Perl has builtin functions for 
> > collecting date information.
> > 
> > > If I comment this out, then the following error message appears:
> > >   Insecure dependency in open while running setuid at 
> > > /var/appl/sls/bin/driver.pl line 1249.
> > > Line 1249 is
> > > my $err_file = $ENV{"SLS_LOG_PATH"} . 
> > "/drivererror" . $rt_id ..
> > > ".err";
> > > actually 1249 --->  open(ERR_FILE,">>$err_file") ||die 
> > "cannot open
> > > $err_file for reading:$!";
> > > 
> > > Not sure what insecure warnings mean in terms of setuid.  
> > Any answer
> > > would be much appreciated.
> > > Thanks
> > > Chris
> > 
> > Because you are running setuid the taint mechanism is on. See,
> > 
> > perldoc perlsec
> > 
> > For more info. Whenever you have an error/warning you don't 
> understand 
> > that was thrown by Perl you can find more info in:
> > 
> > perldoc perldiag
> > 
> > HTH,
> > 
> > http://danconia.org
> > 
> > --
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED] 
> > <http://learn.perl.org/> <http://le

RE: Insecure setuid?

[Tantalo, Christopher G]

Ok, the date issue I can solve using the built in date functionality.

The second issue, I am trying to see if the data is untainted by using

my $err_file = $ENV{"SLS_LOG_PATH"} . "/drivererror" . $rt_id ..
".err";
if ($err_file =~ /^([EMAIL PROTECTED])$/) {
$err_file = $1; # $err_file now untainted
} else {
die "Bad data in '$err_file'";  # log this somewhere
}

But this falls into the else section and the message 
Bad data in '/var/appl/sls/log/drivererror1757.err' at
/var/appl/sls/bin/driver.pl line 1256
gets printed out.

According to the documention, this should clear up the issue, but I am
unsuccessful so far.
Chris

---
Just Your Friendly Neighborhood
_SPIDEY_
 

> -Original Message-
> From: Wiggins d'Anconia [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, August 09, 2005 11:20 AM
> To: Tantalo, Christopher G
> Cc: beginners-cgi@perl.org
> Subject: Re: Insecure setuid?
> 
> Tantalo, Christopher G wrote:
> > Can anyone shed some light on what this error means?
> > Insecure $ENV{PATH} while running setuid at 
> > /var/appl/sls/bin/driver.pl line 1104.
> > Line 1104 is
> > print `date`;
> > 
> 
> You shouldn't shell out to date anyways, especially in the 
> above manner with no error checking, etc. Perl has builtin 
> functions for collecting date information.
> 
> > If I comment this out, then the following error message appears:
> > Insecure dependency in open while running setuid at 
> > /var/appl/sls/bin/driver.pl line 1249.
> > Line 1249 is
> > my $err_file = $ENV{"SLS_LOG_PATH"} . 
> "/drivererror" . $rt_id ..
> > ".err";
> > actually 1249 --->  open(ERR_FILE,">>$err_file") ||die 
> "cannot open
> > $err_file for reading:$!";
> > 
> > Not sure what insecure warnings mean in terms of setuid.  
> Any answer 
> > would be much appreciated.
> > Thanks
> > Chris
> 
> Because you are running setuid the taint mechanism is on. See,
> 
> perldoc perlsec
> 
> For more info. Whenever you have an error/warning you don't 
> understand that was thrown by Perl you can find more info in:
> 
> perldoc perldiag
> 
> HTH,
> 
> http://danconia.org
> 
> --
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED] 
> <http://learn.perl.org/> <http://learn.perl.org/first-response>
> 
> 
> 

-
The information contained in this message may be privileged,
confidential, and protected from disclosure. If the reader of this
message is not the intended recipient, or any employee or agent
responsible for delivering this message to the intended recipient, you
are hereby notified that any dissemination, distribution, or copying of
this communication is strictly prohibited. If you have received this
communication in error, please notify us immediately by replying to the
message and deleting it from your computer.

Thank you. Paychex, Inc.


--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
<http://learn.perl.org/> <http://learn.perl.org/first-response>

Re: Insecure setuid?

[Wiggins d'Anconia]

Tantalo, Christopher G wrote:
> Can anyone shed some light on what this error means?
>   Insecure $ENV{PATH} while running setuid at
> /var/appl/sls/bin/driver.pl line 1104.
> Line 1104 is
> print `date`;
> 

You shouldn't shell out to date anyways, especially in the above manner
with no error checking, etc. Perl has builtin functions for collecting
date information.

> If I comment this out, then the following error message appears:
>   Insecure dependency in open while running setuid at
> /var/appl/sls/bin/driver.pl line 1249.
> Line 1249 is
> my $err_file = $ENV{"SLS_LOG_PATH"} . "/drivererror" . $rt_id ..
> ".err";
> actually 1249 --->  open(ERR_FILE,">>$err_file") ||die "cannot open
> $err_file for reading:$!";
> 
> Not sure what insecure warnings mean in terms of setuid.  Any answer
> would be much appreciated.
> Thanks
> Chris

Because you are running setuid the taint mechanism is on. See,

perldoc perlsec

For more info. Whenever you have an error/warning you don't understand
that was thrown by Perl you can find more info in:

perldoc perldiag

HTH,

http://danconia.org

-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
 

Insecure setuid?

[Tantalo, Christopher G]

Can anyone shed some light on what this error means?
Insecure $ENV{PATH} while running setuid at
/var/appl/sls/bin/driver.pl line 1104.
Line 1104 is
print `date`;

If I comment this out, then the following error message appears:
Insecure dependency in open while running setuid at
/var/appl/sls/bin/driver.pl line 1249.
Line 1249 is
my $err_file = $ENV{"SLS_LOG_PATH"} . "/drivererror" . $rt_id ..
".err";
actually 1249 --->  open(ERR_FILE,">>$err_file") ||die "cannot open
$err_file for reading:$!";

Not sure what insecure warnings mean in terms of setuid.  Any answer
would be much appreciated.
Thanks
Chris
---
Just Your Friendly Neighborhood
_SPIDEY_

-
The information contained in this message may be privileged,
confidential, and protected from disclosure. If the reader of this
message is not the intended recipient, or any employee or agent
responsible for delivering this message to the intended recipient, you
are hereby notified that any dissemination, distribution, or copying of
this communication is strictly prohibited. If you have received this
communication in error, please notify us immediately by replying to the
message and deleting it from your computer.

Thank you. Paychex, Inc.


--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]