Hi,
I have the same exact problem reported originally by Tristan back in
May. I have done some tests with Perl on this machine and have found
that Perl _always_ runs in taint mode no matter who is the owner and
regardless if the -T is explicit or not. Here are the sample programs
and results:
Test program:
#!/usr/bin/perl
use CGI;
my $q = CGI->new();
print $q->header();
#my $user = `whoami` ; # this throws unsecure under _any_ circumstance
my $user = $ENV{'USER'};
print "EUID: ", scalar getpwuid($>) ," ($>)\n";
print "UID: ", scalar getpwuid($<) ," ($<)\n";
print "Taint: ${^TAINT}\n";
print "PERL5OPT=", $ENV{PERL5OPT}, "\n";
print "Usr is: $user";
This is the result running in a shell owner/group aimass.aimass:
EUID: root (0)
UID: aimass (1000)
Taint: 1
PERL5OPT=
Why root???
This is the result running from Apache owner/group www-data.www-data:
EUID: www-data (33)
UID: www-data (33)
Taint: 1
PERL5OPT=
Usr is:
As you can see taint is _always_ on, which seems a bit strange to me.
IMHO it should only be on in one of three circumstances: (a) if -T is
explicit in the command line, (b) if running setuid, (c) if PERL5OPT
contains -T.
This led me to believe that there is something wrong with Perl on my new
machine... But if you look at the error with Twiki, it seems that it is ci
that is complaining, not Perl! Which leads me to believe that for some
reason every program on this machine seems to be running setuid and this is
what may be triggering taint in Perl.
Anyway, these are just my $0.02 since I'm not that great of a sysadmin, but a
mere mortal Perl hacker. I can also say I am having trouble with Kwiki on this
machine with similar problems. This also points in the direction that it is
not just Twiki or Perl but something else.
In the hope that all this helps solve this problem, here are my versions:
This is perl, v5.8.7 built for i486-linux-gnu-thread-multi
Linux version 2.6.12-1-k7 ([EMAIL PROTECTED]) (gcc
version 4.0.2 20050917 (prerelease) (Debian 4.0.1-8)) #1 Tue Sep 27
13:22:07 JST 2005
Best regards,
Alejandro Imass
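
An added diagnostic for the situation described in the message above (not part of the original post or of any project's code): perl enables taint checks on its own whenever the real and effective user or group IDs of the process differ, so this script reports those IDs together with the set-id bits on the interpreter and on the script itself. The helper names id_mismatches and setid_bits are illustrative.

```perl
#!/usr/bin/perl
# Added diagnostic, not part of the original post.
use strict;
use warnings;
use English qw(-no_match_vars);
use Fcntl qw(:mode);    # S_ISUID, S_ISGID

# perl turns taint checks on by itself when the real and effective
# user or group IDs of the process differ; list which pairs do.
sub id_mismatches {
    my ($ruid, $euid, $rgid, $egid) = @_;
    my @why;
    push @why, "real uid $ruid != effective uid $euid" if $ruid != $euid;
    push @why, "real gid $rgid != effective gid $egid" if $rgid != $egid;
    return @why;
}

# Describe the set-id bits on a file; undef means it could not be stat'ed.
sub setid_bits {
    my ($path) = @_;
    my @st = stat $path;
    return undef unless @st;
    my @bits;
    push @bits, "setuid (owner uid $st[4])" if $st[2] & S_ISUID;
    push @bits, "setgid (group gid $st[5])" if $st[2] & S_ISGID;
    return @bits ? join(', ', @bits) : 'no set-id bits';
}

# $( and $) hold a space-separated list; the first entry is the gid itself.
my ($rgid) = split ' ', $REAL_GROUP_ID;
my ($egid) = split ' ', $EFFECTIVE_GROUP_ID;
my @why = id_mismatches($REAL_USER_ID, $EFFECTIVE_USER_ID, $rgid, $egid);

print "Taint: ${^TAINT}\n";
print "PERL5OPT: ", (defined $ENV{PERL5OPT} ? $ENV{PERL5OPT} : '(unset)'), "\n";
print "Implicit taint trigger: $_\n" for @why;
print "Real and effective IDs match\n" unless @why;

# Check the interpreter binary and the script for set-id permission bits.
for my $file ($EXECUTABLE_NAME, $PROGRAM_NAME) {
    my $bits = setid_bits($file);
    print "$file: ", (defined $bits ? $bits : "cannot stat: $OS_ERROR"), "\n";
}
```

Run it once from the shell and once as a CGI script under the web server, then compare the two outputs.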