Thank you Bill,
That has given me a clue. I ran the commands below:
thelma@thelma:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11:/usr/games:/usr/local/games:/snap/bin
thelma@thelma:~$ ls -ld /usr/local/sbin
drwxr-xr-x 2 root root 48 Mar 11 2007 /usr/local/sbin
thelma@thelma:~$ ls -ld /usr/local/bin
drwxr-xr-x 2 root root 48 Mar 11 2007 /usr/local/bin
thelma@thelma:~$ ls -ld /usr/sbin
drwxr-xr-x 2 root root 11752 Apr 18 13:06 /usr/sbin
thelma@thelma:~$ ls -ld /usr/bin
drwxr-xr-x 4 root root 72872 Apr 18 16:44 /usr/bin
thelma@thelma:~$ ls -ld /usr/sbin
drwxr-xr-x 2 root root 11752 Apr 18 13:06 /usr/sbin
thelma@thelma:~$ ls -ld /bin
drwxrwxrwx 3 root root 4352 Apr 15 19:06 /bin
ls -ld /usr/bin/X11
lrwxrwxrwx 1 root root 1 Mar 11 2007 /usr/bin/X11 -> .
ls -ld /usr/games
drwxr-xr-x 2 root root 784 Apr 15 18:17 /usr/games
ls -ld /usr/local/games
drwxr-xr-x 2 root root 48 Mar 11 2007 /usr/local/games
ls -ld /snap/bin
ls: cannot access '/snap/bin': No such file or directory
Note that /snap/bin doesn't exist and /usr/bin/X11 links to "."
I added /snap/bin as an empty directory but it still fails
thelma@thelma:/usr/bin$ ls -ld /snap/bin
drwxr-xr-x 2 root root 48 Apr 20 15:55 /snap/bin
I was a little concerned about what to do with /usr/bin/X11
I deleted the /usr/bin/X11 link and created a new directory /usr/bin/X11
but it still failed.
I deleted the directory and remade the link.
I'd also prefer not to modify sa-compile since the next time there is an
update it will likely be overwritten.
Hopefully someone can shed a clue
Bill Cole wrote:
Inside a perl script, the execution environment is available in the
%ENV hash, with variable names as keys, so the execution search path
"PATH" is "$ENV{'PATH'}". The %ENV hash is considered "tainted" as
untrustworthy input by perl, so if the interpreter is run with the
"-T" option, any subprocess launched by perl won't get any environment
variables unless the script has done something to "untaint" members of
that hash. The sa-compile script DOES use a SA utility function to
untaint the whole %ENV hash, but there's a special catch for
$ENV{'PATH'}: if any directories included are not absolute (e.g.
commonly '.' and '~/bin') OR are writable by more than their owning
user & group, $ENV{'PATH'} remains tainted and won't be used or passed
to child processes. Often a bad member directory is unobvious because
it is a symlink name and symlinks are usually technically mode 777
because the system doesn't use the mode of a symlink itself.
What I expect is happening is that there's a problematic directory in
the $PATH that perl gets when executed, so the blind untainting of
$ENV{'PATH'} that sa-compile does won't work. The best fix is to find
the insecure member of $PATH and remove it before trying to run
sa-compile.
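The check Bill describes, as an added example that is not part of either message above and not SpamAssassin's own code: a small POSIX sh function that walks a PATH string and reports the members perl's taint rule would reject, namely anything that is not an absolute path and anything that is writable by others (the o+w bit); members that do not exist are listed for information only, since perl skips what it cannot stat, which is consistent with creating an empty /snap/bin changing nothing. Symlinks are judged by the mode of their target (`ls -L`), so /usr/bin/X11 -> . is assessed as /usr/bin, not as lrwxrwxrwx. The function name, the output wording and the check_path.sh filename are my own choices. Run against the listing pasted earlier in this thread, it would report /bin, which shows as drwxrwxrwx.

```shell
#!/bin/sh
# Added example (not from the thread, not SpamAssassin code).
# Lists members of a PATH string that perl -T would refuse to untaint.
# Assumed rule (as Bill describes it): a member taints PATH if it is not an
# absolute path or if it is writable by "others"; members that cannot be
# stat'ed are ignored by perl. Needs only POSIX sh, ls -L and cut.

# Usage: perl_taint_path_report [PATHSTRING]   (defaults to $PATH)
# Prints one line per finding; exit status 0 means perl would accept it all.
perl_taint_path_report() {
    _path=${1:-$PATH}
    _rc=0
    # Trailing ':' so an empty last member (which means ".") is seen too.
    _rest="${_path}:"
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_dir" in
            /*) ;;
            *)  echo "RELATIVE: '$_dir' (empty means the current directory)"
                _rc=1
                continue ;;
        esac
        if [ ! -e "$_dir" ]; then
            # perl skips members it cannot stat, so this is informational only
            echo "MISSING: $_dir (ignored by perl, but worth removing)"
            continue
        fi
        # ls -L follows symlinks, so /usr/bin/X11 -> . is judged by the mode of
        # /usr/bin, not by the lrwxrwxrwx of the link itself. Keep the 10-char
        # mode field; cut drops any ACL/SELinux marker ('+', '.', '@') after it.
        _mode=$(ls -ldL "$_dir" | cut -c1-10)
        case "$_mode" in
            ????????w?) echo "WORLD-WRITABLE: $_dir ($_mode)"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Run directly when saved as check_path.sh; otherwise source the file and
# call perl_taint_path_report yourself.
case "$0" in
    */check_path.sh|check_path.sh) perl_taint_path_report "$@" ;;
esac
```

Run it as the user who will execute sa-compile (the PATH that matters is that user's), fix what it reports (for a world-writable /bin that is `chmod 755 /bin`), and re-run sa-compile. A quick independent confirmation that perl itself is the one objecting is `perl -T -e 'system "/bin/true"'`, which dies with "Insecure $ENV{PATH} while running with -T switch" while any member of PATH still taints it.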