[Rt-devel] FastCGI, SetGIDness and Taint mode

Bob Goldstein bobg at uic.edu
Wed Jun 16 12:45:42 EDT 2004


>So, lurking somewhere deep in MIME::Parser, there's a tainting error
>that I can't isolate it.  After running for a day or two, my development
>RT instances running setgid fastcgi do seem to hit it.  The only reason
>we're running in taint mode in the first place is because the fastcgi
>handler is setgid so that it can read the RT configuration file.  
>
>In this day and age, there are better solutions for allowing the RT
>handler to be executed as the RT user.  I'm strongly considering 
>making the fastcgi handler a normal perl script and recommending that
>folks use apache SuExec or equivalent.  Anyone have a good reason that
>the current setup works better?
>

   The only point of taint mode is to make it harder, not
   impossible, to shoot your own foot. If you develop RT using
   taint mode to help you find those places that would benefit
   from input validation, and you do the right thing, then there
   is no additional benefit to running taint mode in production.
   (Unless, of course, the local admin modifies the code :-)

   I personally have a dedicated apache instance for RT,
   and I just set the group of the server to 'rt', and that
   avoids exactly this taint problem.  Another option is to
   supply a tiny C wrapper that is, itself, suid root.
   Its whole purpose is to change egid and rgid to 'rt'
   and then exec the fastcgi handler.  I believe, if
   egid==rgid, perl will not turn on taint mode.

   Another option is to run the fastcgi by hand, and not
   have the apache server manage it.

      bobg


More information about the Rt-devel mailing list