[rt-users] Insecure dependency with FastCGI

Eric Fesh fesh at MPI-SoftTech.Com
Tue Dec 16 14:41:22 EST 2003


Bingo!

Thanks much...

-- 
Eric Fesh
Customer Support Engineer/Software Test Engineer
MPI Software Technology Inc.
http://www.mpi-softtech.com


The information contained in this communication may be confidential and is
intended only for the use of the recipient(s) named above.  If the reader of
this communication is not the intended recipient(s), you are hereby notified
that any dissemination, distribution, or copying of this communication, or
any of its contents, is strictly prohibited.  If you are not a named
recipient or received this communication by mistake, please notify the sender
and delete the communication and all copies of it.

On Tue, 16 Dec 2003, Bob Goldstein wrote:

>
>
>  No, what happens is that apache is running as one gid,
>  but the fastcgi script is setgid to another.  This forces
>  perl to turn on taint checking, and the fastsci script
>  is not taint-safe.  This would happen with any
>  version of perl.
>
>  The simplest solution, if it doesn't break anything else,
>  is to change the gid of apache or fastcgi to match.
>
>  Another solution is to start the fastcgi server by hand,
>  rather than have apache start it.  Apache still talks
>  to it over a socket in any case.  But if you start the
>  fastcgi by hand, using the uid/gid of the script itself,
>  then perl doesn't force taint checking.
>
>     bobg
>
>
>
> >Hanno et. al:
> >
> >I'm having the same problem on a Solaris 9 box... It would seem to me that
> >it's a symptom of rolling our own Perl 5.8.2.
> >
> >--
> >Eric Fesh
> >Customer Support Engineer/Software Test Engineer
> >MPI Software Technology Inc.
> >http://www.mpi-softtech.com
> >
> >
> >The information contained in this communication may be confidential and is
> >intended only for the use of the recipient(s) named above.  If the reader of
> >this communication is not the intended recipient(s), you are hereby notified
> >that any dissemination, distribution, or copying of this communication, or
> >any of its contents, is strictly prohibited.  If you are not a named
> >recipient or received this communication by mistake, please notify the sender
> >and delete the communication and all copies of it.
> >
> >On Fri, 14 Nov 2003, Hanno Mueller wrote:
> >
> >> Hi,
> >>
> >>
> >> I'm trying to install RT on a Debian Stable box. Since Debian doesn't
> >> come with Perl 5.8 yet, I compiled my own 5.8.2. It runs Apache 1.3.26
> >> with FastCGI.
> >>
> >>
> >> I followed all the installation instructions for RT.
> >>
> >>
> >> In RT 3.0.6, I get
> >>
> >> For the Homepage:
> >>
> >> > Error during compilation of /opt/rt/share/html/index.html:
> >> > Insecure dependency in require while running setgid at
> >> > /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Interp.pm line 568
> >> > context:   	...
> >> > code stack:
> >> > /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Interp.pm:580
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Interp.pm:317
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Request.pm:198
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Request.pm:166
> >> > g /opt/perl/lib/site_perl/5.8.2/Class/Container.pm:265
> >> > g /opt/perl/lib/site_perl/5.8.2/Class/Container.pm:343
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Interp.pm:213
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Interp.pm:207
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/CGIHandler.pm:89
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/CGIHandler.pm:72
> >> > g /opt/rt/bin/mason_handler.fcgi:53
> >> > g
> >>
> >>
> >> For the /Admin/ page:
> >>
> >> > error:   	Insecure dependency in mkdir while running setgid at
> >> > /opt/perl/lib/5.8.2/File/Path.pm line 159.
> >> > context:
> >> > ...
> >> > 155:  	unless (-d $parent or $path eq $parent) {
> >> > 156:  	push(@created,mkpath($parent, $verbose, $mode));
> >> > 157:  	}
> >> > 158:  	print "mkdir $path\n" if $verbose;
> >> > 159:  	unless (mkdir($path,$mode)) {
> >> > 160:  	my $e = $!;
> >> > 161:  	# allow for another process to have created it meanwhile
> >> > 162:  	croak "mkdir $path: $e" unless -d $path;
> >> > 163:  	}
> >> > ...
> >> > code stack:  	/opt/perl/lib/5.8.2/File/Path.pm:159
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Compiler/ToObject.pm:102
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Interp.pm:309
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Request.pm:198
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Request.pm:166
> >> > g /opt/perl/lib/site_perl/5.8.2/Class/Container.pm:265
> >> > g /opt/perl/lib/site_perl/5.8.2/Class/Container.pm:343
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Interp.pm:213
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Interp.pm:207
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/CGIHandler.pm:89
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/CGIHandler.pm:72
> >> > g /opt/rt/bin/mason_handler.fcgi:53
> >> > g
> >>
> >>
> >>
> >> In RT 3.0.5, I get for the Homepage:
> >>
> >> > Insecure dependency in mkdir while running setgid at
> >> > /opt/perl/lib/5.8.2/File/Path.pm line 159
> >> > context: mkdir
> >> > code stack:   	 /opt/perl/lib/5.8.2/File/Path.pm:159
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Compiler/ToObject.pm:102
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Interp.pm:309
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Request.pm:198
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Request.pm:166
> >> > g /opt/perl/lib/site_perl/5.8.2/Class/Container.pm:265
> >> > g /opt/perl/lib/site_perl/5.8.2/Class/Container.pm:343
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Interp.pm:213
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/Interp.pm:207
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/CGIHandler.pm:89
> >> > g /opt/perl/lib/site_perl/5.8.2/HTML/Mason/CGIHandler.pm:72
> >> > g /opt/rt/bin/mason_handler.fcgi:53
> >> > g
> >>
> >>
> >>
> >>
> >> I'm a bit stuck and the mailing list doesn't mention this problem for
> >> recent versions. Yet, I cannot use RT with mod_perl on this particular
> >> server.
> >>
> >> Any suggestions?
> >>
> >>
> >> Greetings,
> >>
> >> Hanno
> >>
> >>
> >>
> >> _______________________________________________
> >> rt-users mailing list
> >> rt-users at lists.fsck.com
> >> http://lists.fsck.com/mailman/listinfo/rt-users
> >>
> >> Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm
> >>
> >
> >_______________________________________________
> >rt-users mailing list
> >rt-users at lists.fsck.com
> >http://lists.fsck.com/mailman/listinfo/rt-users
> >
> >Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm
> >
> _______________________________________________
> rt-users mailing list
> rt-users at lists.fsck.com
> http://lists.fsck.com/mailman/listinfo/rt-users
>
> Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm
>




More information about the rt-users mailing list