[rt-users] Insecure dependency running setgid in Guts.pm
Parish, Brent
bparish at workscape.com
Wed Apr 21 00:57:48 EDT 2004
Sorry, Jesse, don't mean to be thick, but I can't find much on this.
I have enabled suexec and the logs show it starting successfully with Apache, along with fastcgi and all that. However, I wasn't convinced I was doing the right thing, since the files were still set as setgid.
I was guessing that I needed to strip the setgid permission from the mason_handler.fcgi file, but doing so caused a fastcgi error on Apache startup:
[Wed Apr 21 00:16:03 2004] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Wed Apr 21 00:16:18 2004] [notice] FastCGI: process manager initialized (pid 9974)
[Wed Apr 21 00:16:18 2004] [warn] FastCGI: server "/opt/rt3/bin/mason_handler.fcgi" started (pid 9975)
[Wed Apr 21 00:16:19 2004] [notice] Apache configured -- resuming normal operations
"/opt/rt3/bin/mason_handler.fcgi" started (pid 9983)
Can't locate /opt/rt3/etc/RT_SiteConfig.pm in @INC (@INC contains: /opt/rt3/local/lib /opt/rt3/lib /usr/local/lib/perl5/5.8.3/sun4-solaris-thread-multi /usr/local/lib/perl5/5.8.3 /usr/local/lib/perl5/site_perl/5.8.3/sun4-solaris-thread-multi /usr/local/lib/perl5/site_perl/5.8.3 /usr/local/lib/perl5/site_perl .) at /opt/rt3/lib/RT.pm line 105.
Compilation failed in require at /opt/rt3/bin/mason_handler.fcgi line 28.
[Wed Apr 21 00:16:28 2004] [warn] FastCGI: server "/opt/rt3/bin/mason_handler.fcgi" (pid 9975) terminated by calling exit with status '13'
Thanks a million!
- Brent
-----Original Message-----
From: Jesse Vincent [mailto:jesse at bestpractical.com]
Sent: Tuesday, April 20, 2004 3:01 PM
To: Parish, Brent
Cc: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] Insecure dependency running setgid in Guts.pm
Ok. Another workaround is to use apache's suexec functionality, rather
than setgid perl. The author of Locale::Maketext hasn't been able to
track this issue yet.
On Tue, Apr 20, 2004 at 02:55:35PM -0400, Parish, Brent wrote:
> Hi.
>
> I saw this error on the list Thu 4/15/2004, reported on RH9. I am seeing this on Solaris 9, Perl 5.8.3, RT 3.0.10.
> I have seen this in several places, but this particular one (below) was while modifying a ticket and dropping a requestor from it.
> I upgraded Locale::Maketext to 1.09, but got the error again. I have a number of users (about 20) hitting the RT servers (there are 3, load balanced with persistent sessions behind a VIP) fairly regularly through the day. I see this error probably about three times an hour or more. Anyone have any ideas? Also, I only saw this error after upgrading to 3.0.10 (from 3.0.9 for performance).
>
> Thanks!
> Brent
>
> =========== ERROR =================
>
> error: Insecure dependency in eval while running setgid at /usr/local/lib/perl5/5.8.3/Locale/Maketext/Guts.pm line 247.
>
> context: ...
> 243: unshift @code, "use strict; sub {\n";
> 244: push @code, "}\n";
> 245:
> 246: print @code if DEBUG;
> 247: my $sub = eval(join '', @code);
> 248: die "$@ while evalling" . join('', @code) if $@; # Should be impossible.
> 249: return $sub;
> 250: }
> 251:
> ...
>
> code stack: /usr/local/lib/perl5/5.8.3/Locale/Maketext/Guts.pm:247
> /usr/local/lib/perl5/5.8.3/Locale/Maketext.pm:195
> /opt/rt3/lib/RT/CurrentUser.pm:360
> /opt/rt3/lib/RT/Base.pm:97
> /opt/rt3/lib/RT/Ticket_Overlay.pm:1601
> /opt/rt3/lib/RT/Interface/Web.pm:1265
> /opt/rt3/share/html/Ticket/ModifyPeople.html:49
> /opt/rt3/share/html/autohandler:195
>
> =========== END ERROR =================
>
>
--
***********************************************************************
This message is intended only for the use of the intended recipient and
may contain information that is PRIVILEGED and/or CONFIDENTIAL. If you
are not the intended recipient, you are hereby notified that any use,
dissemination, disclosure or copying of this communication is strictly
prohibited. If you have received this communication in error, please
destroy all copies of this message and its attachments and notify us
immediately.
***********************************************************************
More information about the rt-users
mailing list