[rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch

Josh Narins jnarins at seniorbridge.com
Tue Jan 18 08:47:51 EST 2011


From what I understand of Taint (-T) mode, this has nothing to do with directory permissions, and everything to do with trying to chdir to a variable (representing a directory) that has been marked as being unsafe, i.e. from user input.

See "perldoc perldiag" to find the error message, which then leads you to "perldoc perlsec" for more about taint mode.

That said, I don't know, inside RT, the appropriate way to deal with this.




Josh Narins
Director of Application Development
SeniorBridge
845 Third Ave
7th Floor
New York, NY 10022
Tel: (212) 994-6194
Mobile: (917) 488-6248
Fax: (212) 994-4260
jnarins at seniorbridge.com

-----Original Message-----
> From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On Behalf Of Kim Pedersen
> Sent: Tuesday, January 18, 2011 8:39 AM
> Cc: rt-users at lists.bestpractical.com
> Subject: Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch
>
>
> LOL - that figures :-)
>
> Yes, the path and permissions is alright - I can switch to the Apache
> user and all the perl modules in "/usr/lib/perl5/5.10.1/File" are 444,
> with the path directories being 755
>
> It's Line 250 in /usr/lib/perl5/5.10.1/File/Path.pm that throws off
> webmux.pl. Could it be some sort of RT/Webmux compatibility issue /bug
> with Mandriva Perl 5.10.1?
>   - Again the live installation is running with the same version of
> Perl, and I've compared the Path.pm & webmux.pl files between systems
> and they are identical
>
> --- /usr/lib/perl5/5.10.1/File/Path.pm ---
>          if ( -d _ ) {
>              $root = VMS::Filespec::pathify($root) if $Is_VMS;
>
> Line 250    if (!chdir($root)) {
>                  # see if we can escalate privileges to get in
>                  # (e.g. funny protection mask such as -w- instead of rwx)
>                  $perm &= 07777;
>                  my $nperm = $perm | 0700;
>                  if (!($arg->{safe} or $nperm == $perm or chmod($nperm, $root))) {
>                      _error($arg, "cannot make child directory read-write-exec", $canon);
>                      next ROOT_DIR;
>                  }
>                  elsif (!chdir($root)) {
>                      _error($arg, "cannot chdir to child", $canon);
>                      next ROOT_DIR;
>                  }
>              }
> ---------------------------------------
>
>
> Kim P
>
> On 2011-01-18 08:25, Schincke, Keith D. (JSC-IT)[DB Consulting Group,
> Inc.] wrote:
> > My typo. It should have been "perl module".
> >
> > Is the path to /usr/lib/perl5/5.10.1/File/Path.pm readable by the
> > apache user? Each of the directories should be 755 with the perl module
> > being 644.
> >
> > I sometimes get DAG modules installing with a 750 and 640
> respectively. Everything passes as root but fails as a user.
> >
> > Keith
> > ________________________________________
> > From: rt-users-bounces at lists.bestpractical.com [rt-users-bounces at lists.bestpractical.com] On Behalf Of Kim Pedersen [lists at kimp.org]
> > Sent: Tuesday, January 18, 2011 12:48 AM
> > Cc: rt-users at lists.bestpractical.com
> > Subject: Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch
> >
> > Hi Keith,
> >
> > I am not sure I understand 100% what permissions to the "perl mode"
> > means.
> >
> > But the line calling File::Path in /usr/sbin/webmux.pl refers to
> > "$RT::MasonDataDir", which points to /var/cache/rt/mason_data/.
> >
> > The content and permissions of that folder is the following:
> >
> > drwxrwx--- 5 apache apache 38 2011-01-18 01:06 ./
> > drwxr-xr-x 4 root   root   42 2011-01-18 01:06 ../
> > drwxrwx--- 2 apache apache  6 2011-01-18 01:06 cache/
> > drwxrwx--- 2 apache apache  6 2011-01-18 01:06 etc/
> > drwxrwx--- 3 apache apache 50 2011-01-18 01:06 obj/
> >
> > The "obj" dir has session related files in it (That are recreated by
> > apache if I empty the folders) all created by apache, and apache also
> > has the permissions to delete the files
> >
> >
> > It looks like webmux.pl is trying to clean out the
> > /var/cache/rt/mason_data/obj folder and failing for some reason, with
> > "Insecure dependency in mkdir while running with -T switch at
> > /usr/lib/perl5/5.10.1/File/Path.pm line 108, line 2. "
> >
> > if ( $ENV{'MOD_PERL'} && !RT->Config->Get('DevelMode')) {
> >      # Under static_source, we need to purge the component cache
> >      # each time we restart, so newer components may be reloaded.
> >      #
> >      # We can't do this in FastCGI or we'll blow away the component
> >      # root _every_ time a new server starts which happens every few
> >      # hits.
> >
> >      require File::Path;
> >      require File::Glob;
> >      my @files = File::Glob::bsd_glob("$RT::MasonDataDir/obj/*");
> >      File::Path::rmtree([ @files ], 0, 1) if @files;
> > }
> >
> > 1;
> >
> >
> > Kim P
> >
> >
> >
> >
> > On 2011-01-18 02:32, Schincke, Keith D. (JSC-IT)[DB Consulting Group, Inc.] wrote:
> > What are the directory permissions to the perl mode?
> > One of the directories or the Path.pm file may not allow the web
> > process to access the file.
> >
> > Keith
> >
> >
> > Sent from my Verizon Wireless Phone
> >
> > ----- Reply message -----
> > From: "Kim Pedersen" <lists at kimp.org>
> > Date: Mon, Jan 17, 2011 11:28 pm
> > Subject: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch
> > To: "rt-users at lists.bestpractical.com" <rt-users at lists.bestpractical.com>
> >
> >
> > Hi everyone,
> >
> > I am installing a cloned copy of our live 3.8.8 RT installation (To test
> > a restoration/reinstallation and later to play with the 3.9.4 release).
> >
> > The new server is running Apache 2.2.15 with mod_perl 2.0.4 on Mandriva
> > 2010.1 x64, with Postgresql 9.0 - which is the same as the live server.
> >
> > And the RT version is installed from RPM (built from a modified Mandriva
> > .spec file, updated to work with 3.8.8)
> >
> > After installing RT I can't start Apache any longer and I am stuck with
> > the following problem in my apache log:
> >
> > [error] Insecure dependency in chdir while running with -T switch at
> > /usr/lib/perl5/5.10.1/File/Path.pm line 250.\nCompilation failed in
> > require at (eval 2) line 1.\n
> > [error] Can't load Perl file: /usr/sbin/webmux.pl for server
> > www.testserver.com:0, exiting...
> >
> >
> > If I run webmux.pl manually as root, there are no Perl errors. A "make
> > testdeps" from the RT sources show all dependencies being okay as well.
> > The RT config files are the same as on the live server - File::Path is
> > called at the end of webmux.pl, but I am just lost for what to look for
> > / how to troubleshoot this.
> >
> >
> > Any hints / pointers?
> >
> >
> > Regards
> >
> > Kim P
> >
> >
> >
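
An added example, not part of the original thread and not RT's own code: it reproduces the glob-then-rmtree pattern quoted from webmux.pl under taint mode and shows the perlsec approach of untainting each path by validating it against an allowlist before it reaches File::Path. The scratch directory (a stand-in for `$RT::MasonDataDir`), the entry names and the allowlist pattern are assumptions; the base directory is assumed to be untainted, as a value set in a config file would be.

```perl
#!/usr/bin/perl -T
# Added illustration, not RT's code. Run as: perl -T untaint_demo.pl
# $data_dir is a hypothetical stand-in for $RT::MasonDataDir; a scratch
# directory is used so nothing real is deleted.
use strict;
use warnings;
use File::Glob ();
use File::Path ();
use File::Temp ();
use Scalar::Util qw(tainted);

my $data_dir = File::Temp::tempdir( CLEANUP => 1 );
File::Path::mkpath("$data_dir/obj/$_/sub") for qw(1295330000 1295330001);    # constructed names

# Same glob call as the quoted webmux.pl; report how taint mode flags each result.
my @files = File::Glob::bsd_glob("$data_dir/obj/*");
printf "%-8s %s\n", ( tainted($_) ? 'tainted' : 'clean' ), $_ for @files;

# Handing flagged paths to rmtree is what reaches chdir() inside File::Path.
# Any taint error is caught and printed rather than aborting the script.
eval { File::Path::rmtree( [@files], 0, 1 ); 1 }
    or print "rmtree refused: $@";

# Untaint by validation: accept only direct children of the base directory
# whose name matches a conservative allowlist (no leading dot, no slashes),
# then rebuild the path from the trusted base plus the captured leaf name.
sub untaint_child {
    my ( $base, $path ) = @_;
    my $prefix = "$base/";
    return unless index( $path, $prefix ) == 0;
    my ($leaf) = substr( $path, length $prefix ) =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]*)\z/;
    return defined $leaf ? "$base/$leaf" : ();
}

my @clean = map { untaint_child( "$data_dir/obj", $_ ) } @files;
printf "%-8s %s\n", ( tainted($_) ? 'tainted' : 'clean' ), $_ for @clean;

# Only validated paths are passed on; entries that failed the check are skipped.
File::Path::rmtree( [@clean], 0, 1 ) if @clean;
printf "validated %d of %d entries\n", scalar(@clean), scalar(@files);
```

A blanket `/(.*)/` capture would also clear the taint flag but validates nothing; the allowlist is what makes the untainting meaningful.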



