perl setuid/suid and "use MODULE"

David Lee
April 28, 2010 02:20

Although I'm reasonably comfortable (though certainly not expert) with 
perl scripts running under a setuid C wrapper, and am familiar with 
"Programming Perl (3rd edition)" on the topic, nothing in my searches 
seems to help when the script wishes to do a "use MODULE::NAME", and 
when that module is outside the perl installation.  I suspect that is 
where my problem, which is "Insecure dependency in require while running 
setuid  ...", lies, although I'm open to other suggestions.


An ancient perl4 application here is being rewritten to use local 
CPAN-like modules, object-orientation, etc.  At one point in its running 
it needs root access to open a privileged (<1024) port, but apart from 
that it can (and should and will) run entirely as the user.  Therefore 
it needs a setuid environment.  (Doesn't it?  Other suggestions, 
including "lateral thinking" to contain, separate and isolate that 
reserved-port-opening are welcome.)

The application needs to run on a variety of UN*X systems, including AIX 
5.3, and I think that having the script itself setuid wouldn't work on 
some of those older systems.  (It screams "YOU HAVEN'T DISABLED SET-ID 

I have tried to put as much as reasonably possible of the application 
into local CPAN-like modules, with just the initial C wrapper and small 
perl script outside that framework.  So that is:
    user-called "appname": setuid-C-wrapper in PATH
    setuid-C-wrapper: "execv(...)" of similarly named small script
    that script does various "use MODULE-1"

The problem:

Although written in a CPAN-like way, the application and its modules are 
installed in a "/usr/local/<application>" which is external to the main 
perl installation on the various systems.  When run non-setuid it works 
well (apart from an expected failure opening the reserved port).  Fine.

But when run via the C-wrapper, the small perl script ("els.qx") 
immediately fails:
    Insecure dependency in require while running setuid at \
       /usr/local/ecfs/test/.scripts/els.qx line 49.
    BEGIN failed--compilation aborted at \
       /usr/local/ecfs/test/.scripts/els.qx line 49.

That line 49 is the first of the local "use MODULE::NAME" commands. 
Just above this is:
    use FindBin;
    use lib "$FindBin::Bin/..";
so that those "MODULE::NAME" things can be found.  These modules belong 
to the application so are not in the perl installation's '@INC'.

Question:  How do I proceed?  Is there a known, demonstrated way to 
handle this?  I don't see any in "Programming Perl (3rd edition)", nor 
in web searches.  (While I suspect that relocating the "MODULE::NAME" 
items to be within each system's perl installation (site/vendor 
etc.) might possibly work, there may be local administrative resistance 
to such a course of action across our ranges of systems, administered by 
other people, that need this application.)

: David Lee
: ECMWF (Data Handling System)
: Shinfield Park
: Reading  RG2 9AX
: Berkshire
: tel:    +44-118-9499 362
: email:
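
One way to isolate the reserved-port step the post asks about, as an added example that is not part of the original message: the setuid-root wrapper opens the port itself, permanently returns to the invoking user, and only then executes the script with the listening descriptor inherited. Perl enables taint checks automatically only when real and effective ids differ, so a script started this way runs as it does in the non-setuid case. APP_PORT, APP_SCRIPT and the function names are placeholders chosen for illustration.

```c
/* Added example: open the privileged port, drop privilege, then exec. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define APP_PORT 999                           /* placeholder: the post names no port */
#define APP_SCRIPT "/usr/local/APPDIR/app.pl"  /* placeholder path */

/* Bind and listen on a TCP port (root needed below 1024). Returns fd or -1. */
int open_listener(unsigned short port)
{
    struct sockaddr_in sa;
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently return to the invoking user: group first, then user. 0 on success. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (geteuid() != uid || getegid() != gid) return -1;   /* ids must now match */
    if (uid != 0 && setuid(0) == 0) return -1;             /* root must be unreachable */
    return 0;
}

int main(void)
{
    char fdarg[16];
    char *envp[] = { "PATH=/usr/bin:/bin", NULL };  /* fixed, minimal environment */
    int fd = open_listener(APP_PORT);               /* the only privileged step */
    if (drop_privileges() != 0 || fd < 0) return 1; /* never exec with privilege left */
    snprintf(fdarg, sizeof fdarg, "%d", fd);
    char *args[] = { APP_SCRIPT, fdarg, NULL };     /* script adopts this descriptor */
    execve(APP_SCRIPT, args, envp);
    return 1;                                       /* exec failed */
}
```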

