perl.beginners | Postings from April 2010

perl setuid/suid and "use MODULE"

From: David Lee
Date: April 28, 2010 02:20
Subject: perl setuid/suid and "use MODULE"
Message ID: 4BD7F5A7.3080408@ecmwf.int

Briefly:

Although I'm reasonably comfortable (though certainly not expert) with 
perl scripts running under a setuid C wrapper, and am familiar with 
"Programming Perl (3rd edition)" on the topic, nothing in my searches 
seems to help when the script wishes to do a "use MODULE::NAME", and 
when that module is outside the perl installation.  I suspect that is 
where my problem, which is "Insecure dependency in require while running 
setuid  ...", lies, although I'm open to other suggestions.

Background:

An ancient perl4 application here is being rewritten to use local 
CPAN-like modules, object-orientation, etc.  At one point in its running 
it needs root access to open a privileged (<1024) port, but apart from 
that it can (and should and will) run entirely as the user.  Therefore 
it needs a setuid environment.  (Doesn't it?  Other suggestions, 
including "lateral thinking" to contain, separate and isolate that 
reserved-port-opening are welcome.)

The application needs to run on a variety of UN*X systems, including AIX 
5.3, and I think that having the script itself setuid wouldn't work on 
some of those older systems.  (It screams "YOU HAVEN'T DISABLED SET-ID 
SCRIPTS IN THE KERNEL YET!".)

I have tried to put as much as reasonably possible of the application 
into local CPAN-like modules, with just the initial C wrapper and small 
perl script outside that framework.  So that is:
    user-called "appname": setuid-C-wrapper in PATH
    setuid-C-wrapper: "execv(...)" of similarly named small script
    that script does various "use MODULE-1"

The problem:

Although written in a CPAN-like way, the application and its modules are 
installed in a "/usr/local/<application>" which is external to the main 
perl installation on the various systems.  When run non-setuid it works 
well (apart from an expected failure opening the reserved port).  Fine.

But when run via the C-wrapper, the small perl script ("els.qx") 
immediately fails:
    Insecure dependency in require while running setuid at \
       /usr/local/ecfs/test/.scripts/els.qx line 49.
    BEGIN failed--compilation aborted at \
       /usr/local/ecfs/test/.scripts/els.qx line 49.

That line 49 is the first of the local "use MODULE::NAME" commands. 
Just above this is:
    use FindBin;
    use lib "$FindBin::Bin/..";
so that those "MODULE::NAME" things can be found.  These modules belong 
to the application so are not in the perl installation's '@INC'.

Question:  How do I proceed?  Is there a known, demonstrated way to 
handle this?  I don't see any in "Programming Perl (3rd edition)", nor 
in web searches.  (While I suspect that relocating the "MODULE::NAME" 
items to be within each system's perl installation (site/vendor 
etc.) might possibly work, there may be local administrative resistance 
to such a course of action across our ranges of systems, administered by 
other people, that need this application.)


-- 
: David Lee
: ECMWF (Data Handling System)
: Shinfield Park
: Reading  RG2 9AX
: Berkshire
:
: tel:    +44-118-9499 362
: email:  david.lee@ecmwf.int
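
One way to satisfy the taint check behind the "Insecure dependency in require" error quoted above, as an added example that is not part of the original message: validate the FindBin-derived directory against a fixed pattern before handing it to `use lib`. The sub name `trusted_libdir`, the `/usr/local/<app>[/<variant>]/.scripts` layout pattern and the root-ownership check are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post. Run with "perl -T"; behind a
# setuid wrapper perl switches taint checks on by itself.
use strict;
use warnings;
use FindBin;

# Hypothetical layout: modules live in /usr/local/<app>[/<variant>] and this
# script sits in the ".scripts" directory directly below that module root.
sub trusted_libdir {
    my ($bin) = @_;

    # A capture from a successful match is untainted, so the pattern is the
    # policy: anchored, absolute, fixed prefix, no "." or ".." components.
    my ($dir) = $bin =~ m{\A(/usr/local/[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)?)/\.scripts\z}
        or return;

    # Assumed hardening: the module root must be a root-owned directory that
    # group and other cannot write to, or anyone could plant MODULE/NAME.pm.
    my @st = lstat($dir) or return;
    return unless -d _;              # lstat, so a symlink is rejected here
    return unless $st[4] == 0 && ($st[2] & 022) == 0;
    return $dir;
}

my $libdir;
BEGIN {
    # $FindBin::Bin comes from $0 and the working directory, which the
    # invoking user influences, so a path built from it fails "require".
    $libdir = trusted_libdir($FindBin::Bin)
        or die "refusing to load modules relative to $FindBin::Bin\n";
}
use lib $libdir;    # untainted, so the application's "use MODULE::NAME" lines load
```

Started from any directory that does not match the pattern, the script stops at the `die` instead of loading modules from there. A literal path such as `use lib '/usr/local/appname';` (placeholder name) is never tainted and avoids FindBin altogether when the install location is fixed.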
