
[perl #30461] insecure dependency problem w/ kill when included in conditional w/ tainted variables

From: David R. Schulte
Date: June 25, 2004 08:28
Subject: [perl #30461] insecure dependency problem w/ kill when included in conditional w/ tainted variables
Message ID: rt-3.0.9-30461-91366.11.3892106357267@perl.org
# New Ticket Created by  David R. Schulte 
# Please include the string:  [perl #30461]
# in the subject line of all future correspondence about this issue. 
# <URL: http://rt.perl.org:80/rt3/Ticket/Display.html?id=30461 >



This is a bug report for perl from bplatz@acm.org,
generated with the help of perlbug 1.34 running under perl v5.8.0.


-----------------------------------------------------------------
[Please enter your report here]

Perl 5.8.x reports an insecure dependency error when kill is included
in a conditional with conditions based on tainted variables, even though
no tainted variables are involved with kill itself.
Please read the contents of the following example Perl script for details.

#!/opt/perl58/bin/perl -w
#
# Summary of my perl5 (revision 5.0 version 8 subversion 0) configuration:
#  Platform:
#
# SunOS meappdev 5.8 Generic_117000-03 sun4u sparc SUNW,Ultra-Enterprise-10000
#
my $pidIsValid = undef;
my $lockingHost = "meappdev";
my $requestingHost = undef;
my $lockingPid = undef;

$ENV{PATH} = "/bin:/usr/bin";

delete @ENV{"CDPATH", "ENV", "BASH_ENV"};

$lockingHost = `uname -n`;
$requestingHost = `uname -n`;

#$lockingHost = "meappdev";
#$requestingHost = "meappdev";

#
# Leaving both assignments above commented out produces the following error
# when this script is run with uid != euid. Uncommenting either one
# of the assignments above causes the error to go away.
#
# Insecure dependency in kill while running setuid ...
#
# Example 1:
#
$pidIsValid = ($requestingHost eq $lockingHost) ? kill(0, 1) : 1;

#
# Example 2:
#
if (($requestingHost eq $lockingHost) && kill(0, 1) == 0)
    {
    $pidIsValid = 1;
    }

#
# Perl seems to think that the tainted variables are a part of the
# kill invocation when included as part of a conditional. Something else
# that is odd is that the error appears only if BOTH $requestingHost
# and $lockingHost are tainted.
#



[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl v5.8.0:

Configured by lstreet at Tue Mar  4 13:54:18 EST 2003.

Summary of my perl5 (revision 5.0 version 8 subversion 0) configuration:
  Platform:
    osname=solaris, osvers=2.8, archname=sun4-solaris
    uname='sunos meappdevnew.agere.com 5.8 generic_108528-18 sun4u sparc sunw,ultra-enterprise-10000 '
    config_args='-Dcc=gcc -B/usr/ccs/bin/'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc -B/usr/ccs/bin/', ccflags ='-fno-strict-aliasing -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O',
    cppflags='-fno-strict-aliasing'
    ccversion='', gccversion='3.2', gccosandvers='solaris2.8'
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=4321
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='gcc -B/usr/ccs/bin/', ldflags =' -L/usr/local/lib '
    libpth=/usr/local/lib /usr/lib /usr/ccs/lib
    libs=-lsocket -lnsl -ldl -lm -lc
    perllibs=-lsocket -lnsl -ldl -lm -lc
    libc=/lib/libc.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags=' '
    cccdlflags='-fPIC', lddlflags='-G -L/usr/local/lib'

Locally applied patches:
    

---
@INC for perl v5.8.0:
    /opt/perl58/lib/5.8.0/sun4-solaris
    /opt/perl58/lib/5.8.0
    /opt/perl58/lib/site_perl/5.8.0/sun4-solaris
    /opt/perl58/lib/site_perl/5.8.0
    /opt/perl58/lib/site_perl
    .

---
Environment for perl v5.8.0:
    HOME=/home/aldrsh
    LANG=C
    LANGUAGE (unset)
    LD_LIBRARY_PATH=/opt/SUNWspro6/SUNWspro/WS6/lib:/opt/SUNWspro6/SUNWspro/lib:/usr/openwin/lib:/usr/lib:/oracle/product/8.1.7/lib:/usr/dt/lib:/jdbc/lib:/opt/EMCpower/lib:/opt/VRTSvcs/EMC/lib:/usr/dt/lib:/usr/dt/lib
    LOGDIR (unset)
    PATH=/home/unife/unife5.1.0/sampleInstall/bin:/usr/openwin/bin:/usr/dt/bin:/usr/openwin/lib/X11:/usr/openwin/bin:/oracle/product/8.1.7/bin:/usr/ccs/bin:/opt/SUNWspro6/SUNWspro/bin:/opt/netscape/netscape7/SUNWns:/home/aldrsh/bin:/opt/addpath/bin:/usr/ccs/bin:/usr/bin:/usr/ucb:/usr/openv/netbackup/bin:/opt/VRTSvmsa/bin:/opt/sudo/bin:/opt/local/bin:/usr/openv/netbackup/bin:/usr/lib:/sopt/dazel/local/bin::/opt/dcs/bin:/opt/dcs/adm:/opt/local/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/bin:/usr/sadm/install/bin:/opt/ncr/terajdbc/bin:/etc:/opt/EMCpower/bin/sparcv9:/opt/VRTSvcs/EMC/bin:/etc/emc/bin::/usr/dt/bin:/opt/smradmin/scheduler/dcssrv15eP:/opt/smradmin/bin:/home/unidats/UNI_DEVTOOLS/bin:/opt/oracle/local/bin:/opt11/matrix/local/bin:/usr/local/bin:/bin:/usr/ccs/bin
    PERL_BADLANG (unset)
    SHELL=/bin/ksh
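
Added example (not part of the original report and not code from the Perl project): the report notes that the error goes away when either hostname holds an untainted value. The script below gets there by validating the `uname -n` output and keeping only the regex capture, which taint mode treats as untainted. The helper name untaint_hostname and the hostname pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example: untaint both hostnames before the conditional that calls kill.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode will not run external commands until the environment is cleaned.
$ENV{PATH} = "/bin:/usr/bin";
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: accept only a conservative hostname syntax (assumed
# pattern) and return the captured copy, which is no longer tainted.
sub untaint_hostname {
    my ($raw) = @_;
    die "no hostname returned\n" unless defined $raw && length $raw;
    chomp $raw;
    $raw =~ /\A([A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?)\z/
        or die "unexpected hostname format\n";
    return $1;
}

# Output of an external command is tainted.
my $rawLocking    = `uname -n`;
my $rawRequesting = `uname -n`;
printf "raw values tainted:   %s\n",
    (tainted($rawLocking) && tainted($rawRequesting)) ? "yes" : "no";

my $lockingHost    = untaint_hostname($rawLocking);
my $requestingHost = untaint_hostname($rawRequesting);
printf "clean values tainted: %s\n",
    (tainted($lockingHost) || tainted($requestingHost)) ? "yes" : "no";

# Same conditional as Example 1 in the report, now evaluated on
# untainted operands only.
my $pidIsValid = ($requestingHost eq $lockingHost) ? kill(0, 1) : 1;
printf "kill(0, 1) returned:  %s\n", $pidIsValid;
```

Run it as `perl -T script.pl`, or execute the file directly, so that the -T on the #! line is accepted.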



