chetal@pyrps5.pyramid.com (Pradeep Chetal) (06/17/91)
I have a perl script which runs fine if I run it at shell level. However when I pipe stuff to it as a "shell command" in emacs I get the message: Insecure PATH at ppr line 18. Insecure PATH at ppr line 81. These two correspond to chop($hostname = `hostname`); AND system($comamnd); respectively. The perl I had built fine with slight modifications to Configure script to get the libraries, etc BUT there were no other changes. This is This is perl, version 4.0 $Header: perl.c,v 4.0 91/03/20 01:37:44 lwall Locked $ Patch level: 0 Copyright (c) 1989, 1990, 1991, Larry Wall Perl may be copied only under the terms of the GNU General Public License, a copy of which can be found with the Perl 4.0 distribution kit. Do I have to do anything special here sothat the same script runs from emacs Shell command also. /Pradeep -- ------------------------------------------------------------------------------ Pradeep Chetal UUCP: ...!{decwrl,sun,uunet}!pyramid!chetal M/S 24 Internet: chetal@pyramid.com Pyramid Technology Phone: (415) 335-8227 (O) 1295 Charleston Road (415) 961-9789 (H) Mountain View, CA 94043 (415) 335-8845 (FAX)
tchrist@convex.COM (Tom Christiansen) (06/17/91)
From the keyboard of chetal@pyrps5.pyramid.com (Pradeep Chetal): :I have a perl script which runs fine if I run it at shell level. :However when I pipe stuff to it as a "shell command" in emacs I get :the :message: : :Insecure PATH at ppr line 18. :Insecure PATH at ppr line 81. : :These two correspond to : chop($hostname = `hostname`); : AND : system($comamnd); :respectively. The perl I had built fine with slight modifications to :Configure script to get the libraries, etc BUT there were no other :changes. This is : :This is perl, version 4.0 : :$Header: perl.c,v 4.0 91/03/20 01:37:44 lwall Locked $ :Patch level: 0 Sounds like an evil emacs running set[ug]id. What does id say? Here's the one from the camel book in case you don't have one. #!/usr/bin/perl # Usage: id sub u { local($name) = getpwuid($_[0]); $name && "($name)";} sub g { local($name) = getgrgid($_[0]); $name && "($name)";} sub bynum { $a <=> $b; } print "uid=$<", &u($<); print " gid=", $(+0, &g($(); print " euid=$>", &u($>) if $> != $<; print " egid=", $)+0, &g($)) if $) != $(; @groups=split(' ', $(); shift(@groups); @groups && print " groups=", join(',', sort bynum grep(($_ .= &g($_)) || 1, @groups)); print "\n"; --tom -- Tom Christiansen tchrist@convex.com convex!tchrist "So much mail, so little time."
chetal@pyrps5.pyramid.com (Pradeep Chetal) (06/17/91)
In article <1991Jun16.212315.4751@convex.com> tchrist@convex.COM (Tom Christiansen) writes:
From the keyboard of chetal@pyrps5.pyramid.com (Pradeep Chetal):
:I have a perl script which runs fine if I run it at shell level.
:However when I pipe stuff to it as a "shell command" in emacs I get
:the
:message:
:
:Insecure PATH at ppr line 18.
:Insecure PATH at ppr line 81.
:
:These two correspond to
: chop($hostname = `hostname`);
: AND
: system($comamnd);
:respectively. The perl I had built fine with slight modifications to
:Configure script to get the libraries, etc BUT there were no other
:changes. This is
:
:This is perl, version 4.0
:
:$Header: perl.c,v 4.0 91/03/20 01:37:44 lwall Locked $
:Patch level: 0
Sounds like an evil emacs running set[ug]id. What does id say?
Here's the one from the camel book in case you don't have one.
#!/usr/bin/perl
# Usage: id
sub u { local($name) = getpwuid($_[0]); $name && "($name)";}
sub g { local($name) = getgrgid($_[0]); $name && "($name)";}
sub bynum { $a <=> $b; }
print "uid=$<", &u($<);
print " gid=", $(+0, &g($();
print " euid=$>", &u($>) if $> != $<;
print " egid=", $)+0, &g($)) if $) != $(;
@groups=split(' ', $(); shift(@groups);
@groups && print " groups=",
join(',', sort bynum grep(($_ .= &g($_)) || 1, @groups));
print "\n";
It is a setgid emacs running on the system.
It also shows the egid when I run the "id" script
via "emacs" as a Shell command. Since I do NOT have
any control over the emacs, can I change the programming style so that
I do NOT get the "Insecure PATH" problem. OR I should avoid such
programming practice.
Thanks,
/Pradeep
--
------------------------------------------------------------------------------
Pradeep Chetal UUCP: ...!{decwrl,sun,uunet}!pyramid!chetal
M/S 24 Internet: chetal@pyramid.com
Pyramid Technology Phone: (415) 335-8227 (O)
1295 Charleston Road (415) 961-9789 (H)
Mountain View, CA 94043 (415) 335-8845 (FAX)
tchrist@convex.COM (Tom Christiansen) (06/17/91)
From the keyboard of chetal@pyrps5.pyramid.com (Pradeep Chetal): :It is a setgid emacs running on the system. :It also shows the egid when I run the "id" script :via "emacs" as a Shell command. Since I do NOT have :any control over the emacs, can I change the programming style so that :I do NOT get the "Insecure PATH" problem. OR I should avoid such :programming practice. I smell a security hole. emacs should not run sgid, and if it really must, it should do a setgid(getgid()) before and fork/execs. If you're going to make a special group for protection, why let anyone who wants to run in it whenever they wish? --tom -- Tom Christiansen tchrist@convex.com convex!tchrist "So much mail, so little time."
chetal@pyrps5.pyramid.com (Pradeep Chetal) (06/17/91)
In article <1991Jun17.011615.13952@convex.com> tchrist@convex.COM (Tom Christiansen) writes:
From the keyboard of chetal@pyrps5.pyramid.com (Pradeep Chetal):
:It is a setgid emacs running on the system.
:It also shows the egid when I run the "id" script
:via "emacs" as a Shell command. Since I do NOT have
:any control over the emacs, can I change the programming style so that
:I do NOT get the "Insecure PATH" problem. OR I should avoid such
:programming practice.
I smell a security hole. emacs should not run sgid, and if it really
must, it should do a setgid(getgid()) before and fork/execs. If you're
going to make a special group for protection, why let anyone who wants to
run in it whenever they wish?
Looking at the "shell-command" in emacs, it just does a
shell "-c" command
so it does NOT do any set[ud]id(get[ug]id()). I will talk to the
admin here.
Thanks for your help,
/Pradeep
--
------------------------------------------------------------------------------
Pradeep Chetal UUCP: ...!{decwrl,sun,uunet}!pyramid!chetal
M/S 24 Internet: chetal@pyramid.com
Pyramid Technology Phone: (415) 335-8227 (O)
1295 Charleston Road (415) 961-9789 (H)
Mountain View, CA 94043 (415) 335-8845 (FAX)
tchrist@convex.COM (Tom Christiansen) (06/18/91)
The folks here report that as distributed, emacs leaves the wrong perms on. We locally fixed it. If I were into conspiracy theories, I'd wonder whether RMS intended this feature as a way for crackers to break into your system using GNU emacs. Of course, it's quite possible he never thought of it. --tom -- Tom Christiansen tchrist@convex.com convex!tchrist "So much mail, so little time."
jv@mh.nl (Johan Vromans) (06/18/91)
In article <1991Jun17.191832.15997@convex.com> tchrist@convex.COM (Tom Christiansen) writes:
: The folks here report that as distributed, emacs leaves the wrong perms
: on.
As far as I know, it leaves the mode at 0777. Not set[ug]id.
: I'd wonder
: whether RMS intended this feature as a way for crackers to break into your
: system using GNU emacs. Of course, it's quite possible he never thought
: of it.
RMS believes in cooperative users.
Johan
--
Johan Vromans jv@mh.nl via internet backbones
Multihouse Automatisering bv uucp: ..!{uunet,hp4nl}!mh.nl!jv
Doesburgweg 7, 2803 PL Gouda, The Netherlands phone/fax: +31 1820 62911/62500
------------------------ "Arms are made for hugging" -------------------------
scott@castle.ed.ac.uk (Scott Larnach) (06/19/91)
I got this error from a perl script I wrote yesterday as glue between inews and (a slightly hacked version of) Rich $alz's news->mail code. It's tickled presumably because it's called (via the sys file) from inews, which is setuid news & setgid news. It complained about the following line: $status = system "./news2mail $listname $listaddr $sender $domain"; All four variables are derived from static data from within the script, and none contain shell metacharacters. The "./" is taken care of by doing a chdir($libdir) || die "Can't chdir($libdir): $!\n"; To my mind, this seems secure enough. I made the complaint go away by $< = $>; $( = $); i.e. setting real uid and gid to news. Does anyone see any problems with doing this? Scott -- this is not a signature
rbj@uunet.uu.net (Root Boy Jim) (06/20/91)
In article <1991Jun17.191832.15997@convex.com> tchrist@convex.COM (Tom Christiansen) writes: >The folks here report that as distributed, emacs leaves the wrong perms Emacs isn't distributed with any permissions. You have to build it. You have to install it. And you have the opportunity to change it. >on. We locally fixed it. If I were into conspiracy theories, I'd wonder >whether RMS intended this feature as a way for crackers to break into your >system using GNU emacs. Of course, it's quite possible he never thought >of it. Emacs 18.55 and previous versions ran setuid kmem so they could grovel and scrape the load average out of the kernel. Presumably, there was enuf objection so that in later versions, a separate program does so instead. Extend the privilege only as far as necessary. >--tom >-- >Tom Christiansen tchrist@convex.com convex!tchrist > "So much mail, so little time." So much news, so little time. -- [rbj@uunet 1] stty sane unknown mode: sane
lwall@jpl-devvax.jpl.nasa.gov (Larry Wall) (06/20/91)
In article <11178@castle.ed.ac.uk> scott@castle.ed.ac.uk (Scott Larnach) writes:
: I got this error from a perl script I wrote yesterday as glue between
: inews and (a slightly hacked version of) Rich $alz's news->mail code.
: It's tickled presumably because it's called (via the sys file) from
: inews, which is setuid news & setgid news. It complained about the
: following line:
:
: $status = system "./news2mail $listname $listaddr $sender $domain";
:
: All four variables are derived from static data from within the script,
: and none contain shell metacharacters. The "./" is taken care of by doing
: a
:
: chdir($libdir) || die "Can't chdir($libdir): $!\n";
:
: To my mind, this seems secure enough. I made the complaint go away by
:
: $< = $>;
: $( = $);
:
: i.e. setting real uid and gid to news. Does anyone see any problems
: with doing this?
It's better to suppress the message by setting $ENV{PATH} to a known value.
Perl has no way of knowing whether news2mail is a shell script that
depends on PATH in an insecure fashion.
If you know that news2mail is secure, another way to bypass the check would
be to say
$status = system "./news2mail", $listname, $listaddr, $sender, $domain;
It's still safer to set the path, though.
Larry