
This queue is for tickets about the Crypt-RSA CPAN distribution.

Report information
The Basics
Id: 37862
Status: resolved
Priority: 0/
Queue: Crypt-RSA

People
Owner: Nobody in particular
Requestors: Russell.Reed [...] acxiom.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Crypt::RSA doesn't work under setuid Perl
Date: Tue, 22 Jul 2008 16:13:55 -0500
To: <bug-Crypt-RSA [...] rt.cpan.org>
From: "Reed Russell - rreed" <Russell.Reed [...] acxiom.com>
The following two lines in Crypt::RSA and several of the related modules cause Perl to abort when running setuid:

    use FindBin qw($Bin);
    use lib "$Bin/../../lib";

Are these possibly in there to support the test scripts? Can they be removed and a different method used instead?

Russell Reed | Acxiom Recognition
501-342-8624 office | 501-342-3934 fax
301 E. Dave Ward Drive | Conway, AR 72034 | USA | www.acxiom.com

ACXIOM(r) WE MAKE INFORMATION INTELLIGENT(TM)

***************************************************************************
The information contained in this communication is confidential, is intended only for the use of the recipient named above, and may be legally privileged. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please resend this communication to the sender and delete the original message or any copy of it from your computer system. Thank You.
***************************************************************************
Yes, this is for making test scripts work, perhaps I can remove the FindBin entirely and only use "make test" to run the test suite. I am not sure why it breaks setuid though. If you have pointers/suggestions please add them to this bug. I'll try to look at this soon.
Subject: RE: [rt.cpan.org #37862] Crypt::RSA doesn't work under setuid Perl
Date: Wed, 23 Jul 2008 09:14:41 -0500
To: <bug-Crypt-RSA [...] rt.cpan.org>
From: "Reed Russell - rreed" <Russell.Reed [...] acxiom.com>
The reason it breaks setuid is that Perl's tainting feature doesn't allow a 'use' or 'require' that depends on the caller's environment and thus could allow the caller to get their own code executed as the more privileged user.

For example, with FindBin being used to add a library path relative to the script, an attacker could use a hard link to get his own code executed. He'd just need to create a hard link for the setuid script in a directory he controlled, and then create a modified version of a module like Crypt::RSA::Key in that same directory tree, with his code included.

Can you move the FindBin code into the test scripts instead? It looks to me like the test scripts are already including the lib directory into their search path, anyway, though you might have a scenario where you need FindBin still.

Thanks,
Russell
Subject: RE: [rt.cpan.org #37862] Crypt::RSA doesn't work under setuid Perl
Date: Wed, 23 Jul 2008 14:47:51 -0500
To: <bug-Crypt-RSA [...] rt.cpan.org>
From: "Reed Russell - rreed" <Russell.Reed [...] acxiom.com>
Steps to reproduce, just in case.

1. Create the following test script, test1.pl

    #! /usr/bin/perl
    use Crypt::RSA;
    print "Here\n";
    __END__

2. Make the script setuid

    chmod u+s test1.pl

3. Run the script, as a different user
From: ruff [...] ukrpost.net
Crypt::RSA also fails with FindBin when you're modifying the $0 variable (setproctitle). As a temporary workaround I commented out all uses of FindBin and the following use lib...
1.99 fixes this. FindBin has been moved to test scripts.
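As an added example, not code from the ticket or the Crypt::RSA distribution: a small Python audit for the pattern Russell describes above and the 1.99 fix removes, flagging a `use FindBin` import and any `use lib` path built from `$Bin`, `$RealBin`, `$FindBin::Bin` or `$0` inside installed library modules (the lines the ticket reports as aborting under setuid), while leaving test scripts alone. The module text it scans by default is a constructed sample, and the script filename in the usage comment is a placeholder.

```python
import re
import sys
from pathlib import Path

# The two lines the ticket reports: a FindBin import, and a 'use lib' whose
# path is built from the running script's location ($Bin, $RealBin,
# $FindBin::Bin, $FindBin::RealBin) or from $0 itself.
FINDBIN_RE = re.compile(r'^\s*use\s+FindBin\b')
USE_LIB_RE = re.compile(r'^\s*use\s+lib\b(.*?);')
SCRIPT_RELATIVE_RE = re.compile(r'\$(?:FindBin::)?(?:Real)?Bin\b|\$0\b')

def scan_source(text: str) -> list:
    """Return (line number, kind, source line) for each flagged line. Lines
    commented out with '#' (the workaround in this ticket) do not match,
    because both regexes anchor on 'use' at the start of the line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if FINDBIN_RE.match(line):
            findings.append((no, 'use FindBin', line.strip()))
            continue
        m = USE_LIB_RE.match(line)
        if m and SCRIPT_RELATIVE_RE.search(m.group(1)):
            findings.append((no, 'script-relative use lib', line.strip()))
    return findings

def scan_tree(root: Path) -> dict:
    """Scan library modules (*.pm) only; t/*.t scripts are where the 1.99
    fix moved FindBin, so they are deliberately left alone."""
    results = {}
    for pm in sorted(root.rglob('*.pm')):
        found = scan_source(pm.read_text(encoding='utf-8', errors='replace'))
        if found:
            results[str(pm)] = found
    return results

# Constructed sample module text, not taken from the Crypt::RSA distribution.
SAMPLE_MODULE = """package My::Constructed::Module;
use strict;
use FindBin qw($Bin);
use lib "$Bin/../../lib";
use lib '/usr/local/lib/perl5';
# use lib "$Bin/../lib";
1;
"""

if __name__ == '__main__':  # usage: python findbin_audit.py /path/to/perl/lib
    for path, found in scan_tree(Path(sys.argv[1])).items():
        for no, kind, src in found:
            print(f'{path}:{no}: {kind}: {src}')
```

Running it over a site_perl tree lists each module and line that still carries the pattern; an absolute `use lib` path is not reported.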