perl dies if an early item in @INC is inaccessible #15133

Closed
p5pRT opened this issue Jan 19, 2016 · 4 comments

p5pRT commented Jan 19, 2016

Migrated from rt.perl.org#127318 (status was 'rejected')

Searchable as RT127318$


p5pRT commented Jan 19, 2016

From @toddr

Created by @toddr

On my system, user id is mail, but any unprivileged user should fail
this way if /root is inaccessible (chmod 0700 /root)

$>p14 -w -E' $> = 8; $< = 8; $) = 8; $( = 8; unshift @INC, qw{/root/foo/bar}; require strict;'

$>p22 -w -E' $> = 8; $< = 8; $) = 8; $( = 8; unshift @INC, qw{/root/foo/bar}; require strict;'
Can't locate strict.pm: /root/foo/strict.pm: Permission denied at -e line 1.

This was caused by a change made for RT:
https://rt.perl.org/Public/Bug/Display.html?id=113422

While I really don't agree with the opening premise, maybe there's
additional background related to some sort of security issue?

Regardless the state of things now is that I can force a perl script
to fail by setting PERL5LIB to an inaccessible path. I'm not sure if
this is a good thing?

Perl Info


Flags:
    category=core
    severity=high



Site configuration information for perl 5.22.1:

Configured by cPanel at Thu Jan 14 22:55:46 CST 2016.

Summary of my perl5 (revision 5 version 22 subversion 1) configuration:



  Platform:
    osname=linux, osvers=2.6.32-431.29.2.el6.i686, archname=i386-linux-64int
    uname='linux rpmb-32-centos-65.dev.cpanel.net
2.6.32-431.29.2.el6.i686 #1 smp tue sep 9 20:14:52 utc 2014 i686 i686
i386 gnulinux '
    config_args='-des -Dusedevel -Darchname=i386-linux-64int
-Dcc=/usr/bin/gcc -Dcpp=/usr/bin/cpp -DDEBUGGING=none -Doptimize=-Os
-Dusemymalloc=n -Duseshrplib -Duselargefiles=yes -Duseposix=true
-Dhint=recommended -Duseperlio=yes -Dccflags=-DPERL_DISABLE_PMC
-I/usr/local/cpanel/3rdparty/perl/522/include
-L/usr/local/cpanel/3rdparty/perl/522/lib
-I/usr/local/cpanel/3rdparty/include -L/usr/local/cpanel/3rdparty/lib
-Dcppflags=-I/usr/local/cpanel/3rdparty/perl/522/include
-L/usr/local/cpanel/3rdparty/perl/522/lib
-I/usr/local/cpanel/3rdparty/include -L/usr/local/cpanel/3rdparty/lib
-Dldflags=-Wl,-rpath -Wl,/usr/local/cpanel/3rdparty/perl/522/lib
-L/usr/local/cpanel/3rdparty/perl/522/lib
-L/usr/local/cpanel/3rdparty/lib
-Dprefix=/usr/local/cpanel/3rdparty/perl/522
-Dsiteprefix=/opt/cpanel/perl5/522 -Dsitebin=/opt/cpanel/perl5/522/bin
-Dsitelib=/opt/cpanel/perl5/522/site_lib -Dusevendorprefix=true
-Dvendorbin=/usr/local/cpanel/3rdparty/perl/522/bin
-Dvendorprefix=/usr/local/cpanel/3rdparty/perl/522/lib/perl5
-Dvendorlib=/usr/local/cpanel/3rdparty/perl/522/lib/perl5/cpanel_lib
-Dprivlib=/usr/local/cpanel/3rdparty/perl/522/lib/perl5/5.22.1
-Dman1dir=none -Dman3dir=none
-Dscriptdir=/usr/local/cpanel/3rdparty/perl/522/bin
-Dscriptdirexp=/usr/local/cpanel/3rdparty/perl/522/bin
-Dsiteman1dir=none -Dsiteman3dir=none -Dinstallman1dir=none
-Dversiononly=no -Dinstallusrbinperl=no -Dcf_by=cPanel
-Dmyhostname=localhost -Dperladmin=root@localhost
-Dcf_email=support@cpanel.net
-Di_dbm=/usr/local/cpanel/3rdparty/include
-Di_gdbm=/usr/local/cpanel/3rdparty/include
-Di_ndbm=/usr/local/cpanel/3rdparty/include -DDB_File=true -Ud_dosuid
-Uuserelocatableinc -Umad -Uusethreads -Uusemultiplicity -Uusesocks
-Uuselongdouble -Aldflags=-L/usr/local/cpanel/3rdparty/perl/522/lib
-L/usr/local/cpanel/3rdparty/lib -L/usr/lib -L/lib -lgdbm
-Dlocincpth=/usr/local/cpanel/3rdparty/perl/522/include
/usr/local/cpanel/3rdparty/include /usr/local/include  -Duse64bitint
-Uuse64bitall -Acflags=-fPIC -DPIC -m32
-I/usr/local/cpanel/3rdparty/perl/522/include
-I/usr/local/cpanel/3rdparty/include
-Dlibpth=/usr/local/cpanel/3rdparty/perl/522/lib
/usr/local/cpanel/3rdparty/lib /usr/local/lib /lib /usr/lib '
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=define, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef

  Compiler:
    cc='/usr/bin/gcc', ccflags ='-DPERL_DISABLE_PMC
-I/usr/local/cpanel/3rdparty/perl/522/include
-L/usr/local/cpanel/3rdparty/perl/522/lib
-I/usr/local/cpanel/3rdparty/include -L/usr/local/cpanel/3rdparty/lib
-fwrapv -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
-D_FORTIFY_SOURCE=2',
    optimize='-Os',
    cppflags='-I/usr/local/cpanel/3rdparty/perl/522/include
-L/usr/local/cpanel/3rdparty/perl/522/lib
-I/usr/local/cpanel/3rdparty/include -L/usr/local/cpanel/3rdparty/lib
-DPERL_DISABLE_PMC -I/usr/local/cpanel/3rdparty/perl/522/include
-L/usr/local/cpanel/3rdparty/perl/522/lib
-I/usr/local/cpanel/3rdparty/include -L/usr/local/cpanel/3rdparty/lib
-fwrapv -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include'
    ccversion='', gccversion='4.4.7 20120313 (Red Hat 4.4.7-4)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8,
byteorder=12345678, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define,
longdblsize=12, longdblkind=3
    ivtype='long long', ivsize=8, nvtype='double', nvsize=8,
Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='/usr/bin/gcc', ldflags ='-Wl,-rpath
-Wl,/usr/local/cpanel/3rdparty/perl/522/lib
-L/usr/local/cpanel/3rdparty/perl/522/lib
-L/usr/local/cpanel/3rdparty/lib
-L/usr/local/cpanel/3rdparty/perl/522/lib
-L/usr/local/cpanel/3rdparty/lib -L/usr/lib -L/lib -lgdbm
-fstack-protector -L/usr/local/lib'
    libpth=/usr/local/cpanel/3rdparty/perl/522/lib
/usr/local/cpanel/3rdparty/lib /usr/local/lib /lib /usr/lib
/usr/local/lib /usr/lib
    libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.12.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.12'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E
-Wl,-rpath,/usr/local/cpanel/3rdparty/perl/522/lib/perl5/5.22.1/i386-linux-64int/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -Os
-L/usr/local/cpanel/3rdparty/perl/522/lib
-L/usr/local/cpanel/3rdparty/lib -L/usr/lib -L/lib -L/usr/local/lib
-fstack-protector'

Locally applied patches:
    cPanel patches
    cPanel INC path changes
    Remove . from @INC


@INC for perl 5.22.1:
    /usr/local/cpanel
    /usr/local/cpanel/3rdparty/perl/522/lib/perl5/cpanel_lib/i386-linux-64int
    /usr/local/cpanel/3rdparty/perl/522/lib/perl5/cpanel_lib
    /usr/local/cpanel/3rdparty/perl/522/lib/perl5/5.22.1/i386-linux-64int
    /usr/local/cpanel/3rdparty/perl/522/lib/perl5/5.22.1
    /opt/cpanel/perl5/522/site_lib/i386-linux-64int
    /opt/cpanel/perl5/522/site_lib



Environment for perl 5.22.1:
    HOME=/root
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/local/cpanel/bin:/usr/local/cpanel/3rdparty/bin:/usr/local/cpanel/3rdparty/perl/522/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/opt/cpanel/perl5/514/bin
    PERL_BADLANG (unset)
    SHELL=/bin/zsh


p5pRT commented Jan 19, 2016

From zefram@fysh.org

Todd Rinaldo wrote:

> While I really don't agree with the opening premise, maybe there's
> additional background related to some sort of security issue?

The old behaviour was very surprising, because it meant you could
silently get a module version that is contrary to what PERL5LIB was
configured for. This is a specific case of the general pattern that
it is usually dangerous to ignore errors. If you didn't really mean to
use the modules in /root/foo, you shouldn't have it in PERL5LIB.

> Regardless the state of things now is that I can force a perl script
> to fail by setting PERL5LIB to an inaccessible path. I'm not sure if
> this is a good thing?

It's neither good nor bad, it's just a thing, and not a new thing.
You could always force a perl script to fail by setting PERL5LIB to point
at a directory containing nobbled versions of key modules. You could
also make it fail, even if it ignores the environmental PERL5LIB, by
setting memory-related resource limits too low. Or by LD_PRELOADing
something noxious. Or by sending it a signal it wasn't expecting.
And so on. There are, in general, a dizzying profusion of ways to
deliberately make a Unix program fail.

-zefram
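
A preflight check for the situation discussed in this thread, as an added example that is not part of the ticket or of perl itself: it walks a candidate PERL5LIB value in order and reports the first entry where require would either load the file or stop on a permission error. The script name inc_audit.pl, the audit_path helper and the CANDIDATE_PERL5LIB variable are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the ticket. Run it with PERL5LIB unset, e.g.
#   env -u PERL5LIB perl inc_audit.pl "$CANDIDATE_PERL5LIB" strict.pm
# This script loads strict and warnings itself, so it would hit the same
# failure if the path under test were already in effect.
use strict;
use warnings;

# Open "$dir/$file" in each directory, in order, and classify by errno.
#   ENOENT/ENOTDIR: require moves on to the next directory.
#   EACCES (unreadable file, or a parent such as /root not searchable):
#   require dies instead of continuing, as on the perl 5.22 in the report.
sub audit_path {
    my ($file, @dirs) = @_;
    my @report;
    for my $dir (@dirs) {
        my $status;
        if (open my $fh, '<', "$dir/$file") {
            $status = (-d $fh) ? 'absent' : 'found';   # a directory is not a module
            close $fh;
        }
        elsif ($!{ENOENT} || $!{ENOTDIR}) { $status = 'absent' }
        elsif ($!{EACCES})                { $status = 'blocked' }
        else                              { $status = "error ($!)" }
        push @report, { dir => $dir, status => $status };
        # Entries after the first found/blocked one are never consulted.
        last if $status eq 'found' || $status eq 'blocked';
    }
    return @report;
}

my ($dirlist, $file) = @ARGV;
die "usage: $0 DIR1:DIR2:... [Module/File.pm]\n" unless defined $dirlist;
$file //= 'strict.pm';

my @report = audit_path($file, grep { length } split /:/, $dirlist);
printf "%-8s %s\n", $_->{status}, $_->{dir} for @report;

my $last = @report ? $report[-1] : { status => 'absent' };
if ($last->{status} eq 'found') {
    print "require would load $last->{dir}/$file\n";
}
elsif ($last->{status} eq 'blocked') {
    print "require would die on $last->{dir}/$file (permission denied)\n";
    exit 1;
}
else {
    print "$file is in none of the listed directories; the search continues\n";
}
```

Run it as the unprivileged account the real script will use, since the result depends on the effective uid.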


p5pRT commented Jan 19, 2016

The RT System itself - Status changed from 'new' to 'open'

@p5pRT p5pRT closed this as completed Mar 25, 2016

p5pRT commented Mar 25, 2016

@iabyn - Status changed from 'open' to 'rejected'
