rights problem with perl #9835

p5pRT opened this issue Aug 17, 2009 · 5 comments
p5pRT commented Aug 17, 2009

Migrated from rt.perl.org#68612 (status was 'open')

Searchable as RT68612$

p5pRT commented Aug 17, 2009

From sstrickroth@gym-oha.de

Created by sstrickroth@gym-oha.de

This is a bug report for perl from sstrickroth@gym-oha.de,
generated with the help of perlbug 1.36 running under perl 5.10.0.

-----------------------------------------------------------------
[apache@proxy /tmp]$ id
uid=48(apache) gid=48(apache) groups=16(nagcmd),48(apache)
[apache@proxy /tmp]$ cat bug.pl
#!/usr/bin/perl
use File::Copy;
print copy("/usr/www/cgi-bin/daten/newsanzeiger/Projekttag.jpg","/tmp/1")."\n";
system("cat /usr/www/cgi-bin/daten/newsanzeiger/Projekttag.jpg");
[apache@proxy /tmp]$ mount
//fileserver/newsanzeiger on /usr/www/cgi-bin/daten/newsanzeiger type cifs (ro,mand,noexec,nosuid,nodev)
[apache@proxy /tmp]$ ls -las /usr/www/cgi-bin/daten/newsanzeiger/Projekttag.jpg
68 -rwxrwx--- 1 root apache 63913 Aug 17 14:58 /usr/www/cgi-bin/daten/newsanzeiger/Projekttag.jpg
[apache@proxy /tmp]$ head /usr/www/cgi-bin/daten/newsanzeiger/Projekttag.jpg
ÿØÿàJFIFÿÛC
$.' ",#(7),01444'9=82<.342ÿÛC
2!!22222222222222222222222222222222222222222222222222ÿÐÀ"ÿÄÄÿÚ
å\]Lªå°2ÇÚ¹"ÒI<°2ÀË,»U$R
񒫪,
...
[apache@proxy /tmp]$ ./bug.pl
1
cat: /usr/www/cgi-bin/daten/newsanzeiger/Projekttag.jpg: Permission denied
[apache@proxy /tmp]$

User/group apache has the rights to open that file, but with perl: no.

Perl Info

Flags:
    category=core
    severity=critical

Site configuration information for perl 5.10.0:

Configured by Mandriva at Thu Apr  9 15:16:51 MEST 2009.

Summary of my perl5 (revision 5 version 10 subversion 0) configuration:
  Platform:
    osname=linux, osvers=2.6.29.1-grsec, archname=i386-linux-thread-multi
    uname='linux sven 2.6.29.1-grsec #2 smp wed apr 8 22:30:03 mest 2009 i686 intel(r) core(tm)2 quad cpu q6600 @ 2.40ghz gnulinux '
    config_args='-des -Dinc_version_list=5.8.8 5.8.7 5.8.6 5.8.5 5.8.4 5.8.3 5.8.2 5.8.1 5.8.0 5.6.1 5.6.0 -Darchname=i386-linux -Dcc=i586-mrtux-linux-gnu-gcc -Doptimize=-O2  -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -fomit-frame-pointer -march=i586 -mtune=generic -fasynchronous-unwind-tables -DDEBUGGING=-g -Dprefix=/usr -Dvendorprefix=/usr -Dsiteprefix=/usr -Dsitebin=/usr/local/bin -Dsiteman1dir=/usr/local/share/man/man1 -Dsiteman3dir=/usr/local/share/man/man3 -Dman3ext=3pm -Dcf_by=MrTux -Dmyhostname=localhost -Dperladmin=root@localhost -Dcf_email=root@localhost -Dd_dosuid -Ud_csh -Duseshrplib -Duseithreads -Di_db -Di_ndbm -Di_gdbm'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='i586-mandriva-linux-gnu-gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
    optimize='-O2 -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -fomit-frame-pointer -march=i586 -mtune=generic -fasynchronous-unwind-tables -g',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -I/usr/local/include -I/usr/include/gdbm'
    ccversion='', gccversion='4.3.2', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='i586-mandriva-linux-gnu-gcc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=/lib/libc-2.8.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.8'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/lib/perl5/5.10.0/i386-linux-thread-multi/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -fomit-frame-pointer -march=i586 -mtune=generic -fasynchronous-unwind-tables -g -L/usr/local/lib'

Locally applied patches:
    Mandriva Linux patches


@INC for perl 5.10.0:
    /usr/lib/perl5/site_perl/5.10.0/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.10.0
    /usr/lib/perl5/vendor_perl/5.10.0/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.10.0
    /usr/lib/perl5/5.10.0/i386-linux-thread-multi
    /usr/lib/perl5/5.10.0
    /usr/lib/perl5/site_perl
    /usr/lib/perl5/vendor_perl/5.8.8
    /usr/lib/perl5/vendor_perl/5.8.7
    /usr/lib/perl5/vendor_perl/5.8.5
    /usr/lib/perl5/vendor_perl
    .


Environment for perl 5.10.0:
    HOME=/home/sstrickroth
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/usr/games:/home/sstrickroth/bin
    PERL_BADLANG (unset)
    SHELL=/bin/bash

p5pRT commented Aug 18, 2009

From @moritz

On Mon Aug 17 11:40:43 2009, sstrickroth@gym-oha.de wrote:

> User/group apache has the rights to open that file, but with perl: no.

Is selinux or a similar security feature enabled on that machine?

Moritz

p5pRT commented Aug 18, 2009

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Aug 18, 2009

From @tonycoz

On Mon, Aug 17, 2009 at 11:40:43AM -0700, sstrickroth@gym-oha.de (via RT) wrote:

> [apache@proxy /tmp]$ id
> uid=48(apache) gid=48(apache) groups=16(nagcmd),48(apache)
> [apache@proxy /tmp]$ cat bug.pl
> #!/usr/bin/perl
> use File::Copy;
> print copy("/usr/www/cgi-bin/daten/newsanzeiger/Projekttag.jpg","/tmp/1")."\n";
> system("cat /usr/www/cgi-bin/daten/newsanzeiger/Projekttag.jpg");
> [apache@proxy /tmp]$ mount
> //fileserver/newsanzeiger on /usr/www/cgi-bin/daten/newsanzeiger type cifs (ro,mand,noexec,nosuid,nodev)
> [apache@proxy /tmp]$ ls -las /usr/www/cgi-bin/daten/newsanzeiger/Projekttag.jpg
> 68 -rwxrwx--- 1 root apache 63913 Aug 17 14:58 /usr/www/cgi-bin/daten/newsanzeiger/Projekttag.jpg
> [apache@proxy /tmp]$ head /usr/www/cgi-bin/daten/newsanzeiger/Projekttag.jpg
> ÿØÿàJFIFÿÛC
> $.' ",#(7),01444'9=82<.342ÿÛC
> 2!!22222222222222222222222222222222222222222222222222ÿÐÀ"ÿÄÄÿÚ
> å\]Lªå°2ÇÚ¹"ÒI<°2ÀË,»U$R
> 񒫪,
> ...
> [apache@proxy /tmp]$ ./bug.pl
> 1

This indicates the call to copy() was successful.

Is the output file the correct size and content?

> cat: /usr/www/cgi-bin/daten/newsanzeiger/Projekttag.jpg: Permission denied

But cat failed.

> [apache@proxy /tmp]$
>
> User/group apache has the rights to open that file, but with perl: no.

I do wonder if bug.pl is setuid, but copy succeeding and cat failing
seems contradictory anyway.

--
Tony
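
The two checks raised in the reply above (whether the copy really has the right size and content, and whether a setuid bit changes the script's identity) can be collected in one run, together with the in-process versus child-process comparison from the report. This is an added diagnostic example, not code from the ticket or from perl5; with no argument it uses a constructed temporary file, and it assumes a Unix system with `cat` and `/dev/null`.

```perl
# Added diagnostic sketch; not code from the ticket or from perl5.
use strict; use warnings;
use File::Copy qw(copy);
use File::Temp qw(tempfile);
use Digest::SHA;
$| = 1;    # flush before fork so buffered output is not written twice

# SHA-256 of a file's bytes, or undef if this process cannot open it.
sub sha256_of {
    my ($path) = @_;
    open(my $fh, '<:raw', $path) or return;
    return Digest::SHA->new(256)->addfile($fh)->hexdigest;
}

# Source: the path given as the first argument, else a constructed sample.
my $src = shift @ARGV;
unless (defined $src) {
    (my $fh, $src) = tempfile(UNLINK => 1);
    print {$fh} "constructed sample data\n" x 100;
    close $fh or die "close: $!";
}
my (undef, $dst) = tempfile(UNLINK => 1);

# 1. Identity: under setuid, real and effective IDs differ.
printf "uid=%d euid=%d gids=[%s] egids=[%s]\n", $<, $>, $(, $);
my @st = stat($src) or die "stat $src: $!";
printf "source mode=%04o owner=%d group=%d\n", $st[2] & 07777, @st[4, 5];
printf "script setuid bit: %s\n", (((stat $0)[2] // 0) & 04000) ? 'set' : 'clear';

# 2. In-process: does copy() really deliver the same bytes?
my $want = sha256_of($src);
print "open in perl: ", (defined $want ? "ok" : "failed: $!"), "\n";
my $copied = copy($src, $dst) ? 1 : 0;
my $got    = sha256_of($dst);
my $same   = defined $want && defined $got && $want eq $got;
printf "copy()=%d src=%d bytes dst=%d bytes content=%s\n", $copied,
    (-s $src) || 0, (-s $dst) || 0, $same ? 'identical' : 'DIFFERS';

# 3. Child process: exec cat directly (no shell), discarding its output.
my $pid = fork() // die "fork: $!";
if ($pid == 0) {
    open(STDOUT, '>', '/dev/null') or die "redirect: $!";
    exec('cat', '--', $src) or die "exec cat: $!";
}
waitpid($pid, 0);
my $child_ok = $? == 0 ? 1 : 0;
printf "child cat: %s (wait status %d)\n", $child_ok ? 'ok' : 'failed', $?;
print "MISMATCH between in-process and child access\n"
    if (defined $want ? 1 : 0) != $child_ok;
```

Run it as the affected account with the problem path as the first argument; a `MISMATCH` line means the Perl process and its child were treated differently for the same file.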

p5pRT commented Aug 18, 2009

From sven.strickroth@tu-clausthal.de

Hi,

On 18.08.2009 at 10:40, Moritz Lenz via RT wrote:

> On Mon Aug 17 11:40:43 2009, sstrickroth@gym-oha.de wrote:
>
>> User/group apache has the rights to open that file, but with perl: no.
>
> Is selinux or a similar security feature enabled on that machine?

No, GRSecurity is compiled in, but RBAC is disabled.

--
Best regards,
Sven
ClamAV, a GPL anti-virus toolkit http://www.clamav.net
