[syslog-ng] Error: Insecure $ENV{PATH}
Alexander Clouter
ac56 at soas.ac.uk
Mon Feb 26 19:31:02 CET 2007
Hi,
"Marcus Vinícius S. Mendes" <marcusvi at cptec.inpe.br> [20070226 14:37:26 -0300]:
>
> Hello,
> I'm using a OpenSuse Linux 10.2 with kernel 2.6.18.2-34-default.
>
> I have a script in perl (hupsyslog) that need to get an environment
> variable.
> I'd gave permission of SUID to 'sperl' (that is a hard link to
> 'suidperl') as the system says.
> So now, I get this error message:
>
> Insecure $ENV{PATH} while running setuid at /usr/local/ldm/bin/hupsyslog
> line 24.
>
This is not a syslog-ng issue:
http://www.perl.com/doc/manual/html/pod/perlsec.html
> The line 24 is as follows:
>
> ($os,$hostname,$version) = split(/ /,`uname -a`);
>
> What can I do about this?
>
...what happens if someone can persuade the $ENV{PATH} to become:
PATH=/tmp/evilprograms:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
The 'uname' that's run could be '/tmp/evilprograms/uname' instead of the
program you are expecting, '/bin/uname'.
To be honest you should be not executing programs from within programs as it
makes the code unportable and introduces security problems like the one I
just showed above.
You should use $^O/$OSNAME as stated in 'man perlfaq8'. There are other OS
independent ways to determine OS version and the hostname; I'll leave it to
you to discover them as an educational exercise :)
> The system looks let the script not use environment variables.
> Any hints?
>
Do not suidperl scripts...its usually asking for trouble in my book. What is
it that you are actually doing with the script that means it needs to be
suid? It screams alarm bells in my head that a pipe service for syslog-ng
needs this.
Often with a bit of thinking you can work around this problem but it really
depends on what you are trying to do.
Cheers
Alex
More information about the syslog-ng
mailing list