Dear Ambrose,

The ripe-dbase-2.0.4/README file writes:

- perl has some built-in checks for suid perl scripts. These are all taken care of, so dbupdate should not complain about not being able to do things because it is running suid or sgid. Have a look in the code for dbupdate to see what silly things one has to do to get around these checks ...

kissg writes:

This is not enough. ;-)
Under Solaris 2.5, and with ...

    This is perl, version 5.003 with EMBED
    built under solaris at Sep 17 1996 16:40:19
    + suidperl security patch

I get:

"Insecure dependency in open while running with -T switch at /usr/local/whois/lib/addkey.pl line 52."

    52: if (open(OVERFLOWADD, ">>".$db[1].$OVERFLOWEXTENSION.$value)) {

I tried at least six different tricks to avoid this message. No success. (Hardcoded direct setuid C wrapper is not included in the six.)

Any suggestion?

Gabor

Hi Gabor,

Gabor Kiss writes:
> "Insecure dependency in open while running with -T switch at /usr/local/whois/lib/addkey.pl line 52."
>
> 52: if (open(OVERFLOWADD, ">>".$db[1].$OVERFLOWEXTENSION.$value)) {
>
> I tried at least six different tricks to avoid this message. No success. (Hardcoded direct setuid C wrapper is not included in the six.)
>
> Any suggestion?

$filename=~

Could you try this:

in dbopen change:

    sub dbname {
        local(*entry)=@_;
        local($name)=$DBFILE{$entry{"so"}};
        $name.=".".&entype(*entry) if ($SPLIT{$entry{"so"}});
        print STDERR "dbname - name: $name\n" if ($opt_V);
        return $name;
    }

to:

    sub dbname {
        local(*entry)=@_;
        local($name);
        #
        # untaint db file name
        $DBFILE{$entry{"so"}}=~ /(.*)/;
        $name=$1;
        $name.=".".&entype(*entry) if ($SPLIT{$entry{"so"}});
        print STDERR "dbname - name: $name\n" if ($opt_V);
        return $name;
    }

I have not tested this code. Please let me know if it works. No need to CC the whole db-wg mailing list since it is not really a design issue ...

Note that I also found a couple of other (small) problems with perl5. As the documentation says:

It looks like perl5 is working now but we don't give any guarantees and are interested in problems you might find.

I will collect this stuff for one big patch file (including RPSL extensions) for Ambrose.

David K.
---
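
Added example, not part of either message and not ripe-dbase code: the same capture-group untainting discussed in the thread, but with an allowlist pattern that validates the file name before it reaches open(). The helper name untaint_dbname, the permitted character set and the sample paths are assumptions made for this illustration.

```perl
#!/usr/bin/perl -T
# Added example, not ripe-dbase code. Run as: perl -T untaint_dbname.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "run with -T so that taint checks are active\n" unless ${^TAINT};

# Hypothetical helper: return an untainted copy of $name if it is an absolute
# path whose components start with [A-Za-z0-9_] and continue with
# [A-Za-z0-9_.-]; otherwise return undef. The character set is an assumption.
sub untaint_dbname {
    my ($name) = @_;
    return undef unless defined $name;
    my $component = qr{[A-Za-z0-9_][A-Za-z0-9_.-]*};
    # Only a captured submatch is untainted; \A and \z anchor the whole
    # string, so "..", a trailing newline or a relative name cannot match.
    return $name =~ m{\A((?:/$component)+)\z} ? $1 : undef;
}

# Zero-length string that carries taint: $^X is tainted under -T.
my $TAINT = substr($^X, 0, 0);

# Constructed sample names (not paths from the ripe-dbase distribution).
my @samples = (
    "/var/tmp/example-db/ripe.db.overflow.mt",
    "/var/tmp/example-db/../../etc/passwd",
    "/var/tmp/example-db/ripe.db\n",
    "relative/name",
);

for my $raw (map { $_ . $TAINT } @samples) {
    (my $shown = $raw) =~ s/\n/\\n/g;
    my $clean = untaint_dbname($raw);
    printf "%-42s tainted=%d -> %s\n", $shown, tainted($raw) ? 1 : 0,
        defined $clean ? "accepted, tainted=" . (tainted($clean) ? 1 : 0)
                       : "rejected";
}

# The failure from the thread: a tainted name in an append-mode open dies
# before the file is touched, so nothing is created here.
my $tainted_name = $samples[0] . $TAINT;
eval { open(my $fh, '>>', $tainted_name) or die "open failed: $!\n"; };
print "open with tainted name: $@";

# /(.*)/ also clears the taint flag, but performs no validation at all.
($samples[1] . $TAINT) =~ /(.*)/;
print "/(.*)/ passes through: $1 (tainted=", (tainted($1) ? 1 : 0), ")\n";
```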