2008年8月26日星期二

note: security validation in perl

今天同事碰到一个奇怪的问题, 在debian/etch 下restart/stop/start postgresql-8.1 时无法成功:
Restarting PostgreSQL 8.1 database server: main* Insecure directory in $ENV{PATH} while running with -T switch at /usr/bin/pg_ctlcluster line 352.
Insecure directory in $ENV{PATH} while running with -T switch at /usr/bin/pg_ctlcluster line 360.(does not shutdown gracefully, now stopping immediately)
failed!
首先是以为postgresql出了问题, 所以在google中寻找有postgresql关键字的信息, 没有太多有用内容, 只找到了
http://archives.postgresql.org/pgsql-admin/2006-10/msg00219.php


提议将/usr/bin/pg_ctlcluster 中第一行的 "#!/usr/bin/perl -wT" 改成 "#!/usr/bin/perl -wt", 但是这个建议显然非常hacky, 根据 (不熟悉perl :( ):

http://www252.pair.com/comdog/mastering_perl/Chapters/03.taint-checking.html

现在看来肯定是$ENV{PATH}存在安全隐患, 而根据'perlsec' page (i.e. Perl security help):

For "Insecure $ENV{PATH}" messages, you need to set $ENV{'PATH'} to a known value, and each directory in the path must be non-writable by others than its owner and group.
看来这个问题就来源与可能有人修改了环境变量PATH中对应目录列表的权限, 果不其然, /usr/local/bin被修改:
drwxrwxrwx 2 root staff 4.0K 2007-12-25 16:43 bin
drwxrwxrwx 2 root staff 4.0K 2007-12-25 16:43 etc
drwxrwxrwx 2 root staff 4.0K 2007-12-25 16:43 games
drwxrwxrwx 2 root staff 4.0K 2007-12-25 16:43 include
drwxrwxrwx 5 root staff 4.0K 2008-08-25 13:57 lib
drwxrwxrwx 5 root staff 4.0K 2008-08-01 13:43 lps-3.1
lrwxrwxrwx 1 root staff 9 2007-12-25 16:43 man -> share/man
drwxrwxrwx 2 root staff 4.0K 2007-12-25 16:43 sbin
drwxrwxrwx 8 root staff 4.0K 2008-08-25 13:58 share
drwxrwxrwx 2 root staff 4.0K 2007-12-25 16:43 src
如此的安全隐患检查的确很有意思 :P

没有评论: