

#3909 need to add "." to @INC for suid support

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2011-05-04
Created: 2011-05-04
Creator: Anonymous
Private: No

When running under Apache with suid scripts, the @INC array does not include the current directory ("."). This breaks all sorts of stuff in semi-spectacular ways. :) I've resolved this by running through all of the scripts and adding "." to the push line in the BEGIN block, as in:

push(@INC, "..", ".")

This behavior is described in perlsec at "Taint mode and @INC". This also explains why setting PERLLIB or PERL5LIB in the Apache config doesn't help. :) I felt that updating the push was the simplest solution to this behavior.
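The @INC behaviour the report runs into is worth seeing in isolation, together with a less risky fix than trusting the current directory. The script below is an added example, not Webmin code: under taint mode (-T, which perlsec also describes for setuid scripts) Perl ignores PERLLIB/PERL5LIB and does not search ".", so a bare `require "webmin-lib.pl"` finds nothing unless the script itself extends @INC. Pushing "." and ".." makes library lookup depend on whatever the working directory happens to be when Apache starts the script; pushing the script's own directory, resolved to an absolute path via FindBin and untainted, gives the same effect without that dependency. The file name `webmin-lib.pl` comes from the report; the helper names and the untainting pattern are assumptions made for this illustration. (Perl 5.26 and later drop "." from @INC in every mode, not only under -T, so the same fix applies there.)

```perl
#!/usr/bin/perl -T
# Added example (not Webmin's own code): how taint mode changes @INC
# and how to point @INC at the script's directory without trusting the
# current working directory. Run it as: perl -T thisfile.pl
use strict;
use warnings;
use FindBin qw($RealBin);       # directory of the running script, symlinks resolved
use File::Basename qw(dirname);
use File::Spec;

# Walk @INC the way require does for a relative file name. Under -T,
# "." is absent and PERL5LIB is ignored, so only compiled-in dirs and
# whatever the script added itself are searched.
sub find_in_inc {
    my ($file) = @_;
    for my $dir (@INC) {
        next if ref $dir;                      # skip @INC hooks (coderefs/objects)
        my $path = File::Spec->catfile($dir, $file);
        return $path if -f $path;
    }
    return undef;
}

# Option A: what the report did. Works, but whichever directory the
# process was started in (and its parent) now becomes a library path,
# so a planted webmin-lib.pl there would be loaded with the script's
# privileges.
sub add_cwd_to_inc {
    push @INC, "..", ".";
    return scalar @INC;
}

# Option B: add the script's own directory and its parent by absolute
# path. FindBin's values are tainted under -T, so untaint with a
# pattern that only admits a plain absolute path and then reject any
# ".." component (the pattern itself is an assumption for this example;
# tighten it to whatever your install paths actually look like).
sub add_script_dir_to_inc {
    my $dir = $RealBin;
    ($dir) = $dir =~ m{^(/[\w./-]+)\z} or die "refusing suspicious script dir\n";
    die "refusing path containing ..\n" if $dir =~ m{(^|/)\.\.(/|\z)};
    unshift @INC, $dir, dirname($dir);       # module dir first, then its parent
    return $dir;
}

my $lib = 'webmin-lib.pl';                   # name taken from the report
printf "before: %s\n", find_in_inc($lib) // '(not found in @INC)';
my $added = add_script_dir_to_inc();
printf "added %s and %s to \@INC\n", $added, dirname($added);
printf "after:  %s\n", find_in_inc($lib) // '(not found in @INC)';
```

Place a file named webmin-lib.pl next to the script (or in its parent directory) and the "after" line reports the resolved path; move the script elsewhere and it still resolves the same file, which is exactly what pushing "." does not guarantee. Note that with -T on the shebang line, invoking the file as `perl thisfile.pl` (without -T) is refused by Perl.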

Discussion

  • Jamie Cameron
    2011-05-04

    What goes wrong exactly if . is not in @INC ?

    Side question - why are you trying to run Webmin under Apache in the first place? It is poorly supported and offers very few benefits ..


  • Anonymous
    2011-05-04

    The "require webmin-lib.pl" doesn't work, which made a big chunk of modules misbehave. For example, a module would load, but the config link wouldn't work. The index page didn't work right. Things like that. I didn't spend a lot of time identifying everything that was broken, as it basically was a mess, and adding . to @INC fixed it. :)

    As far as why Apache:
    I need more flexible authentication. Unfortunately, I can't post in public the exact scenario, but the basic need is Kerberos ticket-based authentication. While the database back end support would allow my list of users to scale like I want (I'm looking at a user count in the tens of thousands, though probably under 100 simultaneously active), I can't legitimately integrate another password repository for users to keep track of. PAM support doesn't quite get me where I need to go, as the perl PAM module has caused substantial issues for us in the past (like the bug where users' passwords were exposed via syslog), it's a hassle to get the perl module installed, and our AD-PAM integration scheme essentially requires that users have local access to the system. I can either do a one-off PAM configuration for each system which hosts a webmin server, or use an existing technology to authenticate users via Apache.

    This is tied to my feature request for a flexible group membership plugin. I'd like to be able to make it so that we just define a few groups in Webmin with access control rules, and then enterprise users can use their existing credentials and defined roles to be mapped into Webmin without the need for an external script that keeps a separate user database in sync.

    The other reason is that we already have a well-established mechanism for ensuring that Apache is up and running - and that it's configured consistently with ssl certificates, etc. And I'm really just using Webmin as a framework to support some custom modules to control some in-house tools. The only actual webmin modules I'm using are the custom commands module for a few things that don't justify a full new module, the log module to essentially audit stuff, and the acl module (through an external script) to auto-populate group memberships from AD groups. That, and the occasional foreign require to use functionality in the default modules.

    I understand that it's poorly supported, but I figure that I'm a decent perl developer, and the benefits to me currently outweigh the minor cost of tracking down a few minor problems. Besides, I'd hate for you to get bored. :)