From: Roland G. <r.g...@xs...> - 2001-07-04 07:55:17
a-i...@no... wrote:
>
> Thanks for your advice. Well, I have read perlsec and stuff about tainted
> variables. But I don't really have time to change my code since my course
> project is due this Thursday. I am just trying to implement this key and
> encryption functions besides the regular e-commerce site. Now I think I am
> getting closer to find out a working - but probably not as secure as it sounds
> - implementation. First of all when I run the cgi script as setuid (I have
> created the script as a root) I got this error message before generating the
> key
>
> Insecure $ENV{PATH} while running setuid at
> /usr/lib/perl5/site_perl/5.6.0/Expect.pm line 114. This is where expect
> executes the spawn command.

Right. And the error means that you haven't set or filtered the PATH.

When perl runs setuid root, it automatically enables taint checking. As the PATH comes from outside (not under perl's control), it is set tainted, which means that it needs special treatment so as to not open a security hole (by changing the PATH, an intruder could run arbitrary programs as root).

The solution is simple: just set $ENV{PATH} to some fixed value appropriate for your system inside your script, e.g.

    /bin:/usr/bin:/path/to/pgp

That way, the PATH becomes untainted and the exec succeeds.

Hope this helps,

Roland

PS: don't know if you are required to use PGP keys, but if not it would be much easier just to give the customer a list of TANs upon sign-up and the customer has to send one TAN with every e-mail order. Creation of TANs is very easy to do by yourself (just create them randomly from a dictionary of letters and numbers, leaving out similar characters like 'l' and '1', '0' and 'O', '8' and 'B'), it makes no difference if you store the PGP keys or the TAN lists and the verification process isn't too different either. But the customer has to get a new TAN list from time to time, when the old ones are depleted.
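The fix described in the reply, as an added example that is not part of the original message: a taint-mode script that pins PATH, drops the other shell-influencing variables perlsec lists, and untaints one input before running a command. The `untaint_key_id` helper, the key-id pattern, the sample value and the `echo` stand-in command are assumptions made for illustration; `/path/to/pgp` is the placeholder from the message.

```perl
#!/usr/bin/perl -T
# Added example. -T turns on the same taint checks that perl enables
# automatically when a script runs setuid.
use strict;
use warnings;

# 1. Replace the inherited (tainted) PATH with a fixed value.
#    /path/to/pgp is the placeholder used in the message above.
$ENV{PATH} = '/bin:/usr/bin:/path/to/pgp';

# 2. perlsec also advises removing these variables, because a shell
#    started by a child process would honour them.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 3. Data from outside stays tainted until it is extracted through a
#    regex capture. Hypothetical helper: accepts a short identifier
#    made of safe characters and returns the untainted capture,
#    or undef if the input does not match.
sub untaint_key_id {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9._-]{1,64})\z/ ? $1 : undef;
}

# Constructed sample input. Command-line arguments are tainted under -T;
# in a CGI script the value would come from a form parameter instead.
my $raw_id = defined $ARGV[0] ? $ARGV[0] : 'customer-0001';
my $key_id = untaint_key_id($raw_id);
die "rejected key id\n" unless defined $key_id;

# 4. List-form system() runs the program directly, with no shell to
#    interpret metacharacters. 'echo' stands in for the real key tool
#    and is found through the fixed PATH set in step 1.
system('echo', "would generate key for $key_id") == 0
    or die "command failed: $?\n";
```

Commenting out step 1 and running the script with `perl -T` reproduces the `Insecure $ENV{PATH}` error quoted in the message.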