Re: [Expectperl-discuss] Disable Taint mode in Perl

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

My "requirement" is a script executed by ops user calls the perl file as ap=
p user (using suid only) =0A=0AHence perl taint mode is getting ON.=0A=0AI =
tried cleansing INC as mentioned. However it yet fails with cannot find pm =
in INC and shows only the default PERLLIB not the one set in the sh file. =
=0A=0APlease advise.=0A=0ARegards,=0AThomas=0A=0A=0AOn Thu, 04 Jan 2007 Chr=
is Snyder wrote :=0A>Normally taint mode is off by default.=0A>=0A>However =
according to perldoc perlsec, if perl notices that the real and=0A>effectiv=
e uids and/or gids differ, it will turn taint mode on.=0A>=0A>If you can ma=
ke sure that the real and effective uids/gids are the same,=0A>and make sur=
e you are not explicitly invoking taint mode (-T), you=0A>shouldn't have a =
problem.=0A>=0A>Otherwise I suppose a simple yet relatively niave way of de=
aling with=0A>this would be to do something like this:=0A>=0A>foreach my $k=
 (@INC)=0A>{=0A>     if($k =3D~ /(.*))=0A>     {$k =3D $1;}=0A>}=0A>=0A>Thi=
s should preserve @INC as it is, but at the same time convince perl=0A>that=
 you have "inspected" the values, and thus they are no longer=0A>tainted.=
=0A>=0A>Note that you have NOT inspected the values, at least not very=0A>t=
horoughly.=0A>=0A>Always remember, just because I think something is true, =
doesn't make it=0A>so.  If you take my advice, and it destroys your system,=
 I will feel=0A>badly.  I won't accept any responsibility, but I'll still f=
eel bad for=0A>you.=0A>=0A>Have a nice day,=0A>Chris=0A>=0A>On Thu, 2007-01=
-04 at 13:51 +0000, Thomas Rosario wrote:=0A> > Hi,=0A> > I am using Perl v=
 5.6.1 on HP-UX 11.11i=0A> >=0A> > Scenario is as follows:=0A> > 1. General=
 Ops user (opsusr) runs a C binary (mybin)=0A> > mybin (owner: app Mode: 47=
50 [SUID bit is set])=0A> > 2. The mybin file calls a shell script (myshell=
.sh) as app user=0A> > 3. myshell.sh sets the PERLLIB and calls a perl file=
 as app user=0A> >=0A> > Problem:=0A> > Perl complains about @INC since tai=
nt mode is on (effective user !=3D=0A> > real user)=0A> >=0A> > What I need=
:=0A> > Disable taint mode completely on the UX server... no worries about=
=0A> > security!=0A> >=0A> > Can this be achieved and how?=0A> >=0A> > Tx,=
=0A> > Thomas=0A=0A=0A