Received: with ECARTIS (v1.0.0; list gopher);
 Sat, 30 Jun 2007 09:37:58 -0500 (CDT)
Received: from static-71-170-11-156.dllstx.dsl-w.verizon.net ([71.170.11.156]
 helo=turquoise.pongonova.net)
	by glockenspiel.complete.org with esmtp
	(Exim 4.63)
	id 1I4e5E-0000Qj-BC
	for gopher@complete.org; Sat, 30 Jun 2007 09:37:57 -0500
Received: by turquoise.pongonova.net (Postfix, from userid 1000)
	id 297C4674; Sat, 30 Jun 2007 08:40:16 -0500 (CDT)
Date: Sat, 30 Jun 2007 08:40:15 -0500
From: brian@pongonova.net
To: gopher@complete.org
Subject: [gopher] Re: Bucktooth questions
Message-ID: <20070630134015.GA6348@pongonova.net>
References: <20070630062739.GB5388@pongonova.net>
 <200706301409.l5UE9ZBY015354@floodgap.com>
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200706301409.l5UE9ZBY015354@floodgap.com>
User-Agent: Mutt/1.5.5.1i
X-Spam-Status: No (score 0.6): AWL=0.000, NO_REAL_NAME=0.55
X-Virus-Scanned: by Exiscan on glockenspiel.complete.org at Sat,
 30 Jun 2007 09:37:57 -0500
Content-Transfer-Encoding: 8bit
X-archive-position: 1633
X-ecartis-version: Ecartis v1.0.0
Sender: gopher-bounce@complete.org
Errors-to: gopher-bounce@complete.org
X-original-sender: brian@pongonova.net
Precedence: bulk
Reply-to: gopher@complete.org
List-help: <mailto:ecartis@complete.org?Subject=help>
List-unsubscribe: <mailto:gopher-request@complete.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: Gopher <gopher.complete.org>
X-List-ID: Gopher <gopher.complete.org>
List-subscribe: <mailto:gopher-request@complete.org?Subject=subscribe>
List-owner: <mailto:jgoerzen@complete.org>
List-post: <mailto:gopher@complete.org>
List-archive: <http://www.complete.org/mailinglists/archives/>
X-list: gopher

On Sat, Jun 30, 2007 at 07:09:35AM -0700, Cameron Kaiser wrote:
> > Well, finally got around to setting up Bucktooth.  Right now I'm
> > testing on an iBook, but will end up running everything on a Linux
> > box.  I'm running under xinetd as user "www".  I had to make the
> > following mods to buckd to get things to work under setgid:

Cameron--

It's not your code (but forcing it to run under taint mode might be a
good idea).  It's just Perl saying "Hey, in case you didn't realize
it, I'm running this in taint mode, even though you didn't specify -T,
and you'll have to live with it."  Living with "it" means doing things
like untaininting $ENV{PATH} (even if it's not used -- a requirement
when calling exec(), because an exec'd() process would have access to
whatever is in $ENV{PATH}).

Let's see...perl version is 5.8.1.  

Here are a couple of error messages:

* No -s allowed while running setgid.
* Insecure dependency in exec while running setgid at /usr/local/bin/buckd line 2 79, <STDIN> line 1.
* Insecure $ENV{PATH} while running setgid at /usr/local/bin/buckd line 277, <STD IN> line 1.

Here were the changes to get things working:

--- buckd.orig  Sat Jun 30 09:27:18 2007
+++ buckd   Sat Jun 30 09:25:27 2007
@@ -1,4 +1,4 @@
-#!/usr/bin/perl -s
+#!/usr/bin/perl
    
 #####################################################################
 # Bucktooth 0.2.1 (c)1999, 2001-2006 Cameron Kaiser                 #
@@ -65,6 +65,18 @@
        exit;
    }
    ($request, $dinfo) = split(/\?/, $orq, 2);
+   if ($dinfo =~ /^([ -\@\w.]+)$/) {
+       $dinfo = $1; 
+   } elsif($dinfo) { 
+       &log("Bad data in \$dinfo: '$dinfo'");
+       exit;
+   }
+   if ($request =~ /^([\/-\@\w.]+)$/) {
+       $request = $1; 
+   } elsif($request) {
+       &log("Bad data in \$request: '$request'");
+       exit;
+   }
    
    $request =~ s/%([a-fA-F0-9]{2})/pack("H2", $1)/eg;
    # $request must be absolute ...
@@ -258,6 +270,7 @@
    $ENV{'SERVER_PORT'} = $MYPORT;
    $ENV{'SELECTOR'} = $orq;
    $ENV{'GPLUS'} = $gplus;
+   $ENV{'PATH'} =  $DIR;
    &fixgplus;
    &log("\"$orq\" ${gplus}[200 \"$locator\" \"$dinfo\" executed]");
    $ENV{'REQUEST'} = $request;