Date: Sat, 30 Jun 2007 08:40:15 -0500
From: brian@pongonova.net
To: gopher@complete.org
Subject: [gopher] Re: Bucktooth questions

On Sat, Jun 30, 2007 at 07:09:35AM -0700, Cameron Kaiser wrote:
> > Well, finally got around to setting up Bucktooth. Right now I'm
> > testing on an iBook, but will end up running everything on a Linux
> > box. I'm running under xinetd as user "www". I had to make the
> > following mods to buckd to get things to work under setgid:

Cameron--

It's not your code (but forcing it to run under taint mode might be a good idea). It's just Perl saying "Hey, in case you didn't realize it, I'm running this in taint mode, even though you didn't specify -T, and you'll have to live with it."

Living with "it" means doing things like untainting $ENV{PATH} (even if it's not used -- a requirement when calling exec(), because an exec'd() process would have access to whatever is in $ENV{PATH}).

Let's see...perl version is 5.8.1. Here are a couple of error messages:

* No -s allowed while running setgid.
* Insecure dependency in exec while running setgid at /usr/local/bin/buckd line 2 79, line 1.
* Insecure $ENV{PATH} while running setgid at /usr/local/bin/buckd line 277, line 1. Here were the changes to get things working: --- buckd.orig Sat Jun 30 09:27:18 2007 +++ buckd Sat Jun 30 09:25:27 2007 @@ -1,4 +1,4 @@ -#!/usr/bin/perl -s +#!/usr/bin/perl ##################################################################### # Bucktooth 0.2.1 (c)1999, 2001-2006 Cameron Kaiser # @@ -65,6 +65,18 @@ exit; } ($request, $dinfo) = split(/\?/, $orq, 2); + if ($dinfo =~ /^([ -\@\w.]+)$/) { + $dinfo = $1; + } elsif($dinfo) { + &log("Bad data in \$dinfo: '$dinfo'"); + exit; + } + if ($request =~ /^([\/-\@\w.]+)$/) { + $request = $1; + } elsif($request) { + &log("Bad data in \$request: '$request'"); + exit; + } $request =~ s/%([a-fA-F0-9]{2})/pack("H2", $1)/eg; # $request must be absolute ... @@ -258,6 +270,7 @@ $ENV{'SERVER_PORT'} = $MYPORT; $ENV{'SELECTOR'} = $orq; $ENV{'GPLUS'} = $gplus; + $ENV{'PATH'} = $DIR; &fixgplus; &log("\"$orq\" ${gplus}[200 \"$locator\" \"$dinfo\" executed]"); $ENV{'REQUEST'} = $request;
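
Review bot: on the shebang line (hunk @@ -1,4 +1,4 @@), dropping -s also drops the switch parsing that flag provided, and nothing else in the patch replaces it, so any option buckd accepted as a -name switch is now silently ignored. If buckd relies on such switches, parse them explicitly. Since the script has to pass taint checks under setgid anyway, "#!/usr/bin/perl -T" would make the same checks apply in every deployment rather than only when the interpreter detects setgid.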
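
Review bot: in the hunk at @@ -65,6 +65,18 @@, both character classes contain what looks like an unintended range. In [ -\@\w.] the sequence " -\@" is the range from space to @, which admits ; & $ ( ) < > * % and both quote characters into $dinfo. In [\/-\@\w.] the sequence "\/-\@" is the range from / to @, so a literal hyphen in $request is rejected while : ; < = > ? pass. Put the hyphen last so it is a literal, for example [ \@\w.-] and [\/\@\w.-]. The $request check also runs before the %XX decoding on the following line and its class has no %, so percent-encoded selectors are now rejected and that decode never fires; decode first, then validate the decoded value.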
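
Review bot: in the hunk at @@ -258,6 +270,7 @@, $ENV{'PATH'} = $DIR means any command a child process runs by bare name is resolved in $DIR. Unless $DIR is a directory of trusted executables that only root can write, a fixed system path such as /bin:/usr/bin is the safer value. Perl's taint checks also look at IFS, CDPATH, ENV and BASH_ENV, so deleting those at the same spot avoids the next round of "Insecure" errors.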
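
An added example, not part of the original message and not Bucktooth code: the untaint-then-exec pattern the message describes, with percent-decoding done before the allowlist check. The allowlist, the fixed PATH, /bin/echo as the child command and the sample selectors are assumptions; run it as "perl -T".

```perl
#!/usr/bin/perl -T
# Added example, not Bucktooth code: untaint a selector, then exec safely.
use strict;
use warnings;
use Scalar::Util qw(tainted);

$| = 1;    # keep our output ordered with the child's

# Decode %XX first so the allowlist sees the real bytes, then capture.
# The hyphen sits last in the class so it is a literal, not a range.
sub untaint_selector {
    my ($raw) = @_;
    (my $decoded = $raw) =~ s/%([a-fA-F0-9]{2})/pack("H2", $1)/eg;
    return if $decoded =~ m{(?:^|/)\.\.(?:/|\z)};        # no ".." components
    return $decoded =~ m{^(/[\w./\@-]*)\z} ? $1 : undef;  # $1 is untainted
}

# Taint mode checks the environment on every exec()/system(), even when the
# command is given by absolute path.
sub clean_env {
    delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
    $ENV{PATH} = '/bin:/usr/bin';    # assumed fixed system path
}

clean_env();
while (my $raw = <DATA>) {           # file input is tainted under -T
    chomp $raw;
    my $sel = untaint_selector($raw);
    printf "%-26s input %s -> %s\n", $raw,
        tainted($raw) ? 'tainted' : 'clean',
        defined $sel ? "accepted as $sel" : 'rejected';
    next unless defined $sel;
    # List form: no shell is involved, so $sel is passed as one argument.
    system('/bin/echo', 'would serve', $sel) == 0
        or warn "echo failed: $?\n";
}

# Constructed sample selectors follow.
__DATA__
/docs/read-me.txt
/docs/a%20b
/docs/%2e%2e/private
/cgi/run;id
```

Passing the tainted $raw to system() instead of $sel, or skipping clean_env(), reproduces the "Insecure dependency" and "Insecure $ENV{PATH}" errors quoted in the message.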