Why does @INC change when setgid-bit of C wrapper around perl script change?

Problem description

This is all on RHEL6

I am trying to run a perl script as a specific user (owner of the perl script) by wrapping it inside a C binary and then setting the setgid bit of the binary (ref: https://superuser.com/questions/440363/can-i-make-a-script-always-execute-as-root). The perl script uses various perl modules. If the perl modules are in PERL5LIB of the account trying to run the C binary, and the setgid-bit is NOT set on the C binary, it runs fine. If the setgid-bit IS set, then it fails because the used perl modules are not in @INC.

Some code to demo how @INC changes with the sticky bit...

the.pl

#!/usr/bin/env perl
print "Size of INC: ".scalar(@INC)."\n";
exit;

wrapper.c

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
  exit(execvp("/home/me/the.pl",(char **)argv));
}

The perl script permissions are -rwxrwxr-x

When I set the wrapper's permissions to -rwxr-xr-x (note the setgid bit is not set), then run the binary from some other account, I get...

Size of INC = 87

...which is what I would expect (there are 87 elements in PERL5LIB).

But when I set the wrapper's permissions to -rwxr-sr-x (note the setgid bit is set), then run the binary from some other account, I get...

Size of INC = 4

I get the same results even if I load PERL5LIB with all 87 elements in the .cshrc of both the perl script's owner and that of the account that's running the wrapper.

I need to run the binary as the owner of the perl script because that account has a priv that the user's accounts don't have. The root user is not a player in any of this.

Why am I losing those PERL5LIB elements? Is there a way I can get around this?

Thanks in advance!

Recommended answer

A setuid perl script is run in taint mode, and perlsec says:

When the taint mode ("-T") is in effect, the "." directory is removed from @INC, and the environment variables "PERL5LIB" and "PERLLIB" are ignored by Perl. You can still adjust @INC from outside the program by using the "-I" command line option as explained in perlrun. The two environment variables are ignored because they are obscured, and a user running a program could be unaware that they are set, whereas the "-I" option is clearly visible and therefore permitted.

If you cannot adjust @INC inside the program (say, with use lib ...), you will want to rewrite your C program to call the perl executable instead of your script name, and to prepend argv with your script name and any appropriate -I... arguments that you want to use.
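
The rewrite described in the answer above, as an added example (not code from the original post): the wrapper executes the perl binary directly and passes the module directories as -I switches, followed by the script path and the caller's arguments. The interpreter path, the two -I directories and the fixed PATH environment are assumptions to replace with real values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define PERL   "/usr/bin/perl"    /* assumed interpreter path */
#define SCRIPT "/home/me/the.pl"  /* script path used in the question */

/* Hypothetical module directories: replace with the real ones. */
static char *const INC_FLAGS[] = { "-I/home/me/perl5/lib", "-I/opt/app/lib" };
#define N_INC (sizeof INC_FLAGS / sizeof INC_FLAGS[0])

/* Assumed fixed environment so the caller's variables never reach the script. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Returns a malloc'd vector: perl, -I..., script, caller's args, NULL. */
char **build_perl_argv(int argc, char *argv[])
{
    size_t user = argc > 1 ? (size_t)argc - 1 : 0;
    char **v = calloc(1 + N_INC + 1 + user + 1, sizeof *v);
    size_t n = 0, i;

    if (v == NULL)
        return NULL;
    v[n++] = PERL;
    for (i = 0; i < N_INC; i++)
        v[n++] = INC_FLAGS[i];       /* -I is honoured in taint mode */
    v[n++] = SCRIPT;                 /* perl stops parsing switches here */
    for (i = 0; i < user; i++)
        v[n++] = argv[i + 1];        /* passed to the script as @ARGV */
    return v;                        /* calloc left the trailing NULL */
}

int main(int argc, char *argv[])
{
    char **v = build_perl_argv(argc, argv);

    if (v == NULL) {
        perror("calloc");
        return 1;
    }
    execve(PERL, v, CLEAN_ENV);      /* returns only on failure */
    perror("execve " PERL);
    return 127;
}
```

Because the -I directories are compiled into the wrapper, they should be writable only by the account that owns the script.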
