Why does @INC change when the setgid bit of a C wrapper around a perl script changes?

This is all on RHEL6.

I am trying to run a perl script as a specific user (the owner of the perl script) by wrapping it inside a C binary and then setting the setgid bit on the binary (ref: https://superuser.com/questions/440363/can-i-make-a-script-always-execute-as-root ). The perl script uses various perl modules.

If the perl modules are in PERL5LIB of the account trying to run the C binary, and the setgid bit is NOT set on the C binary, it runs fine. If the setgid bit IS set, then it fails because the perl modules it uses are not in @INC.
Some code to demo how @INC changes with the sticky bit...

the.pl

    #!/usr/bin/env perl
    # Report how many directories perl will search for modules
    print "Size of INC: ".scalar(@INC)."\n";
    exit;
wrapper.c

    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>

    int main(int argc, char *argv[])
    {
        /* Replace this process with the perl script; execvp only returns on failure */
        exit(execvp("/home/me/the.pl", (char **)argv));
    }
The perl script's permissions are -rwxrwxr-x.

When I set the wrapper's permissions to -rwxr-xr-x (note the setgid bit is not set), then run the binary from some other account, I get...

    Size of INC = 87

...which is what I would expect (there are 87 elements in PERL5LIB).

But when I set the wrapper's permissions to -rwxr-sr-x (note the setgid bit is set), then run the binary from some other account, I get...

    Size of INC = 4

I get the same results even if I load PERL5LIB with all 87 elements in the .cshrc of both the perl script's owner and the account that's running the wrapper.

I need to run the binary as the owner of the perl script because that account has a priv that the users' accounts don't have. The root user is not a player in any of this.

Why am I losing those PERL5LIB elements? Is there a way I can get around this?

Thanks in advance!
A setuid perl script is run in taint mode, and perlsec says:

    When the taint mode ("-T") is in effect, the "." directory is removed from @INC, and the environment variables "PERL5LIB" and "PERLLIB" are ignored by Perl. You can still adjust @INC from outside the program by using the "-I" command line option as explained in perlrun. The two environment variables are ignored because they are obscured, and a user running a program could be unaware that they are set, whereas the "-I" option is clearly visible and therefore permitted.
If you cannot adjust @INC inside the program (say, with use lib ...), you will want to rewrite your C program to call the perl executable instead of your script name, and to prepend argv with your script name and any appropriate -I... arguments that you want to use.
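One way to do what this answer describes, as an added example that is not part of the original question or answer: a wrapper that execs the perl binary directly with -T and -I arguments, followed by the script path and whatever arguments the caller passed. The perl path, the script path and the two module directories are assumed placeholder values; -T is passed explicitly even though perl turns taint mode on by itself when real and effective IDs differ, so the wrapper's behaviour does not depend on that detection.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed paths for this example; adjust to the real installation. */
#define PERL_BIN "/usr/bin/perl"
#define SCRIPT   "/home/me/the.pl"

/* Module directories that PERL5LIB used to supply. Placeholder values:
 * under taint mode only -I (not the environment) can add them to @INC. */
static const char *const inc_dirs[] = {
    "/home/me/perl5/lib/perl5",
    "/opt/site/lib",
};
#define N_INC (sizeof inc_dirs / sizeof inc_dirs[0])

/* Allocate "-I<dir>" as one argument (perl also accepts "-I dir", but a
 * single token keeps the final argv easy to audit). */
static char *make_inc_arg(const char *dir)
{
    size_t len = strlen(dir) + 3;           /* "-I" + dir + NUL */
    char *arg = malloc(len);
    if (arg)
        snprintf(arg, len, "-I%s", dir);
    return arg;
}

/* Build argv for the real interpreter:
 *   perl -T -I<dir>... <script> <user args>...
 * Returns a NULL-terminated array and stores its element count in *out_argc. */
char **build_perl_argv(int argc, char *argv[], int *out_argc)
{
    int user_args = argc > 1 ? argc - 1 : 0;
    int n = 2 + (int)N_INC + 1 + user_args;   /* perl, -T, -I..., script, args */
    char **nargv = calloc((size_t)n + 1, sizeof *nargv);
    if (!nargv)
        return NULL;

    int k = 0;
    nargv[k++] = PERL_BIN;
    nargv[k++] = "-T";   /* implied for a setgid process anyway; be explicit */
    for (size_t i = 0; i < N_INC; i++) {
        nargv[k] = make_inc_arg(inc_dirs[i]);
        if (!nargv[k])
            return NULL;
        k++;
    }
    nargv[k++] = SCRIPT;
    for (int i = 1; i < argc; i++)      /* forward the caller's own arguments */
        nargv[k++] = argv[i];
    nargv[k] = NULL;

    if (out_argc)
        *out_argc = k;
    return nargv;
}

int main(int argc, char *argv[])
{
    int n = 0;
    char **nargv = build_perl_argv(argc, argv, &n);
    if (!nargv) {
        perror("build_perl_argv");
        return 1;
    }
    /* execv with an absolute path: no PATH lookup from a setgid binary. */
    execv(PERL_BIN, nargv);
    perror("execv");
    return 1;
}
```

Because the interpreter is named by absolute path and the library directories are baked into the binary, nothing the invoking account sets in its environment (PATH, PERL5LIB, PERLLIB) changes what gets executed or loaded, which is exactly the property taint mode is enforcing by ignoring those variables.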