Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!mcsun!ukc!edcastle!scott
From: scott@castle.ed.ac.uk (Scott Larnach)
Newsgroups: comp.lang.perl
Subject: Re: I get "Insecure PATH" when I run commands from emacs...
Message-ID: <11178@castle.ed.ac.uk>
Date: 19 Jun 91 12:47:18 GMT
References: <CHETAL.91Jun16170012@penguin.pyramid.com> <1991Jun17.011615.13952@convex.com> <CHETAL.91Jun17094623@penguin.pyramid.com> <1991Jun17.191832.15997@convex.com>
Distribution: comp.lang.perl
Organization: Edinburgh University
Lines: 25

I got this error from a perl script I wrote yesterday as glue between
inews and (a slightly hacked version of) Rich $alz's news->mail code.
It's tickled presumably because it's called (via the sys file) from
inews, which is setuid news & setgid news.  It complained about the
following line:

  $status = system "./news2mail $listname $listaddr $sender $domain";

All four variables are derived from static data from within the script,
and none contain shell metacharacters. The "./" is taken care of by doing
a

  chdir($libdir) || die "Can't chdir($libdir): $!\n";

To my mind, this seems secure enough. I made the complaint go away by

  $< = $>;
  $( = $);

i.e. setting real uid and gid to news. Does anyone see any problems
with doing this?

Scott
-- 
this is not a signature