Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!elroy.jpl.nasa.gov!jpl-devvax!lwall
From: lwall@jpl-devvax.jpl.nasa.gov (Larry Wall)
Newsgroups: comp.lang.perl
Subject: Re: I get "Insecure PATH" when I run commands from emacs...
Message-ID: <1991Jun20.040503.22503@jpl-devvax.jpl.nasa.gov>
Date: 20 Jun 91 04:05:03 GMT
References: <1991Jun17.011615.13952@convex.com> <1991Jun17.191832.15997@convex.com> <11178@castle.ed.ac.uk>
Reply-To: lwall@netlabs.com (Larry Wall)
Distribution: comp.lang.perl
Organization: Jet Propulsion Laboratory, Pasadena, CA
Lines: 35

In article <11178@castle.ed.ac.uk> scott@castle.ed.ac.uk (Scott Larnach) writes:
: I got this error from a perl script I wrote yesterday as glue between
: inews and (a slightly hacked version of) Rich $alz's news->mail code.
: It's tickled presumably because it's called (via the sys file) from
: inews, which is setuid news & setgid news. It complained about the
: following line:
:
:     $status = system "./news2mail $listname $listaddr $sender $domain";
:
: All four variables are derived from static data from within the script,
: and none contain shell metacharacters. The "./" is taken care of by doing
: a
:
:     chdir($libdir) || die "Can't chdir($libdir): $!\n";
:
: To my mind, this seems secure enough. I made the complaint go away by
:
:     $< = $>;
:     $( = $);
:
: i.e. setting real uid and gid to news. Does anyone see any problems
: with doing this?

It's better to suppress the message by setting $ENV{PATH} to a known value.
Perl has no way of knowing whether news2mail is a shell script that depends
on PATH in an insecure fashion.

If you know that news2mail is secure, another way to bypass the check would
be to say

    $status = system "./news2mail", $listname, $listaddr, $sender, $domain;

It's still safer to set the path, though.

Larry
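The following is an added example and not code from the thread above. It shows, in Perl 5 taint mode (enabled with -T; the 1991 script got taint checks automatically because it ran setuid), how the "Insecure $ENV{PATH}" fatal error arises and how Larry's recommended fix of pinning $ENV{PATH} clears it. It assumes /bin/echo stands in for news2mail, and the four argument values are constructed for illustration. One Perl 5 detail worth knowing: perlsec documents that the PATH check fires for the list form and for fully qualified program names as well, so today the list form's benefit is that no shell parses the arguments; setting PATH remains the actual fix, as Larry says.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original post.  Run as:  perl -T taint_path.pl
# Shows why a Perl 5 script running under taint checks dies with
# "Insecure $ENV{PATH}" and how to clear the condition by pinning PATH.
# Assumptions (not from the post): /bin/echo stands in for news2mail, and
# the four argument values below are constructed for illustration.
use strict;
use warnings;

my ($listname, $listaddr, $sender, $domain) =
    ('perl-list', 'perl-list@example.com', 'scott@example.org', 'example.org');

# 1. With PATH inherited from the caller, every %ENV value is tainted, so
#    even a fully qualified, list-form system() dies under -T.
my $ok = eval { system('/bin/echo', $listname, $listaddr, $sender, $domain); 1 };
print $ok ? "inherited PATH: ran\n" : "inherited PATH: died with: $@";

# 2. The fix Larry recommends: set PATH to a known value.  Assigning a
#    literal untaints it.  Each directory must be absolute and not writable
#    by others, or Perl reports "Insecure directory in $ENV{PATH}".
#    perlsec also advises removing IFS, CDPATH, ENV and BASH_ENV, which a
#    child shell would honour.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 3. List form: no shell is involved, so the argument values reach the
#    program literally even if they contain metacharacters.
my $status = system('/bin/echo', $listname, $listaddr, $sender, $domain);
die "echo failed: $?\n" if $status != 0;

# 4. String form (what the original script used): Perl hands the line to
#    /bin/sh if it sees shell metacharacters, so every interpolated value
#    must be clean.  It only runs here because PATH has been set.
$status = system "/bin/echo $listname $listaddr $sender $domain";
die "echo failed: $?\n" if $status != 0;
```

Run it with `perl -T`; the first system() dies inside the eval and its "Insecure $ENV{PATH} while running with -T switch" message is printed, then the two calls after PATH is pinned run normally. Setting `$< = $>` as in the quoted post does not help under Perl 5, where taint mode is fixed at startup.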