
Re: May I run wml from a setuid program? (It seems not)

On Tue, 28 Sep 1999, Stephane Bortzmeyer wrote:

> On Friday 17 September 1999, at 22 h 12, the keyboard of Denis Barbier 
> <barbier@imacs.polytechnique.fr> wrote:
> > this feature is well documented in wml_p2_eperl(1) in the Security
> > section.
> You mean I should actually READ the documentation? What stupid software!
> And, sorry, but I fail to see the relevant text. I don't use ePerl as a
> CGI. Could you be more precise?

No, I was fully wrong.
Another try? From the perlsec manpage:
       Cleaning Up Your Path

       For "Insecure $ENV{PATH}" messages, you need to set
       $ENV{'PATH'} to a known value, and each directory in the
       path must be non-writable by others than its owner and
       group.  You may be surprised to get this message even if
       the pathname to your executable is fully qualified.

You have to define $ENV{PATH} _inside_ your Perl scripts.
So copy wml to wml-safe and define $ENV{PATH} in wml-safe.

Denis Barbier
WML Maintainer

Website META Language (WML)                www.engelschall.com/sw/wml/
Official Support Mailing List                   sw-wml@engelschall.com
Automated List Manager                       majordomo@engelschall.com
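
A sketch of what the top of the wml-safe copy suggested above could look like, added here as an example and not part of the original message or of WML itself. The directory list and the helper name path_dir_problems are assumptions; the extra environment cleanup line is the one perlsec recommends.

```perl
#!/usr/bin/perl
# Constructed example: preamble for a hypothetical "wml-safe" copy of wml.
# Taint mode is switched on automatically when Perl runs a script setuid,
# so %ENV must be cleaned before any external program is started.
use strict;
use warnings;
use Fcntl ':mode';    # S_ISDIR, S_IWOTH

# Assumed list of directories holding the tools wml calls; adjust locally.
my @safe_dirs = ('/usr/bin', '/bin');

# Return the reasons (possibly none) why a directory must not be in PATH.
sub path_dir_problems {
    my ($dir) = @_;
    return ('not an absolute path') unless $dir =~ m{^/};
    my @st = stat($dir) or return ("cannot stat: $!");
    my $mode = $st[2];
    return ('not a directory') unless S_ISDIR($mode);
    # perlsec: each directory must be non-writable by others than
    # its owner and group, i.e. the world-write bit must be clear.
    return ('world-writable') if $mode & S_IWOTH;
    return ();
}

# Collect every problem first so the error message lists all of them.
my @bad;
for my $dir (@safe_dirs) {
    my @why = path_dir_problems($dir);
    push @bad, "$dir: @why" if @why;
}
die "wml-safe: refusing to run, unsafe PATH entries:\n  "
    . join("\n  ", @bad) . "\n" if @bad;

# Set PATH to a known value inside the script, built only from constants,
# so the value is untainted regardless of what the caller exported.
$ENV{PATH} = join ':', @safe_dirs;

# perlsec also recommends dropping these before running other programs.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# ... the unmodified body of wml would follow from here ...
```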