Using 'crypt' command in perl script giving Insecure dependency warning and error.

Ravi Bhave

Hi,
I have a perl script which is used to log on to a server using
username and encrypted password file and key file. The script runs
FINE when I execute it on command line passing all parameters. It gets
the file without any errors or warnings.

BUT when my program(C++ program) calls the same script(ftp_get) and
passes the required parameters it does not work. It fails at line
where 'crypt' is used and gives me error: 'Insecure dependency
in''while running setgid at ftp_get (script shown at the end) at line
21, <INF> line 1.

Please help me in fixing this error.
Any help is greatly appreciated.

Thanks in advance.
Ravi

The encrypted password file is created using 'crypt' command on Sun
solaris server. The password encrypted file is created by using
following shell script(set_ibm_password), which uses keyfile($PWCKEY).
-------------------------------------------------
#! /bin/sh
# Read in the crypt seed key:
. ibmpwckey
PWC_File=ibmpwc
echo "Enter FTP User name for IBM ? \c"
read IBM_User
echo "Enter FTP Password ? \c"
stty -echo
read IBM_password
stty echo
echo ""
echo "$IBM_password" | crypt "$PWCKEY" > "$PWC_File"
--------------------------------------------------------

My perl script which uses the file created by above file is as follows

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#! /usr/local/bin/perl -w
# Load the required libraries.
use Net::FTP;
$Usage="Usage: ftp_get remote_host login_name local_file remote_file
PasswdFile PasswdKeyFile";
# Get the parameters.
my( $host ) = shift || die $Usage;
my( $login ) = shift || die $Usage;
my( $local_file ) = shift || die $Usage;
my( $remote_file ) = shift || die $Usage;
my( $SeedFile ) = shift || die $Usage;
my( $PWC_File ) = shift || die $Usage;
my( $PWCKEY );
my( $PW );
open INF, $SeedFile;
while ( $Line = <INF> ) {
chomp $Line;
( $Name, $PWCKEY ) = split /=/, $Line;
if ( $Name eq "PWCKEY" ) {
break;
}
}
line 21: $PW=`crypt $PWCKEY < $PWC_File`;
chomp $PW;
print "PASSWD $PW \n";
my( $ftp ) = Net::FTP->new( $host );
$ftp->login( $login, $PW );
print "local file = $local_file Remote_file = $remote_file \n";
$ftp->get( $local_file, $remote_file )
or die "Can not get file \n";
$ftp->quit();
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
James Willmore

On 28 Oct 2003 18:59:33 -0800
Hi,
I have a perl script which is used to log on to a server using
username and encrypted password file and key file. The script runs
FINE when I execute it on command line passing all parameters. It
gets the file without any errors or warnings.

BUT when my program(C++ program) calls the same script(ftp_get) and
passes the required parameters it does not work. It fails at line
where 'crypt' is used and gives me error: 'Insecure dependency
in''while running setgid at ftp_get (script shown at the end) at
line 21, <INF> line 1.

Please help me in fixing this error.
Any help is greatly appreciated.
<snip>

When this error occurs, it's normally a path issue. Try setting your
path ($ENV{PATH}) in the perl script.

Also - watch out for running Perl scripts setuid. You may want to use
the '-T' option to enable taint checking.

And, you _may_ have to write a small C wrapper to run the script
properly - but you may be able to get away with running the script
with the above suggestions.

Read perlsec (type 'perldoc perlsec' at the command line) for more
information.


HTH

--
Jim

Copyright notice: all code written by the author in this post is
released under the GPL. http://www.gnu.org/licenses/gpl.txt
for more information.

a fortune quote ...
The intelligence of any discussion diminishes with the square of
the number of participants. -- Adam Walinsky
 
Tad McClellan

Ravi Bhave said:
I have a perl script which is used to log on to a server using
username and encrypted password file and key file. The script runs
FINE when I execute it on command line

BUT when my program(C++ program) calls the same script(ftp_get) and
passes the required parameters it does not work.


It looks like your C++ program is calling perl setgid, while
at the command line it was running as you.

Perl will automatically turn on "taint checking" under those
circumstances. See perlsec.pod.

It fails at line
where 'crypt' is used and gives me error: 'Insecure dependency
in''while running setgid at ftp_get (script shown at the end) at line
21, <INF> line 1.


All of the messages that perl might issue are documented in

perldoc perldiag

For your message it says:

Insecure $ENV{%s} while running %s
(F) You can't use system(), exec(), or a piped open in
a setuid or setgid script if any of $ENV{PATH},
$ENV{IFS}, $ENV{CDPATH}, $ENV{ENV} or $ENV{BASH_ENV}
are derived from data supplied (or potentially supplied)
by the user. The script must set the path to a
known value, using trustworthy data. See perlsec.

Please help me in fixing this error.


You are trying to do something potentially dangerous, and perl
wants some convincing that that is really what you want to do.

Any help is greatly appreciated.


perldoc perlsec


and try hard-coding the env vars above in your Perl program.

# Get the parameters.
my( $host ) = shift || die $Usage;
my( $login ) = shift || die $Usage;
my( $local_file ) = shift || die $Usage;
my( $remote_file ) = shift || die $Usage;
my( $SeedFile ) = shift || die $Usage;
my( $PWC_File ) = shift || die $Usage;


Doesn't have anything to do with your problem, but I'd replace
all of that with:

# untested
die $Usage unless @ARGV == 6;
my($host, $login, $local_file, $remote_file, $SeedFile, $PWC_File) = @ARGV;

open INF, $SeedFile;


You should always, yes *always*, check the return value from open():

open INF, $SeedFile or die "could not open '$SeedFile' $!";
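
Added example (not part of any post in this thread, and not the posters' code): a taint-safe way to do what the backtick on "line 21" does, combining the fixed environment both replies recommend with untainting of the key and file names, and running crypt without a shell. The sub names, the allow-list patterns and the /usr/bin/crypt path are assumptions made for illustration.

```perl
#!/usr/local/bin/perl -wT
# Added example: sub names, patterns and /usr/bin/crypt are assumptions.
use strict;

# perlsec: give child processes a known environment, not the caller's.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by capturing from an anchored allow-list pattern.
sub untaint_key {
    my ($v) = @_;
    return (defined $v && $v =~ /\A([A-Za-z0-9_.\-]{1,64})\z/) ? $1 : undef;
}
sub untaint_path {
    my ($v) = @_;
    return undef if !defined $v || $v =~ m{(?:\A|/)\.\.(?:/|\z)};
    return $v =~ m{\A([\w./\-]+)\z} ? $1 : undef;
}

# Find PWCKEY=... in the key file; anything read from a file is tainted.
sub read_key {
    my ($seed_file) = @_;
    open my $in, '<', $seed_file or die "could not open '$seed_file': $!";
    while (my $line = <$in>) {
        chomp $line;
        my ($name, $value) = split /=/, $line, 2;
        return untaint_key($value) if defined $name && $name eq 'PWCKEY';
    }
    return undef;
}

# Run crypt without a shell: fork, point STDIN at the file, exec a list.
sub decrypt_password {
    my ($key, $pwc_file, $crypt) = @_;
    my $pid = open my $kid, '-|';
    die "cannot fork: $!" unless defined $pid;
    if (!$pid) {    # child process
        open STDIN, '<', $pwc_file or die "cannot read '$pwc_file': $!";
        exec { $crypt } $crypt, $key or die "cannot exec $crypt: $!";
    }
    my $pw = <$kid>;
    close $kid or die "crypt failed, status $?\n";
    chomp $pw if defined $pw;
    return $pw;
}

die "Usage: $0 PasswdKeyFile PasswdFile\n" unless @ARGV == 2;
my $seed = untaint_path($ARGV[0]) or die "bad key file name\n";
my $file = untaint_path($ARGV[1]) or die "bad password file name\n";
my $key  = read_key($seed) or die "no usable PWCKEY in '$seed'\n";
my $pw   = decrypt_password($key, $file, '/usr/bin/crypt');
```

$pw would then be passed to $ftp->login( $login, $pw ) as in the original script. The key still appears on crypt's command line, exactly as it does in the original backtick call.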
 
Ravi Bhave

Thanks a lot guys. It was perfect. After environment setup done
correctly, it is working OK.
Always learning something new, there is no break in perl!
 
