Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ccm warning about Insecure $ENV{ENV} #201

Open
ned21 opened this issue Jul 3, 2019 · 8 comments
Open

ccm warning about Insecure $ENV{ENV} #201

ned21 opened this issue Jul 3, 2019 · 8 comments

Comments

@ned21
Copy link
Contributor

ned21 commented Jul 3, 2019

$ ccm --version
Insecure $ENV{ENV} while running with -T switch at /usr/lib/perl/LC/Process.pm line 475.
This is ccm version 18.3.0
$ ccm /system/personality/host_environment 2>/dev/null
Insecure $ENV{ENV} while running with -T switch at /usr/lib/perl/LC/Process.pm line 475.
$ host_environment : 'dev'

This makes it difficult to use ccm in scripts. Looking at the ccm code, it looks like we sanitise $PATH so I'm not sure what's happening here - do we need to clear the environment entirely?

27 # minimal Path
28 $ENV{PATH} = join(":", qw(/bin /usr/bin /sbin /usr/sbin));
@stdweird
Copy link
Member

stdweird commented Jul 3, 2019

@ned21 perl version? what OS and what exact package version?

@ned21
Copy link
Contributor Author

ned21 commented Jul 3, 2019

$ /usr/bin/perl -v

This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi
(with 39 registered patches, see perl -V for more detail)

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.6 (Maipo)

$ rpm -q ccm perl-LC
ccm-18.3.0-1.noarch
perl-LC-18.3.0-1.noarch

@stdweird
Copy link
Member

stdweird commented Jul 3, 2019 

[stdweird@node2001 ~]$ cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 
[stdweird@node2001 ~]$ rpm -q perl
perl-5.16.3-294.el7_6.x86_64
[stdweird@node2001 ~]$ ccm --version
This is ccm version 18.12.0-rc1-SNAPSHOT
[stdweird@node2001 ~]$ rpm -q ccm
ccm-18.12.0-rc1_SNAPSHOT20190227112144.noarch
[stdweird@node2001 ~]$ rpm -q perl-LC
perl-LC-18.3.0-1.noarch

@stdweird
Copy link
Member

stdweird commented Jul 3, 2019

@ned21 any chance you can try more recent ccm?

@gombasg
Copy link
Contributor

gombasg commented Jul 3, 2019

From man perlsec:

Because some shells may use the variables IFS, CDPATH, ENV, and BASH_ENV, Perl checks that those are either empty or untainted when starting subprocesses. You may wish to add something like this to your setid and taint-checking scripts.

  delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # Make %ENV safer

Our standard profile setup does utilize $ENV.

@gombasg
Copy link
Contributor

gombasg commented Jul 3, 2019

... the only question is, should that be done in all Quattor utilities, or should it be done unconditionally in LC::Process.

@gombasg
Copy link
Contributor

gombasg commented Jul 3, 2019

Hmm, LC::Secure::environment() has this code already...

@stdweird
Copy link
Member

stdweird commented Jul 3, 2019

@gombasg yep, that's it

[stdweird@node2001 ~]$ ENV=1 ccm --version
Insecure $ENV{ENV} while running with -T switch at /usr/lib/perl/LC/Process.pm line 475.
This is ccm version 18.12.0-rc1-SNAPSHOT

quick hack:

[stdweird@node2001 ~]$ export ENV=1
[stdweird@node2001 ~]$ env -u ENV ccm --version
This is ccm version 18.12.0-rc1-SNAPSHOT

i'd rather not touch LC, and we already do some ENV sanitisation in other places. we should do a better job imho

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ned21 @stdweird @gombasg