   From: Andrei Borzenkov <arvidjaar@gmail.com>
   Date: Wed, 26 Jun 2024 07:45:47 +0300

   On 26.06.2024 00:46, Curtis J Blank wrote:
   > Here's the PATH and each of the directories in the PATH's permissions. I wonder if it's choking on the permissions of the links?

   No. It is not about the content of the $PATH, but about the fact that it is imported from the external environment.

   bor@tw:~> PATH=/usr/bin perl -Te 'use Net::Domain; $foo = `domainname`'
   Insecure $ENV{PATH} while running with -T switch at -e line 1.
   bor@tw:~> perl -Te 'use Net::Domain; $ENV{PATH}="/usr/bin"; $foo = `domainname`'
   bor@tw:~>

That's a different error. The original error is

   Insecure directory in $ENV{PATH} while running with -T switch ...

I can reproduce that as follows:

   rogers@orion> perl -Te 'use Net::Domain; $ENV{PATH}="/usr/bin:."; $foo = `domainname`'
   Insecure directory in $ENV{PATH} while running with -T switch at -e line 1.
   rogers@orion>

This is just your second Perl one-liner with "." added to the untainted $ENV{PATH}. Here's the entire description of the error message from "man perldiag" on my system:

   Insecure directory in %s
       (F) You can't use system(), exec(), or a piped open in a setuid or
       setgid script if $ENV{PATH} contains a directory that is writable by
       the world. Also, the PATH must not contain any relative directory.
       See perlsec.

So the original error is about the value itself, rather than the source. It's still a mystery why Curtis saw this error in the amavisd context, but that's now academic (and, as I've said, I think it's a bug in Net::Domain that it calls domainname at all).

-- Bob
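
An added example, not part of the original thread: a POSIX shell helper that walks a PATH value and reports entries matching the two conditions in the perldiag text quoted above (a relative directory, or a world-writable one). The function name `audit_path` is hypothetical, and the check follows the perldiag wording rather than reproducing Perl's own implementation.

```shell
#!/bin/sh
# Added example: audit a PATH value for the two conditions named in the
# quoted perldiag entry. audit_path is a hypothetical helper name.

# Usage: audit_path "$PATH"
# Prints one "reason<TAB>entry" line per offending entry.
# Returns 0 if nothing was flagged, 1 otherwise.
audit_path() {
    path_value=$1
    flagged=0
    # Append ":" so a trailing empty entry is not lost when splitting.
    rest="$path_value:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*)
                # Absolute: flag only if it exists and "other" may write.
                # find -H follows a symlink given on the command line, so the
                # target directory's mode is tested, not the link's own mode.
                if [ -n "$(find -H "$entry" -prune -perm -0002 2>/dev/null)" ]; then
                    printf 'world-writable\t%s\n' "$entry"
                    flagged=1
                fi
                ;;
            *)
                # An empty entry and "." both mean the current directory.
                printf 'relative\t%s\n' "${entry:-<empty>}"
                flagged=1
                ;;
        esac
    done
    return "$flagged"
}
```

Run as `audit_path "$PATH"` in the environment the daemon actually starts with; a symlinked directory is reported only when its target is world-writable, since the link's own `lrwxrwxrwx` mode is not what gets tested.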