我正在使用此代码,当我从 root 运行它时,它工作正常,但是当我设置 root 权限时,它会抛出一个错误,提示“线路系统“perl $qtool -d $mqueue_directory*$queue_id”不安全的 $ENV{PATH};”
我的脚本位于路径/scripts/deferred.pl
#!/usr/bin/perl
use strict;
my $qtool = "/usr/local/bin/qtool.pl";
my $mqueue_directory = "/var/spool/mqueue";
my $messages_removed = 0;
my @rf_id;
my @date;
my $temp
my @write_array;
my $to;
my $from;
use Untaint;
use File::Find;
# Recursively find all files and directories in $mqueue_directory
use Untaint;
find(\&wanted, $mqueue_directory);
sub wanted {
# Is this a qf* file?
if ( /^qf(\w{14})/ ) {
my $qf_file = $_;
my $queue_id = $1;
my $deferred = 0;
my $from_postmaster = 0;
my $delivery_failure = 0;
my $junk_mail = 0;
open (QF_FILE, $_);
while(<QF_FILE>) {
$deferred = 1 if ( /^MTemporarily/ | /^Mhost map: lookup/ | /^MUser unknown/ );
$delivery_failure = 1 if \
( /^H\?\?Subject: DELIVERY FAILURE: (User|Recipient)/ );
if ( $deferred && $from_postmaster && $delivery_failure ) {
$junk_mail = 1;
}
$temp=$qf_file.':';
if($junk_mail){
while(<QF_FILE>){
chomp;
if(/rRFC822;/){
$temp.=subdtr($_,9)
}
if(/H?D?Date:/){
$temp.=':'.substr($_,10);
push @write_array, $temp."\n";
}
}
}
}
close (QF_FILE);
my $subqueue_id = substr($queue_id,9);
if ($junk_mail) {
print "Removing $queue_id...\n";
system "perl $qtool -d $mqueue_directory*$queue_id";
$messages_removed++;
}
}
}
open (MYFILE,">/scripts/mail.txt");
print MYFILE "@write_array";
close (MYFILE);
$to='yagya@mydomain.in';
$from='system@mydomain.in';
$subject='deleted mails';
open(MAIL,"|/usr/sbin/sendmail -t");
print MAIL "To: $to\n";
print MAIL "From: $from\n";
print MAIL "Subject: $subject\n\n";
print MAIL "@write_array\n";
close(MAIL);
print "\n$messages_removed total \"double bounce\" message(s) removed from ";
print "mail queue.\n";
最佳答案
Setuid 程序自动在污点模式下运行。这一切都在perlsec中有解释。 ,包括错误消息中的文本。通常,如果您将错误消息粘贴到搜索引擎中,您很快就会找到解决办法。您可能还会看到Insecure $ENV{ENV} while running with -T switch .
关于linux - setuid 处的不安全 ENV 变量,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/10545185/