Bug#521584: perl-suid: -U no longer behaves as expected to allow insecure operations

Niko Tyni ntyni at debian.org
Tue Mar 31 18:58:25 UTC 2009


On Sun, Mar 29, 2009 at 04:50:35PM -0400, Adam Kessel wrote:
> Niko Tyni wrote, on 3/29/2009 2:50 PM:
> > Are you sure these really are fatal errors with -U? See below.
> 
> The problem seems to be only when the script is called from apache 
> (2.2), so I wonder if that is the problem. When I run it from the shell, 
> it behaves as expected. When it is called via CGI, it dies where you 
> would expect just a warning.
> 
> Is this perhaps a bug in apache2.2, or alternatively just a difference 
> in how perl scripts are handled in apache2.2?

It works for me with 2.2.11-2 and this:

 #!/usr/bin/perl -U
 use CGI;
 use CGI::Carp qw(fatalsToBrowser);
 my $q = new CGI;
 print $q->header;
 my $mod = $q->param("module") || "unspecified.pm";
 require $mod or die("require $mod failed: $!");
 print "Successfully loaded $mod as uid $>!\n";

-rwsr-xr-x 1 root root 245 2009-03-31 21:53 r.cgi

in a ScriptAlias directory with Options +ExecCGI.

I don't see anything wrong with perl here, please let me know what
to do with this bug.
-- 
Niko Tyni   ntyni at debian.org





