[Samba] selftest: Perl error "Insecure $ENV{ENV} while running setgid at /home/user/src/samba-git/samba/source3/script/tests/printing/modprinter.pl line 138."

Manfred mx2927 at gmail.com
Fri Apr 19 14:46:45 UTC 2019


In my environment the selftest for samba3.rpc.spoolss.printer was 
failing at source3/script/tests/printing/modprinter.pl(138)

with the Perl error in the subject:
Insecure $ENV{ENV} while running setgid at /home/user/src/samba-git/samba/source3/script/tests/printing/modprinter.pl line 138

code is:
==============================
delete @ENV{'BASH_ENV'};

$ENV{'PATH'} = '/bin:/usr/bin'; # untaint PATH
system("cp", "$tmp", "$smb_conf_file"); # <== FAILING HERE
unlink $tmp;
==============================

the solution is, in addition to untainting $PATH:
==============================
# the following is according to:
# https://perldoc.perl.org/perlsec.html#Cleaning-Up-Your-Path
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'}; # Make %ENV safer
# delete @ENV{'BASH_ENV'};

$ENV{'PATH'} = '/bin:/usr/bin'; # untaint PATH
system("cp", "$tmp", "$smb_conf_file"); # <== FAILING HERE
unlink $tmp;
==============================

Although this appears to happen in my environment, and not in the build 
farm, according to the Perl doc, would it look like a candidate for 
consideration?
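
An added example, not part of the original post and not Samba code: a stand-alone script that runs both cleanups from the message in a child perl under -T, once with ENV present in the environment and once without. The environments, the /constructed/shellrc value and the use of `true` in place of `cp` are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not Samba code. Runs the two cleanups from the post in a
# child perl under -T with a constructed environment and reports the result.
use strict;
use warnings;

# Child program; its first argument selects which delete to apply.
my $child = <<'CHILD';
my $mode = shift;
delete @ENV{'BASH_ENV'}                         if $mode eq 'before';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'} if $mode eq 'after';
$ENV{'PATH'} = '/bin:/usr/bin';                 # untaint PATH
my $ok = eval { system('true') == 0 or die "true failed: $?\n"; 1 };
print $ok ? "ok\n" : "died: $@";
CHILD

# Run the child under -T with exactly the environment given in %env.
sub run_child {
    my ($mode, %env) = @_;
    local %ENV = %env;
    open(my $fh, '-|', $^X, '-T', '-e', $child, $mode)
        or die "cannot start child perl: $!";
    my $out = do { local $/; <$fh> };
    close $fh;
    return defined $out ? $out : "no output\n";
}

# Constructed environments: the ENV value is a made-up path.
my %with_env    = (PATH => '/bin:/usr/bin', ENV => '/constructed/shellrc');
my %without_env = (PATH => '/bin:/usr/bin');

my @cases = (
    [ 'ENV set,   delete BASH_ENV only', 'before', \%with_env    ],
    [ 'ENV set,   delete all four keys', 'after',  \%with_env    ],
    [ 'ENV unset, delete BASH_ENV only', 'before', \%without_env ],
);
for my $case (@cases) {
    my ($label, $mode, $env) = @$case;
    printf "%-34s %s", "$label:", run_child($mode, %$env);
}
```

Because taint mode is enabled here by the switch rather than by a setgid binary, the error text ends in "while running with -T switch" instead of "while running setgid"; the check on IFS, CDPATH, ENV and BASH_ENV is the same and only fires for keys that are actually present in the environment.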


