Yet another tale from trying to run a Perl script with the setuid bit turned on. See my earlier post on fixing “Can’t do setuid (cannot exec sperl)” for details about why running perl scripts with setuid bits is a special case.

I tried to run my script and I got the following message:

[user@server ~]$ run-script
Insecure $ENV{PATH} while running setuid at ~/run-script line 4.

The basic idea that this message is trying to get across is that an environment variable that is being used may contain data that could open up an attack vector. The way to fix this is by setting the variable to a set of defaults that don’t come from the user and thus are less susceptible to being manipulated by someone in order to break the security of the system.

In this case, my script executed a program on the shell. Since shell interpretation comes into play, the $PATH variable is looked at to decide where the program could be located. This is an attack vector as someone could just change that variable to cause their own code to be called, thus escalating their code’s privileges without your knowledge.

In order to avoid this, I set the $PATH variable to a restricted set for use in the script by adding the following in the script before my shell call:

$ENV{"PATH"} = "/usr/bin";

This may need to be modified to meet your specific needs. In addition to making this change, I went ahead and changed the call to the shell program to be an absolute reference to the program in order to further mitigate any potential issue, such as aliases.