On Thu, May 27, 2010 at 9:46 PM, Yang Zhang <yanghatespam / gmail.com> wrote:
> When running rake from a suid binary:
>
> #include <stdlib.h>
> int main() {
>   return system("rake -f /usr/share/redmine/Rakefile "
>                 "redmine:fetch_changesets RAILS_ENV=production");
> }
>
> I'm getting "Insecure operation - chdir":
>
> $ ./update-redmine
> rake aborted!
> Insecure operation - chdir
> /usr/lib/ruby/1.8/rake.rb:2364:in `chdir'
> (See full trace by running task with --trace)
>
> When I added --trace to the command, I get:
>
> $ ./update-redmine
> rake aborted!
> Insecure operation - chdir
> /usr/lib/ruby/1.8/rake.rb:2364:in `chdir'
> /usr/lib/ruby/1.8/rake.rb:2364:in `find_rakefile_location'
> /usr/lib/ruby/1.8/rake.rb:2368:in `raw_load_rakefile'
> /usr/lib/ruby/1.8/rake.rb:2017:in `load_rakefile'
> /usr/lib/ruby/1.8/rake.rb:2068:in `standard_exception_handling'
> /usr/lib/ruby/1.8/rake.rb:2016:in `load_rakefile'
> /usr/lib/ruby/1.8/rake.rb:2000:in `run'
> /usr/lib/ruby/1.8/rake.rb:2068:in `standard_exception_handling'
> /usr/lib/ruby/1.8/rake.rb:1998:in `run'
> /usr/bin/rake:28
>
> Anybody know what's up with this? Also, is this totally unsafe? I
> don't know how safe a program rake is (e.g., can one set env vars to
> get it to do arbitrary actions?). Not actually putting this into
> deployment on anything but my own box, but would just be good for me
> to know, and I'm mostly curious about my original question. Thanks in
> advance for any answers.
> --
> Yang Zhang
> http://yz.mit.edu/
>
>


To add to the confusion, the rake task runs fine from root's crontab.
I found some information on taint and $SAFE, but it's unclear to me
why things work via cron but not via a suid binary.


--
Yang Zhang
http://yz.mit.edu/
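A hardened form of the wrapper quoted above, as an added example that is not part of the original post: it replaces `system()`, which runs the command through the shell with the caller's environment, with `execve()` on an absolute path and a fixed environment, and makes the real ids match the effective ids before the exec. The `/usr/bin/rake` path and `RAILS_ENV` come from the post; the `PATH` value and the helper names are assumptions, as is the reading that Ruby 1.8 starts at `$SAFE = 1` when real and effective ids differ (equal under root's cron, different under a suid binary).

```c
#define _XOPEN_SOURCE 700   /* declares setreuid/setregid */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Fixed environment for the child; nothing is inherited from the caller.
 * The PATH value is an assumption; RAILS_ENV comes from the post. */
static char *const CLEAN_ENV[] = {
    "PATH=/usr/bin:/bin", "RAILS_ENV=production", NULL
};

/* Fixed argv, no shell involved; /usr/bin/rake is the path in the trace. */
static char *const RAKE_ARGV[] = {
    "/usr/bin/rake", "-f", "/usr/share/redmine/Rakefile",
    "redmine:fetch_changesets", NULL
};

/* True when real and effective ids differ, i.e. the process was started
 * through a setuid or setgid binary (hypothetical helper). */
int ids_mismatch(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid) {
    return ruid != euid || rgid != egid;
}

/* Returns 1 if variable `name` is set in `env`, else 0 (hypothetical helper). */
int env_has(char *const env[], const char *name) {
    size_t n = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=') return 1;
    return 0;
}

int main(void) {
    uid_t euid = geteuid();
    gid_t egid = getegid();
    /* Assumption, not stated in the post: Ruby 1.8 starts at $SAFE = 1
     * when these ids differ. Equalise them, gid first, and fail closed. */
    if (ids_mismatch(getuid(), euid, getgid(), egid)) {
        if (setregid(egid, egid) != 0 || setreuid(euid, euid) != 0) {
            perror("setregid/setreuid");
            return 1;
        }
    }
    execve(RAKE_ARGV[0], RAKE_ARGV, CLEAN_ENV);
    perror("execve");   /* reached only if the exec failed */
    return 1;
}
```

Supplementary groups are left untouched here; a wrapper installed setuid root would normally reset them as well before the exec.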