[30433] in Perl-Users-Digest


Perl-Users Digest, Issue: 1676 Volume: 11

daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Fri Jun 27 18:09:46 2008

Date: Fri, 27 Jun 2008 15:09:07 -0700 (PDT)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)

Perl-Users Digest           Fri, 27 Jun 2008     Volume: 11 Number: 1676

Today's topics:
    Re: 'nobody' using sudo -- scary! <RedGrittyBrick@SpamWeary.foo>
    Re: 'nobody' using sudo -- scary! <tzz@lifelogs.com>
    Re: 'nobody' using sudo -- scary! <No_4@dsl.pipex.com>
        accuracy of Time::HiRes <john1949@yahoo.com>
    Re: accuracy of Time::HiRes <anonymous@cow.ard>
    Re: How to ensure I'm doing lwp with https correctly? PugetSoundSylvia@gmail.com
    Re: Simplest way (or module) to tweak query in CGI serv <noreply@gunnar.cc>
    Re: Simplest way (or module) to tweak query in CGI serv jerrykrinock@gmail.com
    Re: Simplest way (or module) to tweak query in CGI serv xhoster@gmail.com
        Template Toolkit and USE <ronnyma@math.uio.no>
    Re: Template Toolkit and USE <ben@morrow.me.uk>
    Re: Template Toolkit and USE <ronnyma@math.uio.no>
    Re: Template Toolkit and USE <ben@morrow.me.uk>
        Using System to read mixed cased environment variables  <lamthierry@gmail.com>
    Re: Using System to read mixed cased environment variab <rkb@i.frys.com>
        Digest Administrivia (Last modified: 6 Apr 01) (Perl-Users-Digest Admin)

----------------------------------------------------------------------

Date: Fri, 27 Jun 2008 12:24:24 +0100
From: RedGrittyBrick <RedGrittyBrick@SpamWeary.foo>
Subject: Re: 'nobody' using sudo -- scary!
Message-Id: <4864cde8$0$26089$db0fefd9@news.zen.co.uk>

Ben Morrow wrote:
> Quoth Johnny <schafer.dave@gmail.com>:
>> Given a perl based web application, running as 'nobody' with a need to
>> execute some privileged command, what approach is recommended?
> 
> Stick the details of what to do in a file somewhere, and run a program
> out of root's crontab to check the list and perform the commands.
> *Obviously* you will need extremely careful checking of the contents of
> that list; you will want to write the root command in Perl, and use
> taint mode.
> 

That is a nice solution.

A further refinement might be to create a FIFO instead of a file, and
have a root daemon reading the FIFO. That way there'd be no lag between
requesting the change and the change being performed.

man mkfifo

The daemon could be a Perl script started in the usual way at boot-time 
(rc files etc).

Ben is right about the need to very very carefully check and sanitise 
the input. I'd consider some sort of throttling to ameliorate any DOS 
attacks.

-- 
RGB
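
[Added example, not part of RedGrittyBrick's post or of any code posted in the thread.] The checking and throttling a root-side reader of such a FIFO would apply, in Perl. The request format (one "action argument" per line), the two action names, the command paths and the 5-per-60-seconds limit are assumptions made for the example; it reads constructed request lines from an in-memory handle and reports what it would run instead of running it.

```perl
#!/usr/bin/perl
# Run the real daemon under taint mode (perl -T) with a fixed $ENV{PATH}.
use strict;
use warnings;

# Hypothetical allowlist: action => [ argument pattern, argv builder ].
# The web side can only name an action; text from the FIFO is never run.
my %ACTIONS = (
    'remove-forward' => [
        qr/\A([a-z_][a-z0-9_-]{0,31})\z/,    # one plain login name
        sub { [ '/bin/rm', '-f', '--', "/home/$_[0]/.forward" ] },
    ],
    'rotate-logs' => [
        qr/\A()\z/,                          # takes no argument
        sub { [ '/usr/sbin/logrotate', '/etc/logrotate.conf' ] },
    ],
);

# Returns ($argv, undef) for an acceptable request, (undef, $reason) otherwise.
sub parse_request {
    my ($line) = @_;
    return (undef, 'too long') if length $line > 128;
    my ($action, $raw) = $line =~ /\A([a-z-]{1,32})(?: (\S*))?\z/
        or return (undef, 'malformed');
    my $spec = $ACTIONS{$action}
        or return (undef, "unknown action '$action'");
    my ($re, $build) = @$spec;
    # The capture is the only value passed on; under -T it is also untainted.
    my ($arg) = ($raw // '') =~ $re
        or return (undef, "bad argument for '$action'");
    return ($build->($arg), undef);
}

# Sliding window: at most $max requests in any $window seconds.
sub make_throttle {
    my ($max, $window) = @_;
    my @stamps;
    return sub {
        my ($now) = @_;
        shift @stamps while @stamps && $stamps[0] <= $now - $window;
        return 0 if @stamps >= $max;
        push @stamps, $now;
        return 1;
    };
}

# Junk requests use up the budget too, so a flood of them cannot starve root.
sub process {
    my ($fh, $allow, $clock) = @_;
    my @log;
    while (my $line = <$fh>) {
        chomp $line;
        if (!$allow->($clock->())) { push @log, 'THROTTLED'; next }
        my ($argv, $err) = parse_request($line);
        # A real daemon would call: system { $argv->[0] } @$argv  (no shell)
        push @log, $argv ? "RUN  @$argv" : "DENY $err";
    }
    return @log;
}

# Constructed request lines standing in for what arrives on the FIFO.
my $sample = join "\n",
    'remove-forward alice', 'remove-forward ../../etc',
    'remove-forward alice; reboot', 'format-disk now',
    'rotate-logs', 'remove-forward bob', '';
open my $fh, '<', \$sample or die "open: $!";
my $tick = 0;    # fake clock: one request per second
print "$_\n" for process($fh, make_throttle(5, 60), sub { $tick++ });
```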


------------------------------

Date: Fri, 27 Jun 2008 11:19:27 -0500
From: Ted Zlatanov <tzz@lifelogs.com>
Subject: Re: 'nobody' using sudo -- scary!
Message-Id: <86bq1m4zqo.fsf@lifelogs.com>

On Thu, 26 Jun 2008 17:41:02 +0100 RedGrittyBrick <RedGrittyBrick@SpamWeary.foo> wrote: 

R> Jens Thoms Toerring wrote:
>> 
>> for i in `ls -a /home/*/.forward`; do rm $i; done
>> 

R> Isn't that the same as
R>   rm home/*/.forward

They are both bad solutions when there are enough users to run over the
command line limits.  Perl would actually be a decent choice here,
unless you're sure you trust `find' to do the right thing.  I would
never remove files from a user directory with any kind of automated
script, personally.

cfengine has specific facilities to do this, and would be my first
recommendation if it's an option.  One of the big benefits in this case
is that the policy can be set by the administrator:

'remove $(home)/.forward' (in the cfengine syntax this looks slightly different)

but a cfengine run can actually be triggered by less-privileged users,
even remotely.  See http://cfengine.org for further details.

Ted


------------------------------

Date: Fri, 27 Jun 2008 22:58:45 +0100
From: Big and Blue <No_4@dsl.pipex.com>
Subject: Re: 'nobody' using sudo -- scary!
Message-Id: <f7mdnbDq25gL__jVnZ2dnUVZ8uadnZ2d@pipex.net>

RedGrittyBrick wrote:
> Jens Thoms Toerring wrote:
>>
>>   for i in `ls -a /home/*/.forward`; do rm $i; done
>>
> 
> Isn't that the same as
>   rm home/*/.forward

Neither of which would necessarily work if /home were an automount 
point, as "*" won't expand (and if it did, could have > 15000 matches in 
at least one case I know of, which is why you wouldn't want it to expand).

The real question the OP should be asking himself is why such a task is 
running as nobody anyway.  It is not a task an anonymous account should 
be doing at all.  i.e. the answer is to start somewhere else, earlier in 
the chain for a solution - by the time "nobody" is involved it's too late.

But it's definitely nothing to do with Perl.


-- 
              Just because I've written it doesn't mean that
                   either you or I have to believe it.


------------------------------

Date: Fri, 27 Jun 2008 21:38:39 +0100
From: "John" <john1949@yahoo.com>
Subject: accuracy of Time::HiRes
Message-Id: <g43j4a$vt7$1@news.albasani.net>

Hi

use Time::HiRes qw (gettimeofday);
my ($secs,$milliseconds)=gettimeofday();
my $trans="$secs$milliseconds"; # 10 digits and 6 digits

Sometimes the length of $trans is 16 but sometimes it is 15.
Shouldn't it be 16 always?

Regards
John







------------------------------

Date: Fri, 27 Jun 2008 23:14:40 +0200
From: Anonymous coward <anonymous@cow.ard>
Subject: Re: accuracy of Time::HiRes
Message-Id: <bdb84$48655840$89e0e08f$8931@news1.tudelft.nl>

On Fri, 27 Jun 2008 21:38:39 +0100, John wrote:

> Hi
> 
> use Time::HiRes qw (gettimeofday);
> my ($secs,$milliseconds)=gettimeofday(); my $trans="$secs$milliseconds";
> # 10 digits and 6 digits
> 
> Sometimes the length of $trans is 16 but sometimes it is 15. Shouldn't
> it be 16 always?
> 
> Regards
> John

The length of microseconds (not milliseconds) will be 5 digits one out of
ten times, because its value is less than 100000 microseconds. In one
out of a hundred times it will be 4 digits, etc. If you rely on the
length of it, you should probably use sprintf.

Regards,

Leon Timmermans


------------------------------

Date: Fri, 27 Jun 2008 09:14:12 -0700 (PDT)
From: PugetSoundSylvia@gmail.com
Subject: Re: How to ensure I'm doing lwp with https correctly?
Message-Id: <68c61a36-5101-4c51-b7e2-0a7a0c69478e@s33g2000pri.googlegroups.com>

On Jun 23, 4:22 pm, "comp.llang.perl.moderated" <c...@blv-sam-01.ca.boeing.com> wrote:
> On Jun 23, 11:29 am, PugetSoundSyl...@gmail.com wrote:
>
>
>
> > I'm using LWP for programmatic access to a website.  I'm using https,
> > and have installed Crypt::SSLeay (hopefully correctly).
>
> > What I'd like to do is make sure that my https access is actually
> > correctly set up, and that I am accessing everything securely.  Any
> > ideas on how I can double-check that everything is happening
> > correctly?  Or is there something I can use to audit my connection?
> > If I didn't do the Crypt::SSLeay install correctly, would https access
> > just not work, or would it just default to http?
>
> If Crypt::SSLeay installed successfully
> and passed its test suite, you can be
> reasonably assured that SSL transactions
> occur. You can confirm actual details of the exchange by setting:
>
>     $ENV{HTTPS_DEBUG} = 1
>
> before initiating the connection. See:
> perldoc Crypt::SSLeay.
>
> Also, if using Perl's LWP module, you
> can add:
>
>     use LWP::Debug qw/+/
>
> for other details of the exchange.
> See perldoc LWP::Debug for less
> verbose settings.
>
> Here's an example with HTTPS_DEBUG and LWP::Debug set:
>
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
>
> LWP::UserAgent::new: ()
> HTTP::Cookies::add_cookie_header: Checking ... for cookies
>
> LWP::UserAgent::send_request: GET https://....LWP::UserAgent::_need_proxy: Not proxied
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server key exchange A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server key exchange A
>
> --
> Charles DeRykus

Thanks Charles - your debug hints were very helpful.  It looks like
the certificate isn't even checked when doing https UNLESS you have
the HTTPS_CA_DIR environment variable set.  Then it checks (and in my
case it's failing with a bad certificate error as below)

LWP::UserAgent::new: ()
LWP::UserAgent::request: ()
LWP::UserAgent::send_request: GET https://xxxxxxxxxx.org/api/login.php?name=xxxxxx&pass=xxxxxx
LWP::UserAgent::_need_proxy: Not proxied
LWP::Protocol::http::request: ()
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:unknown CA
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:bad certificate
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:error in SSLv2 read server hello A
LWP::UserAgent::request: Simple response: Internal Server Error
Error: 500 SSL negotiation failed:

Now I'm trying to fill the gaps in my understanding of
certificates, which are pretty gaping.

Thanks again for your help.

Sylvia
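
[Added example, not part of Sylvia's post or of any code posted in the thread.] A way to audit a response for the conditions discussed above (certificate not verified, or a fall-back to plain http), using the Client-SSL-* headers that LWP's https handler attaches to responses. The host name, certificate subject and CA bundle path are placeholders, and the three responses are constructed so the check runs offline.

```perl
use strict;
use warnings;
use HTTP::Request;
use HTTP::Response;

# Real use (needs network), with Crypt::SSLeay as in the thread:
#   $ENV{HTTPS_CA_FILE} = '/path/to/ca-bundle.crt';   # placeholder path
#   my $res = LWP::UserAgent->new->get($url);
#   print "$_\n" for tls_findings($res, qr{/CN=api\.example\.test\z});

# Returns a list of problems; an empty list means every hop used https,
# no verification warning was recorded, and the subject matched.
sub tls_findings {
    my ($res, $subject_re) = @_;
    my @found;
    for my $hop ($res->redirects, $res) {    # earlier hops first
        my $req = $hop->request or next;
        my $uri = $req->uri;
        push @found, "plain-text hop: $uri" unless $uri->scheme eq 'https';
    }
    if (my $warning = $res->header('Client-SSL-Warning')) {
        push @found, "warning: $warning";
    }
    my $subject = $res->header('Client-SSL-Cert-Subject');
    if (!defined $subject) {
        push @found, 'no server certificate recorded';
    }
    elsif ($subject !~ $subject_re) {
        push @found, "unexpected subject: $subject";
    }
    return @found;
}

# Constructed responses, not captured traffic.
sub sample {
    my ($code, $url, @headers) = @_;
    my $res = HTTP::Response->new($code, undef, \@headers);
    $res->request(HTTP::Request->new(GET => $url));
    return $res;
}

my @cert = (
    'Client-SSL-Cipher'       => 'AES256-SHA',
    'Client-SSL-Cert-Subject' => '/C=US/O=Example/CN=api.example.test',
);
my $verified   = sample(200, 'https://api.example.test/login', @cert);
my $unverified = sample(200, 'https://api.example.test/login', @cert,
    'Client-SSL-Warning' => 'Peer certificate not verified');
my $downgraded = sample(200, 'https://api.example.test/login', @cert);
$downgraded->previous(sample(302, 'http://api.example.test/login'));

my $want = qr{/CN=api\.example\.test\z};
for my $case ([verified => $verified], [unverified => $unverified],
              [downgraded => $downgraded]) {
    my ($name, $res) = @$case;
    my @found = tls_findings($res, $want);
    print "$name: ", (@found ? join('; ', @found) : 'ok'), "\n";
}
```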






------------------------------

Date: Fri, 27 Jun 2008 12:17:36 +0200
From: Gunnar Hjalmarsson <noreply@gunnar.cc>
Subject: Re: Simplest way (or module) to tweak query in CGI server-side   validation
Message-Id: <6cjsu8F25jvptU1@mid.individual.net>

jerrykrinock@gmail.com wrote:
> On Jun 12, 7:37 pm, Gunnar Hjalmarsson <nore...@gunnar.cc> wrote:
>> Sounds like you don't want to just redirect, after all, but rather
>> submit a new query. The libwww-perl family of modules can do that; see
>> for instance LWP::UserAgent.
> 
> Thank you, Gunnar.  After playing with this for a couple weeks (not
> full-time), I decided that I ^really^do^ want a redirect, not to
> submit a new query.  The reason is that I need the user to get a
> response from the site that I redirected to, not my redirecting/
> tweaking script.  I could not find any function in LWP::UserAgent to
> do a redirect, so I used CGI.
> 
> I have uploaded two "bonehead" scripts:
>     "Redirector.pl" redirects to "QueryHandler.pl", using CGI's
> "redirect" function.
>     "QueryHandler.pl echoes the query back to the user, using CGI's
> "Dump()" function.
> 
> Result of Experiments:
> 
> If you "go direct", entering into your web browser something like:
>    http://sheepsystems.com/cgi-test/sales/QueryHandler.pl?name=Jerry&color=blue
> you get your query echoed back to you as expected.
> 
> But if you try and do that through my redirect, entering
>    http://sheepsystems.com/cgi-test/sales/Redirector.pl?name=Jerry&color=blue
> it gets redirected OK but you don't get your query pairs echoed back.
> This is because QueryHandler.pl does not get the query pairs. (I have
> also confirmed this by writing to a log file.)
> 
> Is there any way to pass a query through a redirecting script, or am I
> expecting something that is fundamentally impossible?

<snip>

Try this variant of Redirector.pl:

#!/usr/bin/perl

use strict ;
use warnings ;
use CGI ;
use URI::Escape;

my $httpQuery = new CGI;
my $redirectURL =
   "http://sheepsystems.com/cgi-test/sales/QueryHandler.pl" ;
addquery( $redirectURL );
print $httpQuery->redirect($redirectURL) ;

sub addquery {
     my %params = $httpQuery->Vars;

     # change the params to your liking

     my %esc_params;
     while ( my ($k, $v) = each %params ) {
         $esc_params{ uri_escape($k) } = uri_escape($v);
     }
     my $query = join ';', map "$_=$esc_params{$_}", keys %esc_params;
     $_[0] .= "?$query" if $query;
}

__END__

-- 
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl


------------------------------

Date: Fri, 27 Jun 2008 11:33:05 -0700 (PDT)
From: jerrykrinock@gmail.com
Subject: Re: Simplest way (or module) to tweak query in CGI server-side  validation
Message-Id: <a400dacc-66e8-45fb-bb43-565f2f919117@56g2000hsm.googlegroups.com>

On Jun 27, 3:17 am, Gunnar Hjalmarsson <nore...@gunnar.cc> wrote:

> Try this variant of Redirector.pl:

Big thanks to Gunnar.  Yes, it works.  So, the query is ^not^
automatically carried through by CGI.  I have to read in the query,
change as desired, then append it to the redirect URL, starting with
"?".  Very simple!

One more thing, though.  I believe that this GET request will serve my
purposes, but what if I needed to POST the parameters to the
redirect?  I've read some indications that this may not be possible.

The only way I've ever seen a POST transmitted is to use an HTML
<form>.  Is there a "bare metal" way to transmit a POST?  In order to
^receive^ a POST from CGI using "bare metal", I know you can simply
read STDIN.  By analogy, I tried to ^transmit^ a POST by simply
print()-ing out the "key1=value1;key2=value2" string before or after
print($cgi->redirect()), but that does not seem to work.  I have
tested and verified that my QueryHandler.pl will handle POST as well
as GET requests from curl, but it does not echo any parameters when
handling a redirect from Redirect.pl, so modified to print() a POST.

Jerry


------------------------------

Date: 27 Jun 2008 21:19:46 GMT
From: xhoster@gmail.com
Subject: Re: Simplest way (or module) to tweak query in CGI server-side validation
Message-Id: <20080627171949.424$Fq@newsreader.com>

jerrykrinock@gmail.com wrote:
> On Jun 27, 3:17 am, Gunnar Hjalmarsson <nore...@gunnar.cc> wrote:
>
> > Try this variant of Redirector.pl:
>
> Big thanks to Gunnar.  Yes, it works.  So, the query is ^not^
> automatically carried through by CGI.  I have to read in the query,
> change as desired, then append it to the redirect URL, starting with
> "?".  Very simple!
>
> One more thing, though.  I believe that this GET request will serve my
> purposes, but what if I needed to POST the parameters to the
> redirect?  I've read some indications that this may not be possible.

You can direct the user's web-browser to submit to another CGI via GET by
writing it into the URL you are redirecting to.  This mostly works because
it is just another URL, and the web browser probably doesn't know or care
it is for CGI.  Obviously you would require more active support from the
browser in order to do this with a POST rather than a GET.  And the
browser is unlikely to provide this support, both because it is extra work
and for security reasons.

If the place you are redirecting to will accept a GET instead of a POST,
you could rewrite the POST to your site into the form of a GET for
redirecting. If the place you are redirecting to will not accept GET, or
the query string is too long to be in the form of a GET, that won't work.
What I've done in the past is use LWP to have my CGI post the POST to the
other site, and have the CGI receive the response and proxy it back to the
user (adding a BASE tag to it so links resolve properly).

Xho

-- 
-------------------- http://NewsReader.Com/ --------------------
The costs of publication of this article were defrayed in part by the
payment of page charges. This article must therefore be hereby marked
advertisement in accordance with 18 U.S.C. Section 1734 solely to indicate
this fact.


------------------------------

Date: Fri, 27 Jun 2008 06:39:57 -0700 (PDT)
From: Ronny Mandal <ronnyma@math.uio.no>
Subject: Template Toolkit and USE
Message-Id: <13219de6-3507-41e5-94ec-5d26dd60d8f4@i76g2000hsf.googlegroups.com>

Hi!

I've installed the module URI from CPAN. This works perfectly on perl-
scripts, however when running tpage CLI it issues an error message,
e.g.

 ./test.tt:

[% USE URI %]

[ronny@pops]/home/ronny/development/tt(387): tpage test.tt
plugin error - URI: plugin not found
[ronny@pops]/home/ronny/development/tt(388):

Any suggestions? When dumping the @INC, URI.pm is contained in at
least one of the paths.

Regards,

Ronny Mandal


------------------------------

Date: Fri, 27 Jun 2008 17:12:12 +0100
From: Ben Morrow <ben@morrow.me.uk>
Subject: Re: Template Toolkit and USE
Message-Id: <s3gfj5-cr1.ln1@osiris.mauzo.dyndns.org>


Quoth Ronny Mandal <ronnyma@math.uio.no>:
> 
> I've installed the module URI from CPAN. This works perfectly on perl-
> scripts, however when running tpage CLI it issues an error message,
> e.g.
> 
> ./test.tt:
> 
> [% USE URI %]
> 
> [ronny@pops]/home/ronny/development/tt(387): tpage test.tt
> plugin error - URI: plugin not found
> [ronny@pops]/home/ronny/development/tt(388):
> 
> Any suggestions? When dumping the @INC, URI.pm is contained in at
> least one of the paths.

If you are trying to load URI.pm itself as a plugin you will need to
specify LOAD_PERL => 1 in your template config.

Ben

-- 
Many users now operate their own computers day in and day out on various
applications without ever writing a program. Indeed, many of these users
cannot write new programs for their machines...
    -- F.P. Brooks, 'No Silver Bullet', 1987             [ben@morrow.me.uk]


------------------------------

Date: Fri, 27 Jun 2008 10:08:40 -0700 (PDT)
From: Ronny Mandal <ronnyma@math.uio.no>
Subject: Re: Template Toolkit and USE
Message-Id: <370c3fde-315e-4158-bb0b-7a7e1148d10e@d45g2000hsc.googlegroups.com>

On Jun 27, 6:12 pm, Ben Morrow <b...@morrow.me.uk> wrote:
> Quoth Ronny Mandal <ronn...@math.uio.no>:
>
>
>
> > I've installed the module URI from CPAN. This works perfectly on perl-
> > scripts, however when running tpage CLI it issues an error message,
> > e.g.
>
> > ./test.tt:
>
> > [% USE URI %]
>
> > [ronny@pops]/home/ronny/development/tt(387): tpage test.tt
> > plugin error - URI: plugin not found
> > [ronny@pops]/home/ronny/development/tt(388):
>
> > Any suggestions? When dumping the @INC, URI.pm is contained in at
> > least one of the paths.
>
> If you are trying to load URI.pm itself as a plugin you will need to
> specify LOAD_PERL => 1 in your template config.

The system is obviously configured with that setting, I am able to load
a plethora of modules, except the URI.pm.

Or are you saying that the URI.pm requires this setting, the others
not?

-Ronny


------------------------------

Date: Fri, 27 Jun 2008 18:50:07 +0100
From: Ben Morrow <ben@morrow.me.uk>
Subject: Re: Template Toolkit and USE
Message-Id: <erlfj5-vg7.ln1@osiris.mauzo.dyndns.org>


Quoth Ronny Mandal <ronnyma@math.uio.no>:
> On Jun 27, 6:12 pm, Ben Morrow <b...@morrow.me.uk> wrote:
> > Quoth Ronny Mandal <ronn...@math.uio.no>:
> >
> > > I've installed the module URI from CPAN. This works perfectly on perl-
> > > scripts, however when running tpage CLI it issues an error message,
> > > e.g.
> >
> > > ./test.tt:
> >
> > > [% USE URI %]
> >
> > > [ronny@pops]/home/ronny/development/tt(387): tpage test.tt
> > > plugin error - URI: plugin not found
> > > [ronny@pops]/home/ronny/development/tt(388):
> >
> > > Any suggestions? When dumping the @INC, URI.pm is contained in at
> > > least one of the paths.
> >
> > If you are trying to load URI.pm itself as a plugin you will need to
> > specify LOAD_PERL => 1 in your template config.
>
> The system is obviously configured with that setting, I am able to load
> a plethora of modules, except the URI.pm.
> 
> Or are you saying that the URI.pm requires this setting, the others
> not?

I don't know. If you are having specific problems loading URI.pm, as
opposed to loading other non-TT modules as plugins, please post a
minimal complete program that demonstrates the problem.

Ben

-- 
               We do not stop playing because we grow old; 
                  we grow old because we stop playing.
                            ben@morrow.me.uk


------------------------------

Date: Fri, 27 Jun 2008 11:00:10 -0700 (PDT)
From: Thierry <lamthierry@gmail.com>
Subject: Using System to read mixed cased environment variables on Windows
Message-Id: <4cc7d7bc-8d6f-4cb6-87be-f3934727d902@j1g2000prb.googlegroups.com>

On Windows XP Pro 32 bit, if I want to output environment variables
PYTHON or ProgramFiles, I use the set command which outputs the
following:

C:\set PYTHON
PYTHON=C:\Python24\python.exe
C:\set ProgramFiles
ProgramFiles=C:\Program Files

If I used Perl 5.003_07 and use the system subroutine to show the
environment variables, I get the following.  Perl script is:

system("set PYTHON");
system("set ProgramFiles");

Output is:
PYTHON=C:\Python24\python.exe
PROGRAMFILES=C:\Program Files

You'll notice that through system, the environment variable
ProgramFiles is all in upper case.  Is there a way to preserve the
mixed case of the environment variable through system(...)?


------------------------------

Date: Fri, 27 Jun 2008 13:20:24 -0700 (PDT)
From: Ron Bergin <rkb@i.frys.com>
Subject: Re: Using System to read mixed cased environment variables on Windows
Message-Id: <408e092b-be9a-4568-8d0e-29b5dd532dbc@w1g2000prd.googlegroups.com>

On Jun 27, 10:00 am, Thierry <lamthie...@gmail.com> wrote:
> On Windows XP Pro 32 bit, if I want to output environment variables
> PYTHON or ProgramFiles, I use the set command which output the
> following:
>
> C:\set PYTHON
> PYTHON=C:\Python24\python.exe
> C:\set ProgramFiles
> ProgramFiles=C:\Program Files
>
> If I used Perl 5.003_07

That's a fairly old version.  You should upgrade to at least 5.8

> and use the system subroutine to show the
> environment variables, I get the following.  Perl script is:
>
> system("set PYTHON");
> system("set ProgramFiles");
>
There's no reason to use a system call.  Your environment variables
are already stored in the %ENV hash.

print $ENV{'ProgramFiles'};


------------------------------

Date: 6 Apr 2001 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin) 
Subject: Digest Administrivia (Last modified: 6 Apr 01)
Message-Id: <null>


Administrivia:

#The Perl-Users Digest is a retransmission of the USENET newsgroup
#comp.lang.perl.misc.  For subscription or unsubscription requests, send
#the single line:
#
#	subscribe perl-users
#or:
#	unsubscribe perl-users
#
#to almanac@ruby.oce.orst.edu.  

NOTE: due to the current flood of worm email banging on ruby, the smtp
server on ruby has been shut off until further notice. 

To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.

#To request back copies (available for a week or so), send your request
#to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
#where x is the volume number and y is the issue number.

#For other requests pertaining to the digest, send mail to
#perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
#sending perl questions to the -request address, I don't have time to
#answer them even if I did know the answer.


------------------------------
End of Perl-Users Digest V11 Issue 1676
***************************************

