tags:

views:

736

answers:

2
+2  Q: 

Python 2.6 subprocess.call() appears to be invoking setgid behavior triggering Perl's taint checks. How can I resolve?

I've got some strange behavioral differences between Python's subprocess.call() and os.system() that appears to be related to setgid. The difference is causing Perl's taint checks to be invoked when subprocess.call() is used, which creates problems because I do not have the ability to modify all the Perl scripts that would need untaint code added to them.

Example, "process.py"

#!/usr/bin/python

import os, subprocess

print "Python calling os.system"
os.system('perl subprocess.pl true')
print "Python done calling os.system"
print "Python calling subprocess.call"
subprocess.call(['perl', 'subprocess.pl', 'true'])
print "Python done calling subprocess.call"

"subprocess.pl"

#!/usr/bin/perl

print "perl subprocess\n";
`$ARGV[0]`;
print "perl subprocess done\n";

The output - both runs of subprocess.pl should be the same, but the one run with subprocess.call() gets a taint error:

mybox> process.py
Python calling os.system
perl subprocess
perl subprocess done
Python done calling os.system
Python calling subprocess.call
perl subprocess
Insecure dependency in `` while running setgid at subprocess.pl line 4.
Python done calling subprocess.call
mybox>

While using os.system() works, I would really rather be using subprocess.check_call() as it's more forward-compatible and has nice checking behaviors.

Any suggestions or documentation that might explain why these two are different? Is it possible this is some strange setting in my local unix environment that is invoking these behaviors?

A: 

Doesn't happen for me:

$ python proc.py
Python calling os.system
perl subprocess
perl subprocess done
Python done calling os.system
Python calling subprocess.call
perl subprocess
perl subprocess done
Python done calling subprocess.call

$ python --version
Python 2.5.2

$ perl --version
This is perl, v5.8.8 built for i486-linux-gnu-thread-multi

What are your version numbers?

Under what sort of account are you running?

EDIT:

Sorry missed the title - I don't have python 2.6 anywhere easy to access, so I'll have to leave this problem.

EDIT:

So it looks like we worked out the problem - sgid on the python 2.6 binary.

It would also be interesting to see if subprocess with the shell also avoids the problem.

Douglas Leeder  2009-06-02 17:13:47
Python 2.6.1 has the problem, 2.5.2 does not appear to have the problem (those are the versions I happen to have installed). The Perl version is a 5.8.5. I'm digging through the "What's new in Python" pages to try and find something related.
Mike Miller  2009-06-02 19:14:43
Also, I forgot to mention this is a SuSE 9 Linux install (with some tweaks and extra programs from my friendly Engineering Computing department)
Mike Miller  2009-06-02 19:18:15
+1  A: 

I think your error is with perl, or the way it's interacting with your environment. Your backtick process is calling setgid for some reason. The only way I can replicate this, is to setgid on /usr/bin/perl (-rwxr-sr-x). [EDIT] Having python setgid does this too!

[EDIT] I forgot that os.system is working for you. I think the only relevant difference here, is that with os.system the environment is not inherited by the subprocess. Look through the environment of each subprocess, and you may find your culprit.

JimB  2009-06-02 18:45:03
Interesting that you were able to reproduce it that way. I just discovered that if I switch Python to the 2.5.2 that I have installed, the problem goes away. I checked my Perl binary and it does not have the setgid bit set on it. It might be something wrong with the Python install.
Mike Miller  2009-06-02 19:18:31
Ah! the setgid bit is set on the 2.6.1 Python binary! Unexpected, but hopefully I can get the sysadmin to fix that and make the problem go away.
Mike Miller  2009-06-02 19:34:54
HA - I just tried that combo, but you beat me to it ;)
JimB  2009-06-02 19:36:58
That fixed the problem. Thanks so much for your help!
Mike Miller  2009-06-02 21:46:05

related questions

Programmatically talking to a Serial Port in OS X or Linux
Best ways to teach a beginner to program?
Calling a Function From a String With the Function's Name in Python
An executable Python app
Text Editor For Linux (Besides Vi)?
What Hosting Service is best for Django applications?
File size differences after copying a file to a server vía FTP
Python: what is the difference between (1,2,3) and [1,2,3], and when should I use each?
Python: What OS am I running on?
How do I make a menu in python that does not require the user to press (enter) to make a selection?
How do you express binary literals in Python?
What is the most efficient graph data structure in Python?
Adding a Method to an Existing Object
How to learn Python: Good Example Code?
How do I use Python's itertools.groupby()?
Python and MySQL
Class views in Django
Is there an IDE that provides code completion for Python
Using 'in' to match an attribute of Python objects in an array
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Continuous Integration System for a Python Codebase
Get a preview jpeg of a pdf on windows?
How can I find the full path to a font from its display name on a Mac?
XML Processing in Python