The Linux Page

Insecure $ENV{PATH} ...

Perl protected mode

Today, I was trying to run psql from a program when I got this error:

Insecure $ENV{PATH} while running setuid at ...

At first, I thought that psql would be testing something about the user, but in fact, psql is a perl script that runs in secure mode. In other words, this applies to any tool written in perl that runs with the -T command line option: variables that may be tainted, such as the PATH environment variable, are considered insecure.

The perl interpreter checks that the real user identifier is the same as the effective user identifier. When they differ, the interpreter automatically switches to taint mode, and the tainted PATH variable then makes it stop with that error.

In my case, my program is written in C, so I could simply force the real user identifier to match the effective one and make everything work as expected:

#include <unistd.h>   /* geteuid() and setresuid(); glibc needs _GNU_SOURCE defined first */
uid_t unix_uid = geteuid();                          /* current effective user identifier */
if (setresuid(unix_uid, unix_uid, unix_uid) != 0)    /* real, effective and saved user ids */
    perror("setresuid");                             /* perror() needs <stdio.h> */

That code gets the current effective user identifier and sets it as the real, effective and saved user identifiers, which are the three user identifiers a process has on Linux.

On an older operating system, setresuid() may not exist and you may need to use setuid() or a similar function instead.

After I added that call, the error disappeared.
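As an added example (not the original program of this post), the same fix generalized a little: perl also enables taint mode when the real and effective group identifiers differ, so the helper below aligns both the user and the group identifiers, and it checks the result the way perl will before the program goes on to run the perl tool. Function names are my own.

```c
#define _GNU_SOURCE          /* glibc: setresuid()/setresgid() prototypes */
#include <stdio.h>
#include <unistd.h>

/* Returns 1 when perl would force taint mode on: the real and effective
 * user ids differ, or the real and effective group ids differ.  perl's
 * taint checks then reject the tainted $ENV{PATH} with the error shown
 * above, even when -T was never passed on the command line. */
int perl_would_force_taint(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Make the real, effective and saved ids all equal to the current
 * effective ids, so that a child perl interpreter no longer sees a
 * setuid or setgid process.  Returns 0 on success, -1 on failure
 * (errno is set by the failing call). */
int align_ids_to_effective(void)
{
    uid_t uid = geteuid();
    gid_t gid = getegid();

    /* Groups first: once the uid has been lowered the process may no
     * longer be allowed to change its gid. */
    if (setresgid(gid, gid, gid) != 0) {
        perror("setresgid");
        return -1;
    }
    if (setresuid(uid, uid, uid) != 0) {
        perror("setresuid");
        return -1;
    }
    /* Verify rather than trust the return codes: a partially applied
     * change would still trip perl's check in the child. */
    return perl_would_force_taint() ? -1 : 0;
}

int main(void)
{
    printf("before: taint forced = %d\n", perl_would_force_taint());
    if (align_ids_to_effective() != 0)
        return 1;
    printf("after:  taint forced = %d\n", perl_would_force_taint());
    /* From here on, running psql (or any other perl tool) is safe. */
    return 0;
}
```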

If you are in control of the script, another solution is to set the PATH variable explicitly within your perl code (as mentioned by the anonymous commenter below). In other words:

$ENV{PATH} = '/bin:/usr/bin';

More information about the secure version of the perl interpreter.

Re: Insecure $ENV{PATH} ...

This is wrong. Perl has a -T flag that requires you to "untaint" any user data before using it. It also requires you to specifically set the ENV var PATH before using any relatively pathed external programs, in this case, "suid".
$ENV{PATH} = '/bin:/usr/bin';

is what's needed.