[swish-e] Request for help: Getting swish.cgi to run without taint complaints

From: at <David>
Date: Tue, 10 Jan 2012 14:43:28 +0100

I run a small mailman site inside my company and had swish-e indexing 
correctly and searchable using swish.cgi for a while, but I believe a 
CentOS upgrade changed something (I believe).  I've been fighting to get 
it working again but without success.  Before I go entirely bald, I'm 
hoping someone here can point me at the obvious (and probably silly) 
thing I'm doing.

I've spent quite a while with My Friend Google and in the archives but 
not found any solution.

The first thing that I get in httpd's error.log is (oursite is really 
the FQDN of the site):

[Tue Jan 10 14:31:33 2012] [error] [client] 
/usr/lib/mailman/cgi-bin/swish.cgi aborted: Insecure $ENV{PATH} while 
running setgid at /usr/lib/mailman/cgi-bin/swish.cgi line 2133., 

I then went in and added the following in swish.cgi:

$ENV{PATH} = "/usr/local/bin:/bin:/usr/bin";
delete @ENV{ 'IFS', 'CDPATH', 'ENV', 'BASH_ENV' };

which changed the error to:

[Tue Jan 10 14:35:08 2012] [error] [client] 
/usr/lib/mailman/cgi-bin/swish.cgi aborted: Insecure dependency in exec 
while running setgid at /usr/lib/mailman/cgi-bin/swish.cgi line 2135., 

This is a bit beyond my perl skills, I'm afraid.  The line in question is:

         unless ( exec $self->{prog},  $self->swish_command_array ) {

in this chunk:

     if ( !$pid ) {  # in child
         unless ( exec $self->{prog},  $self->swish_command_array ) {
             warn "Child process Failed to exec '$self->{prog}' Error: $!";
             print "Failed to exec Swish";  # send this message to parent.
         }
     } else {
         $self->{pid} = $pid;
     }

The permissions in the appropriate directory are:
# pwd
# ls -l
total 756
-rwxr-sr-x 1 root mailman  12280 Mar 30  2011 admin
-rwxr-sr-x 1 root mailman  12288 Mar 30  2011 admindb
-rwxr-sr-x 1 root mailman  12288 Mar 30  2011 subscribe
-rwxr-sr-x 1 root mailman 108564 Jan 10 14:34 swish.cgi

and the mailman cgi scripts are working just fine.

I checked out the latest SVN version of and there's no 
change in this code from the latest stable version.

If I run the script as:

SWISH_DEBUG=basic ./swish.cgi >/tmp/outfile

the /tmp/output file looks good.  It points to the correct results.

I'd be grateful if someone can point me in the right direction so I can 
get this working correctly.
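
Added example, not part of the original post and not swish.cgi code: Perl enables taint checks automatically when a script runs setuid or setgid, and "Insecure dependency in exec" means at least one value handed to exec is still tainted. The sketch below reports which positions of an exec argument list are tainted and untaints them through allowlists; the paths, patterns and helper names are hypothetical.

```perl
#!/usr/bin/perl -T
# Added example, not swish.cgi code. Run with: perl -T untaint_exec.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Fixed environment, as in the post; literal assignments are untainted.
$ENV{PATH} = '/usr/local/bin:/bin:/usr/bin';
delete @ENV{ 'IFS', 'CDPATH', 'ENV', 'BASH_ENV' };

# Hypothetical allowlist of binaries this script may exec.
my %ALLOWED_PROG = map { $_ => 1 } ('/usr/local/bin/swish-e');

# Positions in an exec argument list that Perl still treats as tainted.
sub tainted_indexes {
    my @list = @_;
    return grep { tainted( $list[$_] ) } 0 .. $#list;
}

# Untaint by regex capture; die rather than pass anything unexpected.
sub untaint {
    my ( $value, $pattern, $what ) = @_;
    $value =~ /\A($pattern)\z/
        or die "refusing $what: does not match allowlist pattern\n";
    my $clean = $1;
    return $clean;
}

# Return the allowlist's own (untainted) copy of the path, or die.
sub allowed_prog {
    my ($prog) = @_;
    for my $known ( keys %ALLOWED_PROG ) {
        next unless $known eq $prog;
        return $known;
    }
    die "refusing to exec a program that is not on the allowlist\n";
}

# Constructed input: $TAINT is a zero-length tainted string, so each value
# below behaves like data read from a config file or a CGI parameter.
my $TAINT = substr( $^X, 0, 0 );
my $prog  = '/usr/local/bin/swish-e' . $TAINT;
my @args  = ( '-w', 'taint mode' . $TAINT,
              '-f', '/var/lib/demo/index.swish-e' . $TAINT );
print "tainted before: @{[ tainted_indexes( $prog, @args ) ]}\n";

$prog    = allowed_prog($prog);
$args[1] = untaint( $args[1], qr/[\w *"-]{1,200}/,       'query' );
$args[3] = untaint( $args[3], qr{/var/lib/demo/[\w.-]+}, 'index path' );
print "tainted after:  @{[ tainted_indexes( $prog, @args ) ]}\n";
# exec { $prog } $prog, @args would now pass the taint check.
```

The same tainted_indexes call, placed just before a failing exec, shows which element of the command array still needs an allowlist check.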


