diff options
author | Perl 5 Porters <perl5-porters@africa.nicoh.com> | 1997-09-05 00:00:00 +0000 |
---|---|---|
committer | Tim Bunce <Tim.Bunce@ig.co.uk> | 1997-09-05 00:00:00 +0000 |
commit | fb73857aa0bfa8ed43d4d2f972c564c70a57e0c4 (patch) | |
tree | 97d2a45b0611b7b171257c2bc54d6532de48ff7f /pod/perlsec.pod | |
parent | 464ed3b648d262825ad1bfc5a2e55de2507fd651 (diff) | |
parent | 62b753c6ae4ab9bf22fbb6ec7ceac820bcef8fe4 (diff) | |
download | perl-fb73857aa0bfa8ed43d4d2f972c564c70a57e0c4.tar.gz |
[inseparable changes from patch to perl 5.004_04]perl-5.004_04
[editor's note: this one imported like a charm!]
TESTS -
Subject: Improve pragma/locale test 102 - and don't fail, just warn
From: Jarkko Hietaniemi <jhi@anna.in-berlin.de>
Files: t/pragma/locale.t
Subject: Invalid test output in t/op/taint.t in trial 1
From: Dan Sugalski <sugalsd@lbcc.cc.or.us>
Files: t/op/taint.t
t/op/taint.t prints out invalid ok messages for tests it skips.
Rather than printing "ok 136" it prints "136 ok".
p5p-msgid: 3.0.3.32.19970919160918.00857a50@stargate.lbcc.cc.or.us
UTILITIES -
Subject: Perldoc tiny patch to avoid $0
From: Ilya Zakharevich <ilya@math.ohio-state.edu>
Files: utils/perldoc.PL
Msg-ID: 199709122141.RAA16846@monk.mps.ohio-state.edu
(applied based on p5p patch as commit 0b166b6635cf199f072db516b2a523ee659394d5)
Subject: h2ph broken in 5.004_02
From: David Mazieres <dm@reeducation-labor.lcs.mit.edu>
Files: utils/h2ph.PL
Msg-ID: 199708201700.KAA02621@www.chapin.edu
(applied based on p5p patch as commit 4a8e146e38ec2045f1f817a7cb578e1b1f80f39f)
Subject: add key_t caddr_t to h2ph
From: Tony Sanders <sanders@bsdi.com>
Files: eg/sysvipc/ipcsem utils/h2ph.PL
Msg-ID: 199708272301.RAA12803@austin.bsdi.com
(applied based on p5p patch as commit 0806a92ffc3a74ca70aa81051cdf2a306cd0a8af)
Subject: perldoc search ., lib and blib/* if -f 'Makefile.PL'
From: Tim Bunce <Tim.Bunce@ig.co.uk>
Files: utils/perldoc.PL
Subject: perldoc finds wrong pod2man
(from perldoc source)
# We must look both in @INC for library modules and in PATH
# for executables, like h2xs or perldoc itself.
Unfortunately, searching PATH for installed perl executables like
pod2man is INCORRECT. perldoc should start by searching the
directory it was executed from, which might not be in the PATH
at all.
Credited: Joseph "Moof-in'" Hall <joseph@cscaper.com>
p5p-msgid: 199708251732.KAA19299@gadget.cscaper.com
Subject: 5.004m4t1: perlbug: NIS domainname gets into wrong places
From: Andreas J. Koenig <koenig@anna.mind.de>
Files: utils/perlbug.PL
Msg-ID: sfcg1qy38as.fsf@anna.in-berlin.de
(applied based on p5p patch as commit 41f926b844140b7f7eaa9302113e45df3a9f9ff4)
Subject: add better local patch info to perlbug
From: Tim Bunce <Tim.Bunce@ig.co.uk>
Files: utils/perlbug.PL
Subject: perldoc - suggest modules if requested module not found
From: Anthony David <adavid@netinfo.com.au>
Files: utils/perldoc.PL
private-msgid: 3439CD83.6969@netinfo.com.au
Subject: perldoc mail::foo tries to read binary /usr/ucb/mail
From: Tim Bunce <Tim.Bunce@ig.co.uk>
Files: utils/perldoc.PL
Subject: perldoc weirdness
perldoc mail::imap yields:
{joseph}:79% perldoc mail::foo
can't open /usr/ucb/mail: Permission denied at ./pod2man line 362.
Credited: Joseph "Moof-in'" Hall <joseph@cscaper.com>
p5p-msgid: 199710082014.NAA00808@gadget.cscaper.com
Subject: perldoc -f setpwent (for example) returns no descriptive text
From: Tim Bunce <Tim.Bunce@ig.co.uk>
Files: utils/perldoc.PL
Subject: perldoc diffs: don't search auto - much faster
From: "Joseph N. Hall" <joseph@5sigma.com>
Files: utils/perldoc.PL
Msg-ID: MailDrop1.2d7dPPC.971012211957@screechy.cscaper.com
(applied based on p5p patch as commit 62b753c6ae4ab9bf22fbb6ec7ceac820bcef8fe4)
Diffstat (limited to 'pod/perlsec.pod')
-rw-r--r-- | pod/perlsec.pod | 70 |
1 files changed, 40 insertions, 30 deletions
diff --git a/pod/perlsec.pod b/pod/perlsec.pod index 1a1ae21e81..73884790b0 100644 --- a/pod/perlsec.pod +++ b/pod/perlsec.pod @@ -18,25 +18,28 @@ user or group IDs. The setuid bit in Unix permissions is mode 04000, the setgid bit mode 02000; either or both may be set. You can also enable taint mode explicitly by using the B<-T> command line flag. This flag is I<strongly> suggested for server programs and any program run on behalf of -someone else, such as a CGI script. +someone else, such as a CGI script. Once taint mode is on, it's on for +the remainder of your script. While in this mode, Perl takes special precautions called I<taint checks> to prevent both obvious and subtle traps. Some of these checks are reasonably simple, such as verifying that path directories aren't writable by others; careful programmers have always used checks like these. Other checks, however, are best supported by the language itself, -and it is these checks especially that contribute to making a setuid Perl +and it is these checks especially that contribute to making a set-id Perl program more secure than the corresponding C program. -You may not use data derived from outside your program to affect something -else outside your program--at least, not by accident. All command line -arguments, environment variables, locale information (see L<perllocale>), -and file input are marked as "tainted". Tainted data may not be used -directly or indirectly in any command that invokes a sub-shell, nor in any -command that modifies files, directories, or processes. Any variable set -within an expression that has previously referenced a tainted value itself -becomes tainted, even if it is logically impossible for the tainted value -to influence the variable. Because taintedness is associated with each +You may not use data derived from outside your program to affect +something else outside your program--at least, not by accident. All +command line arguments, environment variables, locale information (see +L<perllocale>), results of certain system calls (readdir, readlink, +the gecos field of getpw* calls), and all file input are marked as +"tainted". Tainted data may not be used directly or indirectly in any +command that invokes a sub-shell, nor in any command that modifies +files, directories, or processes. Any variable set +to a value derived from tainted data will itself be tainted, +even if it is logically impossible for the tainted data +to alter the variable. Because taintedness is associated with each scalar value, some elements of an array can be tainted and others not. For example: @@ -90,8 +93,9 @@ doing something like the last example above. =head2 Laundering and Detecting Tainted Data To test whether a variable contains tainted data, and whose use would thus -trigger an "Insecure dependency" message, you can use the following -I<is_tainted()> function. +trigger an "Insecure dependency" message, check your nearby CPAN mirror +for the F<Taint.pm> module, which should become available around November +1997. Or you may be able to use the following I<is_tainted()> function. sub is_tainted { return ! eval { @@ -172,8 +176,8 @@ makes sure you set the PATH. It's also possible to get into trouble with other operations that don't care whether they use tainted values. Make judicious use of the file tests in dealing with any user-supplied filenames. When possible, do -opens and such after setting C<$E<gt> = $E<lt>>. (Remember group IDs, -too!) Perl doesn't prevent you from opening tainted filenames for reading, +opens and such B<after> properly dropping any special user (or group!) +privileges. Perl doesn't prevent you from opening tainted filenames for reading, so be careful what you print out. The tainting mechanism is intended to prevent stupid mistakes, not to remove the need for thought. @@ -199,30 +203,36 @@ doing something it shouldn't. Here's a way to do backticks reasonably safely. Notice how the B<exec> is not called with a string that the shell could expand. This is by far the best way to call something that might be subjected to shell escapes: just -never call the shell at all. By the time we get to the B<exec>, tainting -is turned off, however, so be careful what you call and what you pass it. +never call the shell at all. use English; - die unless defined $pid = open(KID, "-|"); + die "Can't fork: $!" unless defined $pid = open(KID, "-|"); if ($pid) { # parent while (<KID>) { # do something } close KID; } else { + my @temp = ($EUID, $EGID); $EUID = $UID; $EGID = $GID; # XXX: initgroups() not called + # Make sure privs are really gone + ($EUID, $EGID) = @temp; + die "Can't drop privileges" unless + $UID == $EUID and + $GID eq $EGID; # String test $ENV{PATH} = "/bin:/usr/bin"; - exec 'myprog', 'arg1', 'arg2'; + exec 'myprog', 'arg1', 'arg2' or die "can't exec myprog: $!"; } -A similar strategy would work for wildcard expansion via C<glob>. +A similar strategy would work for wildcard expansion via C<glob>, although +you can use C<readdir> instead. Taint checking is most useful when although you trust yourself not to have written a program to give away the farm, you don't necessarily trust those who end up using it not to try to trick it into doing something bad. This -is the kind of security checking that's useful for setuid programs and +is the kind of security checking that's useful for set-id programs and programs launched on someone else's behalf, like CGI programs. This is quite different, however, from not even trusting the writer of the @@ -236,28 +246,28 @@ are trapped and namespace access is carefully controlled. =head2 Security Bugs Beyond the obvious problems that stem from giving special privileges to -systems as flexible as scripts, on many versions of Unix, setuid scripts +systems as flexible as scripts, on many versions of Unix, set-id scripts are inherently insecure right from the start. The problem is a race condition in the kernel. Between the time the kernel opens the file to -see which interpreter to run and when the (now-setuid) interpreter turns +see which interpreter to run and when the (now-set-id) interpreter turns around and reopens the file to interpret it, the file in question may have changed, especially if you have symbolic links on your system. Fortunately, sometimes this kernel "feature" can be disabled. Unfortunately, there are two ways to disable it. The system can simply -outlaw scripts with the setuid bit set, which doesn't help much. -Alternately, it can simply ignore the setuid bit on scripts. If the +outlaw scripts with any set-id bit set, which doesn't help much. +Alternately, it can simply ignore the set-id bits on scripts. If the latter is true, Perl can emulate the setuid and setgid mechanism when it notices the otherwise useless setuid/gid bits on Perl scripts. It does this via a special executable called B<suidperl> that is automatically invoked for you if it's needed. -However, if the kernel setuid script feature isn't disabled, Perl will -complain loudly that your setuid script is insecure. You'll need to -either disable the kernel setuid script feature, or put a C wrapper around +However, if the kernel set-id script feature isn't disabled, Perl will +complain loudly that your set-id script is insecure. You'll need to +either disable the kernel set-id script feature, or put a C wrapper around the script. A C wrapper is just a compiled program that does nothing except call your Perl program. Compiled programs are not subject to the -kernel bug that plagues setuid scripts. Here's a simple wrapper, written +kernel bug that plagues set-id scripts. Here's a simple wrapper, written in C: #define REAL_PATH "/path/to/script" @@ -278,7 +288,7 @@ for each of them. In recent years, vendors have begun to supply systems free of this inherent security bug. On such systems, when the kernel passes the name -of the setuid script to open to the interpreter, rather than using a +of the set-id script to open to the interpreter, rather than using a pathname subject to meddling, it instead passes I</dev/fd/3>. This is a special file already opened on the script, so that there can be no race condition for evil scripts to exploit. On these systems, Perl should be |