summaryrefslogtreecommitdiff
path: root/pod/perlsec.pod
diff options
context:
space:
mode:
authorPerl 5 Porters <perl5-porters@africa.nicoh.com>1997-09-05 00:00:00 +0000
committerTim Bunce <Tim.Bunce@ig.co.uk>1997-09-05 00:00:00 +0000
commitfb73857aa0bfa8ed43d4d2f972c564c70a57e0c4 (patch)
tree97d2a45b0611b7b171257c2bc54d6532de48ff7f /pod/perlsec.pod
parent464ed3b648d262825ad1bfc5a2e55de2507fd651 (diff)
parent62b753c6ae4ab9bf22fbb6ec7ceac820bcef8fe4 (diff)
downloadperl-fb73857aa0bfa8ed43d4d2f972c564c70a57e0c4.tar.gz
[inseparable changes from patch to perl 5.004_04]perl-5.004_04
[editor's note: this one imported like a charm!] TESTS - Subject: Improve pragma/locale test 102 - and don't fail, just warn From: Jarkko Hietaniemi <jhi@anna.in-berlin.de> Files: t/pragma/locale.t Subject: Invalid test output in t/op/taint.t in trial 1 From: Dan Sugalski <sugalsd@lbcc.cc.or.us> Files: t/op/taint.t t/op/taint.t prints out invalid ok messages for tests it skips. Rather than printing "ok 136" it prints "136 ok". p5p-msgid: 3.0.3.32.19970919160918.00857a50@stargate.lbcc.cc.or.us UTILITIES - Subject: Perldoc tiny patch to avoid $0 From: Ilya Zakharevich <ilya@math.ohio-state.edu> Files: utils/perldoc.PL Msg-ID: 199709122141.RAA16846@monk.mps.ohio-state.edu (applied based on p5p patch as commit 0b166b6635cf199f072db516b2a523ee659394d5) Subject: h2ph broken in 5.004_02 From: David Mazieres <dm@reeducation-labor.lcs.mit.edu> Files: utils/h2ph.PL Msg-ID: 199708201700.KAA02621@www.chapin.edu (applied based on p5p patch as commit 4a8e146e38ec2045f1f817a7cb578e1b1f80f39f) Subject: add key_t caddr_t to h2ph From: Tony Sanders <sanders@bsdi.com> Files: eg/sysvipc/ipcsem utils/h2ph.PL Msg-ID: 199708272301.RAA12803@austin.bsdi.com (applied based on p5p patch as commit 0806a92ffc3a74ca70aa81051cdf2a306cd0a8af) Subject: perldoc search ., lib and blib/* if -f 'Makefile.PL' From: Tim Bunce <Tim.Bunce@ig.co.uk> Files: utils/perldoc.PL Subject: perldoc finds wrong pod2man (from perldoc source) # We must look both in @INC for library modules and in PATH # for executables, like h2xs or perldoc itself. Unfortunately, searching PATH for installed perl executables like pod2man is INCORRECT. perldoc should start by searching the directory it was executed from, which might not be in the PATH at all. Credited: Joseph "Moof-in'" Hall <joseph@cscaper.com> p5p-msgid: 199708251732.KAA19299@gadget.cscaper.com Subject: 5.004m4t1: perlbug: NIS domainname gets into wrong places From: Andreas J. Koenig <koenig@anna.mind.de> Files: utils/perlbug.PL Msg-ID: sfcg1qy38as.fsf@anna.in-berlin.de (applied based on p5p patch as commit 41f926b844140b7f7eaa9302113e45df3a9f9ff4) Subject: add better local patch info to perlbug From: Tim Bunce <Tim.Bunce@ig.co.uk> Files: utils/perlbug.PL Subject: perldoc - suggest modules if requested module not found From: Anthony David <adavid@netinfo.com.au> Files: utils/perldoc.PL private-msgid: 3439CD83.6969@netinfo.com.au Subject: perldoc mail::foo tries to read binary /usr/ucb/mail From: Tim Bunce <Tim.Bunce@ig.co.uk> Files: utils/perldoc.PL Subject: perldoc weirdness perldoc mail::imap yields: {joseph}:79% perldoc mail::foo can't open /usr/ucb/mail: Permission denied at ./pod2man line 362. Credited: Joseph "Moof-in'" Hall <joseph@cscaper.com> p5p-msgid: 199710082014.NAA00808@gadget.cscaper.com Subject: perldoc -f setpwent (for example) returns no descriptive text From: Tim Bunce <Tim.Bunce@ig.co.uk> Files: utils/perldoc.PL Subject: perldoc diffs: don't search auto - much faster From: "Joseph N. Hall" <joseph@5sigma.com> Files: utils/perldoc.PL Msg-ID: MailDrop1.2d7dPPC.971012211957@screechy.cscaper.com (applied based on p5p patch as commit 62b753c6ae4ab9bf22fbb6ec7ceac820bcef8fe4)
Diffstat (limited to 'pod/perlsec.pod')
-rw-r--r--pod/perlsec.pod70
1 files changed, 40 insertions, 30 deletions
diff --git a/pod/perlsec.pod b/pod/perlsec.pod
index 1a1ae21e81..73884790b0 100644
--- a/pod/perlsec.pod
+++ b/pod/perlsec.pod
@@ -18,25 +18,28 @@ user or group IDs. The setuid bit in Unix permissions is mode 04000, the
setgid bit mode 02000; either or both may be set. You can also enable taint
mode explicitly by using the B<-T> command line flag. This flag is
I<strongly> suggested for server programs and any program run on behalf of
-someone else, such as a CGI script.
+someone else, such as a CGI script. Once taint mode is on, it's on for
+the remainder of your script.
While in this mode, Perl takes special precautions called I<taint
checks> to prevent both obvious and subtle traps. Some of these checks
are reasonably simple, such as verifying that path directories aren't
writable by others; careful programmers have always used checks like
these. Other checks, however, are best supported by the language itself,
-and it is these checks especially that contribute to making a setuid Perl
+and it is these checks especially that contribute to making a set-id Perl
program more secure than the corresponding C program.
-You may not use data derived from outside your program to affect something
-else outside your program--at least, not by accident. All command line
-arguments, environment variables, locale information (see L<perllocale>),
-and file input are marked as "tainted". Tainted data may not be used
-directly or indirectly in any command that invokes a sub-shell, nor in any
-command that modifies files, directories, or processes. Any variable set
-within an expression that has previously referenced a tainted value itself
-becomes tainted, even if it is logically impossible for the tainted value
-to influence the variable. Because taintedness is associated with each
+You may not use data derived from outside your program to affect
+something else outside your program--at least, not by accident. All
+command line arguments, environment variables, locale information (see
+L<perllocale>), results of certain system calls (readdir, readlink,
+the gecos field of getpw* calls), and all file input are marked as
+"tainted". Tainted data may not be used directly or indirectly in any
+command that invokes a sub-shell, nor in any command that modifies
+files, directories, or processes. Any variable set
+to a value derived from tainted data will itself be tainted,
+even if it is logically impossible for the tainted data
+to alter the variable. Because taintedness is associated with each
scalar value, some elements of an array can be tainted and others not.
For example:
@@ -90,8 +93,9 @@ doing something like the last example above.
=head2 Laundering and Detecting Tainted Data
To test whether a variable contains tainted data, and whose use would thus
-trigger an "Insecure dependency" message, you can use the following
-I<is_tainted()> function.
+trigger an "Insecure dependency" message, check your nearby CPAN mirror
+for the F<Taint.pm> module, which should become available around November
+1997. Or you may be able to use the following I<is_tainted()> function.
sub is_tainted {
return ! eval {
@@ -172,8 +176,8 @@ makes sure you set the PATH.
It's also possible to get into trouble with other operations that don't
care whether they use tainted values. Make judicious use of the file
tests in dealing with any user-supplied filenames. When possible, do
-opens and such after setting C<$E<gt> = $E<lt>>. (Remember group IDs,
-too!) Perl doesn't prevent you from opening tainted filenames for reading,
+opens and such B<after> properly dropping any special user (or group!)
+privileges. Perl doesn't prevent you from opening tainted filenames for reading,
so be careful what you print out. The tainting mechanism is intended to
prevent stupid mistakes, not to remove the need for thought.
@@ -199,30 +203,36 @@ doing something it shouldn't.
Here's a way to do backticks reasonably safely. Notice how the B<exec> is
not called with a string that the shell could expand. This is by far the
best way to call something that might be subjected to shell escapes: just
-never call the shell at all. By the time we get to the B<exec>, tainting
-is turned off, however, so be careful what you call and what you pass it.
+never call the shell at all.
use English;
- die unless defined $pid = open(KID, "-|");
+ die "Can't fork: $!" unless defined $pid = open(KID, "-|");
if ($pid) { # parent
while (<KID>) {
# do something
}
close KID;
} else {
+ my @temp = ($EUID, $EGID);
$EUID = $UID;
$EGID = $GID; # XXX: initgroups() not called
+ # Make sure privs are really gone
+ ($EUID, $EGID) = @temp;
+ die "Can't drop privileges" unless
+ $UID == $EUID and
+ $GID eq $EGID; # String test
$ENV{PATH} = "/bin:/usr/bin";
- exec 'myprog', 'arg1', 'arg2';
+ exec 'myprog', 'arg1', 'arg2' or
die "can't exec myprog: $!";
}
-A similar strategy would work for wildcard expansion via C<glob>.
+A similar strategy would work for wildcard expansion via C<glob>, although
+you can use C<readdir> instead.
Taint checking is most useful when although you trust yourself not to have
written a program to give away the farm, you don't necessarily trust those
who end up using it not to try to trick it into doing something bad. This
-is the kind of security checking that's useful for setuid programs and
+is the kind of security checking that's useful for set-id programs and
programs launched on someone else's behalf, like CGI programs.
This is quite different, however, from not even trusting the writer of the
@@ -236,28 +246,28 @@ are trapped and namespace access is carefully controlled.
=head2 Security Bugs
Beyond the obvious problems that stem from giving special privileges to
-systems as flexible as scripts, on many versions of Unix, setuid scripts
+systems as flexible as scripts, on many versions of Unix, set-id scripts
are inherently insecure right from the start. The problem is a race
condition in the kernel. Between the time the kernel opens the file to
-see which interpreter to run and when the (now-setuid) interpreter turns
+see which interpreter to run and when the (now-set-id) interpreter turns
around and reopens the file to interpret it, the file in question may have
changed, especially if you have symbolic links on your system.
Fortunately, sometimes this kernel "feature" can be disabled.
Unfortunately, there are two ways to disable it. The system can simply
-outlaw scripts with the setuid bit set, which doesn't help much.
-Alternately, it can simply ignore the setuid bit on scripts. If the
+outlaw scripts with any set-id bit set, which doesn't help much.
+Alternately, it can simply ignore the set-id bits on scripts. If the
latter is true, Perl can emulate the setuid and setgid mechanism when it
notices the otherwise useless setuid/gid bits on Perl scripts. It does
this via a special executable called B<suidperl> that is automatically
invoked for you if it's needed.
-However, if the kernel setuid script feature isn't disabled, Perl will
-complain loudly that your setuid script is insecure. You'll need to
-either disable the kernel setuid script feature, or put a C wrapper around
+However, if the kernel set-id script feature isn't disabled, Perl will
+complain loudly that your set-id script is insecure. You'll need to
+either disable the kernel set-id script feature, or put a C wrapper around
the script. A C wrapper is just a compiled program that does nothing
except call your Perl program. Compiled programs are not subject to the
-kernel bug that plagues setuid scripts. Here's a simple wrapper, written
+kernel bug that plagues set-id scripts. Here's a simple wrapper, written
in C:
#define REAL_PATH "/path/to/script"
@@ -278,7 +288,7 @@ for each of them.
In recent years, vendors have begun to supply systems free of this
inherent security bug. On such systems, when the kernel passes the name
-of the setuid script to open to the interpreter, rather than using a
+of the set-id script to open to the interpreter, rather than using a
pathname subject to meddling, it instead passes I</dev/fd/3>. This is a
special file already opened on the script, so that there can be no race
condition for evil scripts to exploit. On these systems, Perl should be