Perl security question/RFC

Christopher Browne cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Wed Jul 19 17:30:30 UTC 2006


On 7/19/06, Madison Kelly <linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org> wrote:
> Hi all,
>
>    I decided a little while ago to start from scratch with my backup
> program. The old code, which I learned to code by writing (so you can
> imagine the horrors that lie in the source!). A benefit of this blank
> slate is getting a chance to re-evaluate how things are done.
>
>    So then, my question is, what is the most secure, *reasonable* way to
> let a perl program execute commands as root?
>
>    Simple enough, no? :p
>
>    My current "best idea" is to use the trusty setuid C-wrapper to call
> a perl script owned by root with 0500 permissions. I'd have the
> unprivileged web-based perl script (run from a dedicated webserver) call
> the setuid C-wrapper with a set of command line switches. Have those
> command line switches passed on to the root-owned perl script which in
> turn does dirty work (like un/mount devices and such).
>
>    A few things I'll do:
>
> - Compile the full path to the root-owned perl script at install time.
> - Have the root-owned perl script only execute certain commands under
> certain conditions (ie: only un/mount partitions under a certain directory).
> - Set the C-wrapper to be owned by root:<dedicated_user> and have the
> permissions 4550.
>
>    Comments? Suggestions? Problems? Possible weaknesses?

Look into "tainting" perl...

http://www.cs.cmu.edu/People/rgs/pl-suid.html

"When perl is executing a setuid script, it takes special precautions
to prevent you from falling into any obvious traps. (In some ways, a
perl script is more secure than the corresponding C program.) Any
command line argument, environment variable, or input is marked as
"tainted", and may not be used, directly or indirectly, in any command
that invokes a subshell, or in any command that modifies files,
directories or processes. Any variable that is set within an
expression that has previously referenced a tainted value also becomes
tainted (even if it is logically impossible for the tainted value to
influence the variable). "

See also the man page "perlsec"
-- 
http://www3.sympatico.ca/cbbrowne/linux.html
Oddly enough, this is completely standard behaviour for shells. This
is a roundabout way of saying `don't use combined chains of `&&'s and
`||'s unless you think Gödel's theorem is for sissies'.
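
An added example, not code from the original thread: the kind of root-owned
helper the post describes, written to run under taint mode so that the
"tainting" Christopher points to is what enforces the policy. It assumes the
allowed mount-point directory is /mnt/backup, that mount/umount live in /bin,
and that /etc/fstab holds the entry for every permitted mount point; all three
are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original thread: the root-owned helper
# that a setuid C wrapper would exec. It runs under taint mode (-T) and
# un/mounts only mount points directly under $ALLOWED_ROOT. The directory,
# the mount binaries and the reliance on /etc/fstab are assumptions.
use strict;
use warnings;

# Taint mode refuses to exec anything, even by absolute path, while
# $ENV{PATH} is tainted or lists a directory writable by others. Fix it
# first and drop the variables a hostile caller could use to steer children.
$ENV{PATH} = '/sbin:/bin:/usr/sbin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV PERL5LIB PERLLIB PERL5OPT)};

my $ALLOWED_ROOT = '/mnt/backup';                               # assumption
my %ACTION = (mount => '/bin/mount', umount => '/bin/umount');  # assumption

# The only way data escapes taint is through a regex capture, so the
# pattern is the policy: exactly one plain directory name under
# $ALLOWED_ROOT. '.' and '..' cannot match because the first character
# must be alphanumeric or '_', and '/' is not in the class at all.
sub untaint_mountpoint {
    my ($arg) = @_;
    return unless defined $arg;
    return unless $arg =~ m{\A\Q$ALLOWED_ROOT\E/([A-Za-z0-9_][A-Za-z0-9_.-]*)\z};
    my $name = $1;                    # captured copy is untainted
    return "$ALLOWED_ROOT/$name";     # built only from constants and $name
}

sub untaint_action {
    my ($arg) = @_;
    return unless defined $arg && $arg =~ /\A(mount|umount)\z/;
    return $1;
}

sub run {
    my ($action_arg, $target_arg) = @_;
    my $action = untaint_action($action_arg);
    my $target = untaint_mountpoint($target_arg);
    die "usage: $0 mount|umount $ALLOWED_ROOT/<name>\n"
        unless defined $action && defined $target;

    # The name passed the pattern; now check the object it names. Refuse
    # symlinks so a planted link cannot redirect the operation (-l uses
    # lstat, so the link itself is examined), and require a real directory.
    die "$target: refusing symlink\n" if -l $target;
    die "$target: not a directory\n" unless -d $target;

    # List-form system() never involves a shell. Only the mount point is
    # passed; the device comes from /etc/fstab, so the caller picks which
    # entry to act on but never what gets mounted, or where.
    my $rc = system($ACTION{$action}, $target);
    die "exec of $ACTION{$action} failed: $!\n" if $rc == -1;
    return $? >> 8;                   # propagate mount/umount's exit status
}

my $status = run(@ARGV);
exit $status;
```

Two things to watch when wiring this behind the C wrapper. First, the
wrapper should exec the script by its compiled-in path so the kernel honours
the -T on the #! line; if the wrapper runs "perl script.pl" without -T on the
command line, perl aborts with "Too late for -T". Second, forgetting to
untaint is a loud failure, not a silent one: passing $ARGV[1] straight to
system() dies with "Insecure dependency in system while running with -T
switch", which is exactly the trap the quoted text says perl protects you
from.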
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org