Perl security question/RFC
Madison Kelly
linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Wed Jul 19 17:38:23 UTC 2006
Christopher Browne wrote:
> On 7/19/06, Madison Kelly <linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org> wrote:
>> Hi all,
>>
>> I decided a little while ago to start from scratch with my backup
>> program. The old code, which I learned to code by writing (so you can
>> imagine the horrors that lie in the source!). A benefit of this blank
>> slate is getting a chance to re-evaluate how things are done.
>>
>> So then, my question is, what is the most secure, *reasonable* way to
>> let a perl program execute commands as root?
>>
>> Simple enough, no? :p
>>
>> My current "best idea" is to use the trusty setuid C-wrapper to call
>> a perl script owned by root with 0500 permissions. I'd have the
>> unprivileged web-based perl script (run from a dedicated webserver) call
>> the setuid C-wrapper with a set of command line switches. Have those
>> command line switches passed on to the root-owned perl script which in
>> turn does dirty work (like un/mount devices and such).
>>
>> A few things I'll do:
>>
>> - Compile the full path to the root-owned perl script at install time.
>> - Have the root-owned perl script only execute certain commands under
>> certain conditions (ie: only un/mount partitions under a certain
>> directory).
>> - Set the C-wrapper to be owned by root:<dedicated_user> and have the
>> permissions 4550.
>>
>> Comments? Suggestions? Problems? Possible weaknesses?
>
> Look into "tainting" perl...
>
> http://www.cs.cmu.edu/People/rgs/pl-suid.html
>
> "When perl is executing a setuid script, it takes special precautions
> to prevent you from falling into any obvious traps. (In some ways, a
> perl script is more secure than the corresponding C program.) Any
> command line argument, environment variable, or input is marked as
> "tainted", and may not be used, directly or indirectly, in any command
> that invokes a subshell, or in any command that modifies files,
> directories or processes. Any variable that is set within an
> expression that has previously referenced a tainted value also becomes
> tainted (even if it is logically impossible for the tainted value to
> influence the variable). "
>
> See also the man page "perlsec"
I read the perlsec page, a good article! I'm still a bit confused though
on how to properly use it because my program deals with the underlying
system a lot (just means I need to study). I think I'd just need to
filter via regexs command line options to untaint them (make sure they
are legit) but I am not so sure yet on how to untaint system calls (like
mount).
FWIW, I am not using setuid perl scripts. Only the C-wrapper will be
setuid. :)
Madison
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
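The two points raised in the thread, untainting command line options with a regex and then running mount without passing tainted data to a shell, can be shown in one small helper. The following is an added example and not code from the thread or from Madison's backup program; it assumes the root-owned script is invoked by the setuid C-wrapper with two arguments (an action and a mount point), that the permitted mount points all live directly under /mnt/backup, that those mount points have /etc/fstab entries so mount(8) needs only the path, and that mount and umount live in /bin. The script name, /mnt/backup and the two-argument interface are assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): a root-owned helper run under taint mode
# that accepts "mount" or "umount" plus a mount point, and acts only on
# directories directly under $BASE. The paths below are assumptions.
use strict;
use warnings;

# Under -T every %ENV value is tainted, so set a fixed PATH and drop the
# variables a shell would honour before any external command runs.
$ENV{PATH} = '/bin:/sbin:/usr/bin:/usr/sbin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $BASE   = '/mnt/backup';            # assumed root of the permitted mount points
my %ACTION = (
    mount  => ['/bin/mount'],          # assumed locations of the binaries
    umount => ['/bin/umount'],
);

# Untaint the action: only a literal match against one of the known keys
# is accepted. The capture group is what removes the taint, so the
# alternation is the whole allowlist.
sub untaint_action {
    my ($arg) = @_;
    defined $arg or die "no action given\n";
    my ($op) = $arg =~ /\A(mount|umount)\z/ or die "bad action\n";
    return $op;
}

# Untaint the mount point: exactly one path component of safe characters
# under $BASE. The first character may not be '.', so '.' and '..' cannot
# match, and '/' is excluded, so the result cannot escape $BASE.
sub untaint_mountpoint {
    my ($arg) = @_;
    defined $arg or die "no mount point given\n";
    my ($name) = $arg =~ m{\A\Q$BASE\E/([A-Za-z0-9_][A-Za-z0-9_.-]*)\z}
        or die "mount point must be a single directory under $BASE\n";
    my $path = "$BASE/$name";
    -d $path or die "$path is not a directory\n";
    return $path;
}

# Run the command in list form: system() with a list never invokes a
# shell, so no metacharacters in the (already untainted) path are
# interpreted. Relying on /etc/fstab for the device keeps the script from
# ever handling a device name from the caller.
sub run_action {
    my ($op, $path) = @_;
    my @cmd = (@{ $ACTION{$op} }, $path);
    my $rc = system(@cmd);
    die "@cmd failed: $?\n" if $rc != 0;
    return 0;
}

my $op   = untaint_action($ARGV[0]);
my $path = untaint_mountpoint($ARGV[1]);
exit run_action($op, $path);
```

Because -T is on the shebang line, the script must be started directly (as the C-wrapper would do with its compiled-in full path) or as `perl -T helper.pl umount /mnt/backup/disk1`; running it as `perl helper.pl` makes perl stop with "Too late for -T". A mount point such as `/mnt/backup/../etc` or one containing a `;` fails the regex and the script dies before anything is executed, which is the check the thread is after.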