Perl security question/RFC

Rick Delaney rick-h4KjNK7Mzas at public.gmane.org
Wed Jul 19 21:02:26 UTC 2006


On Wed, Jul 19, 2006 at 05:56:10PM +0000, Christopher Browne wrote:
> On 7/19/06, Madison Kelly <linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org> wrote:
> >FWIW, I am not using setuid perl scripts. Only the C-wrapper will be
> >setuid. :)
> 
> It seems to me that you'd likely be better off using setuid Perl
> scripts, and eschewing the C wrapper.  That's likely to be better
> protection.

This is exactly backwards.  Setuid scripts are often not secure from the
start, and last I looked they're disabled on Linux because of that.  A C
wrapper is much better.  suidperl may be ok but it has had security holes
before and may again.  The Perl developers don't even stand behind it.

Anyway, you're much better off using sudo to control access to commands.
You should definitely run the perl script with tainting enabled to help
prevent you from passing bad args to the sudo commands.

-- 
Rick Delaney
rick-h4KjNK7Mzas at public.gmane.org
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
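
The taint-mode advice in the message above, sketched as an added example (not code from the thread). The service-name argument, the name pattern and the /usr/sbin/service command are assumptions chosen for illustration; the sudoers rule that permits the command is not shown.

```perl
#!/usr/bin/perl -T
# Added example: taint mode in front of a sudo-controlled command.
# Assumptions: one service-name argument, /usr/sbin/service as the command.
use strict;
use warnings;

# Under -T, Perl refuses to run external commands while PATH or these
# variables are tainted, so pin the environment before anything else.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return an untainted service name, or undef if the input is unacceptable.
# A regex capture is how tainted data gets untainted, so the pattern is
# the allow-list: anchor it and keep it as strict as the task permits.
sub untaint_service {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A([a-z][a-z0-9_-]{0,31})\z/;
    return undef;
}

my $service = untaint_service($ARGV[0]);
die "usage: $0 <service-name>\n" unless defined $service;

# List-form system() bypasses the shell, so the argument reaches sudo as
# a single word. Passing the raw $ARGV[0] here instead would die with
# "Insecure dependency in system while running with -T switch".
my @cmd = ('/usr/bin/sudo', '-n', '/usr/sbin/service', $service, 'restart');
system(@cmd) == 0
    or die "command failed, exit status " . ($? >> 8) . "\n";
```

Taint mode only forces the check to exist; a loose pattern such as /(.*)/ untaints everything and defeats it.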




