Front page | perl.perl5.porters |
Postings from December 1999
From: Tom Christiansen
December 4, 1999 04:25
Message ID: 199912041224.FAA13255@jhereg.perl.com
>There's a small difference between being able to look at the memory contents
>(or crash dump) of a root program, and actually being able to make it do
>system calls which weren't in the original blueprints.
Well, yes--you're right. The difference is readability versus
writability. But being able to read things is still
rather powerful; see /dev/kmem. And you can't get coredumps
out of a setuid program. If you can, your system has many
>The former kind of attack is useless against a program which doesn't _have_
>any security-critical information in its memory, for the very simple
>reason that it doesn't need it in the first place.
>If I had no problem with having sensitive information in programs which
>have no business reading it, I'd not need a shadow password file.
Don't you mean that if you had no problem with having sensitive
information in *files* which have no business being readable, I'd not
need a shadow password file? And isn't this different?
Seriously, this is the way BSD does it, and it really works out much
easier for the programmer this way. If you can convince their security
mavens that what you're afraid of does in fact constitute a clear
and present danger under the current set-up, then Perl should perhaps
begin to worry about it, too. Possibly the easiest way to do this would be to
take an existing program of theirs and show how it can be used to gain
Then again, if you do manage to get my password string, you're
still going to have an annoying problem:
DB<1> x getpwnam("tchrist")
6 'Tom Christiansen'
Good luck. :-)