On Tue, Apr 15, 2008 at 03:25:41PM +0100, Nicholas Clark wrote:
> On Tue, Apr 15, 2008 at 04:01:11PM +0200, Rafael Garcia-Suarez wrote:
> > On 15/04/2008, Paul Fenwick <pjf@perltraining.com.au> wrote:
>
> > > I still maintain that changing perl's tainting behaviour after it's already
> > > started is a bug, and breaks the fundamental design principles of taint.
>
> > Ditto.
>
> It was introduced in 5.000 alpha 4
>
> http://utsl.gen.nz/gitweb/?p=perl;a=commit;f=mg.c;h=463ee0b2acbd047c27e8b5393cdd8398881824c5

Before I forget, I asked Larry this on the Perl 6 call last week. Foolishly I was too busy listening to the answer to make notes, so my notes from which this is expanded were written after the call, and might be incomplete. Larry is too interesting to listen to.

Specifically, IIRC, the intent was as follows:

If a program is in the position that it currently has euid == uid and gid == egid, then it has to be running as root, not setuid root, so it's already in a trusted position. (The perl interpreter doesn't default to turning on -T if you're running as root.) So anything you had when you started the interpreter is already trusted (%ENV, @ARGV, $^X), because whatever started perl was already in a position to do anything it damn well pleased.

However, Larry's logic is that if you drop privileges, then you're stating that you now don't want the program to be running with the power of root. Anything you open now should only be something that the lower privileged user is capable of accessing. So you now specifically don't trust anything (new) that the program did, such as not trusting the data from files that it opened post privilege drop. Stuff pre-privilege drop doesn't matter, because it's (already) game over, hence why it doesn't matter that it's not tainted.

Hence why it's only necessary to worry about external data created post privilege drop, and hence why only it needs to be tainted, and hence why Larry designed it this way.
Nicholas Clark
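As an added illustration, not part of the thread or of perl's own code: a script to observe the behaviour discussed above. It assumes it is started as root (uid 0 == euid 0, so -T is not on by default) and is given an unprivileged uid and a readable file path as arguments; it reports the interpreter's taint state and whether freshly read data comes back tainted before and after the uid changes.

```perl
#!/usr/bin/perl
# Added example (not from the thread): watch whether the interpreter turns
# taint checking on after an in-process uid change. Assumes it runs as root
# and that <unprivileged-uid> and <file> are supplied on the command line.
use strict;
use warnings;
use Scalar::Util qw(tainted);

my ($uid, $path) = @ARGV;
die "usage: $0 <unprivileged-uid> <file>\n"
    unless defined $uid && defined $path;

# ${^TAINT}: 1 = taint checks on, 0 = off, -1 = warnings only (-t).
sub report {
    my ($stage) = @_;
    printf "%-22s uid=%d euid=%d \${^TAINT}=%d\n", $stage, $<, $>, ${^TAINT};
}

# Read one line from $path and say whether the data came back tainted.
# A file opened before any uid change should yield untainted data; the
# question the thread raises is what happens to files opened afterwards.
sub probe_file {
    my ($stage) = @_;
    open my $fh, '<', $path or die "open $path: $!";
    my $line = <$fh>;
    close $fh;
    printf "%-22s line read is %s\n", $stage,
        tainted($line) ? 'TAINTED' : 'not tainted';
}

report('at startup');
probe_file('before uid change');

# Step 1: change the real uid only (euid stays 0), then look again.
$< = $uid;
report('after $< = uid');
probe_file('after $< change');

# Step 2: change the effective uid as well, completing the privilege drop.
$> = $uid;
report('after $> = uid');
probe_file('after $> change');
```

Run it once under `perl -T` as well to compare against the state an explicitly taint-enabled interpreter starts in.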