develooper Front page | perl.perl5.porters | Postings from April 2008

Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT)

Thread Previous | Thread Next
Rick Delaney
April 29, 2008 17:48
Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT)
Message ID:
Paul (S), I'm CC'ing you in case you'd care to comment.  The full thread can
be found here:

On Apr 29 2008, Nicholas Clark wrote:
> On Tue, Apr 29, 2008 at 12:03:40PM +1000, Paul Fenwick wrote:
> > But that's not what we're doing.  If we're fully dropping privileges by 
> > changing both our RUID and EUID, then late-acting taint doesn't activate. 
> > If we're RUID root, and (temporarily) drop our EUID to another user, then 
> > late-acting taint doesn't activate either.
> > 
> > It's *only* in the rather odd situation that we didn't start in taint mode, 
> > have changed our RUID to a non-root user, and our EUID (or EGID) doesn't 
> > match that late-acting taint comes into effect.
> I don't think that you're right here, but testing wise, OS X sucks:
> # perl -le '$< = 1; print ${^TAINT}'
> setruid() not implemented at -e line 1.

On Linux:

    # perl -Tle '$x=shift; $<=1; print ${^TAINT}; kill 0, $x' 1
    Insecure dependency in kill while running setuid at -e line 1.
    perl -le '$x=shift; $<=1; print ${^TAINT}; kill 0, $x' 1

> Anyway, by inspection of the code, I thought that some of your details are not
> correct. The C code is always
> 	PL_tainting |= (PL_uid && (PL_euid != PL_uid || PL_egid != PL_gid));
> so it never turns tainting off.

But the problem Paul F is pointing out is that it turns tainting on.  I
think this line of code may be a hangover method of checking if we're
running suidperl which is why it is turning tainting on.  Paul Szabo's
comment following it (along with some of his other comments) suggests
this.  I think he put enough work into getting suidperl working properly
that this line isn't necessary anymore.  It doesn't look like it.  Maybe
we'll be lucky enough to get his opinion.

> If a Perl script changes its RUID and EUID it can't do it in one hit. It would
> have to write something like
>   $< = $> = $id;

You can do it like this

    ($<, $>) = ($id,$id);

> > I'd love for late-acting taint to be considered deprecated, and will 
> > cheerfully write a patch and tests if we reach this consensus.
> But this sounds more simple.

I think this would be better too because I think it's neater if tainting
is only turned on by -T or suidperl.  But it goes against what perlsec
says and could really mess someone up who is relying on setting uid to
turn on taint.

Rick Delaney

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About