Paul (S), I'm CC'ing you in case you'd care to comment. The full thread can be found here:

http://groups.google.ca/group/perl.perl5.porters/browse_thread/thread/5c181925c0397071/fd5e8b57bed7eaa7

On Apr 29 2008, Nicholas Clark wrote:
> On Tue, Apr 29, 2008 at 12:03:40PM +1000, Paul Fenwick wrote:
> > But that's not what we're doing. If we're fully dropping privileges by
> > changing both our RUID and EUID, then late-acting taint doesn't activate.
> > If we're RUID root, and (temporarily) drop our EUID to another user, then
> > late-acting taint doesn't activate either.
> >
> > It's *only* in the rather odd situation that we didn't start in taint mode,
> > have changed our RUID to a non-root user, and our EUID (or EGID) doesn't
> > match that late-acting taint comes into effect.
>
> I don't think that you're right here, but testing wise, OS X sucks:
>
> # perl -le '$< = 1; print ${^TAINT}'
> setruid() not implemented at -e line 1.

On Linux:

# perl -Tle '$x=shift; $<=1; print ${^TAINT}; kill 0, $x' 1
1
Insecure dependency in kill while running setuid at -e line 1.
perl -le '$x=shift; $<=1; print ${^TAINT}; kill 0, $x' 1
1

> Anyway, by inspection of the code, I thought that some of your details are not
> correct. The C code is always
>
> PL_tainting |= (PL_uid && (PL_euid != PL_uid || PL_egid != PL_gid));
>
> so it never turns tainting off.

But the problem Paul F is pointing out is that it turns tainting on. I think this line of code may be a hangover method of checking if we're running suidperl, which is why it is turning tainting on. Paul Szabo's comment following it (along with some of his other comments) suggests this. I think he put enough work into getting suidperl working properly that this line isn't necessary anymore. It doesn't look like it. Maybe we'll be lucky enough to get his opinion.

> If a Perl script changes its RUID and EUID it can't do it in one hit. It would
> have to write something like
>
> $< = $> = $id;

You can do it like this

($<, $>) = ($id, $id);

> > I'd love for late-acting taint to be considered deprecated, and will
> > cheerfully write a patch and tests if we reach this consensus.
>
> But this sounds more simple.

I think this would be better too, because I think it's neater if tainting is only turned on by -T or suidperl. But it goes against what perlsec says and could really mess someone up who is relying on setting uid to turn on taint.

-- 
Rick Delaney
rick@bort.ca