develooper Front page | perl.perl5.porters | Postings from May 2008

Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT)

Thread Previous | Thread Next
Paul Fenwick
May 5, 2008 22:19
Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT)
Message ID:
G'day everyone,

Apologies for the late response, for some reason I seem to get the most p5p
work done while in airports.

I said:

> I'd love for late-acting taint to be considered deprecated, and will 
> cheerfully write a patch and tests if we reach this consensus.

Rick agreed:

> I think this would be better too because I think it's neater if tainting 
> is only turned on by -T or suidperl.  But it goes against what perlsec 
> says and could really mess someone up who is relying on setting uid to 
> turn on taint.

I still maintain that relying upon changing uids to enable taint after our
program has started is a very odd situation, and so is going to mess up very
few people indeed.  If we give a deprecated warning, rather than removing
late-acting taint entirely, then it messes up less people still.

Paul Szabo stated:

> I do not think it is right to base taintedness on a comparison of UIDs:
> prevents legitimate use of perl constructs from within setuid programs
> (e.g. cannot do "perl -e 'stuff'" if a parent was setuid); and UID
> checks do not trigger when root is running a setuid root script, so his
> own test may be flawed. As commented, the UID checks should be changed
> to "am now or came from suidperl"; and the perlsec page changed
> accordingly.

If this is suggesting that we should be able to write a setuid program that
runs without taint being enabled automatically, then I'm afraid that I
disagree.  Let's consider the following program, which we'll call '':

	use strict;
	print "Hello World\n";

Now let's imagine it's running setuid, and taint-mode is not automatically
enabled.  I can own your machine with:

	PERL5LIB=/home/h4x0r/p5lib ./

The contents of /home/h4x0r/p5lib/ is left as an exercise for the

I don't know if this means I disagree with the bug comment in S_init_ids()
yet, since my plane is about to board and I don't have time to check when it

Nick had doubts with the current implementation:

> There's a bug even in the implementation as intended, I feel. If you set the
> EUID first, then the RUID (PL_uid) is still 0, so the expression is 0, and
> PL_tainting is unchanged.

And concluded with:

> [Deprecating late-acting taint] sounds more simple.

As such, I'm considering this to be a "general consensus" that late-acting
taint (only) is considered harmful, and should be deprecated.  I'll work on 
putting together test cases and a patch[2].


[1] If we have a setuid program that isn't running with taint, then we can
run "PERL5LIB=/home/h4x0r/p5lib" and potentially have
privileged code loading our own (evil) modules.

[2] Although my next batch of round tuits may not arrive until next week.

Paul Fenwick <> |
Director of Training                   | Ph:  +61 3 9354 6001
Perl Training Australia                | Fax: +61 3 9354 2681

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About