G'day everyone,

Apologies for the late response; for some reason I seem to get the most p5p work done while in airports.

I said:

> I'd love for late-acting taint to be considered deprecated, and will
> cheerfully write a patch and tests if we reach this consensus.

Rick agreed:

> I think this would be better too because I think it's neater if tainting
> is only turned on by -T or suidperl. But it goes against what perlsec
> says and could really mess someone up who is relying on setting uid to
> turn on taint.

I still maintain that relying upon changing uids to enable taint after our program has started is a very odd situation, and so is going to mess up very few people indeed. If we give a deprecated warning, rather than removing late-acting taint entirely, then it messes up fewer people still.

Paul Szabo stated:

> I do not think it is right to base taintedness on a comparison of UIDs:
> prevents legitimate use of perl constructs from within setuid programs
> (e.g. cannot do "perl -e 'stuff'" if a parent was setuid); and UID
> checks do not trigger when root is running a setuid root script, so his
> own test may be flawed. As commented, the UID checks should be changed
> to "am now or came from suidperl"; and the perlsec page changed
> accordingly.

If this is suggesting that we should be able to write a setuid program that runs without taint being enabled automatically, then I'm afraid that I disagree. Let's consider the following program, which we'll call 'hello.pl':

    use strict;
    print "Hello World\n";

Now let's imagine it's running setuid, and taint-mode is not automatically enabled. I can own your machine with:

    PERL5LIB=/home/h4x0r/p5lib ./hello.pl

The contents of /home/h4x0r/p5lib/strict.pm is left as an exercise for the reader.

I don't know if this means I disagree with the bug comment in S_init_ids() yet, since my plane is about to board and I don't have time to check when it runs.
Nick had doubts with the current implementation:

> There's a bug even in the implementation as intended, I feel. If you set the
> EUID first, then the RUID (PL_uid) is still 0, so the expression is 0, and
> PL_tainting is unchanged.

And concluded with:

> [Deprecating late-acting taint] sounds more simple.

As such, I'm considering this to be a "general consensus" that late-acting taint (only) is considered harmful, and should be deprecated. I'll work on putting together test cases and a patch[2].

Paul

[1] If we have a setuid program that isn't running with taint, then we can run "PERL5LIB=/home/h4x0r/p5lib your_setuid_prog.pl" and potentially have privileged code loading our own (evil) modules.

[2] Although my next batch of round tuits may not arrive until next week.

-- 
Paul Fenwick <pjf@perltraining.com.au> | http://perltraining.com.au/
Director of Training                   | Ph:  +61 3 9354 6001
Perl Training Australia                | Fax: +61 3 9354 2681
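As an added illustration of the point in this thread (example code, not from the thread or from the perl source), the script below refuses to run with changed real/effective IDs unless taint checks were enabled at startup with `perl -T`, and reports whether any PERL5LIB directory made it into @INC; under -T perl ignores PERL5LIB and PERLLIB, so the list is empty. The function names and the `die`/`warn` messages are this example's own choices.

```perl
use strict;
use warnings;

# ${^TAINT} is 1 when taint checks are on (-T), -1 under -t, 0 otherwise.
sub taint_enabled { return ${^TAINT} > 0 }

# True when real and effective IDs differ, i.e. we were started setuid
# or setgid. $( and $) hold the group lists as strings; the first field
# is the real/effective gid.
sub ids_differ {
    my ($rgid) = split ' ', $(;
    my ($egid) = split ' ', $);
    return $< != $> || $rgid != $egid;
}

# Entries of PERL5LIB that actually ended up in @INC. With -T this list
# is empty, because perl drops PERL5LIB and PERLLIB under taint checks.
sub perl5lib_in_inc {
    my %inc = map { $_ => 1 } @INC;
    my $p5l = defined $ENV{PERL5LIB} ? $ENV{PERL5LIB} : '';
    return grep { $inc{$_} } split /:/, $p5l;
}

# Refuse to continue if privileges changed but taint was never enabled:
# this is the situation the thread describes, and a late uid-based
# switch cannot be relied on to close it.
if (ids_differ() && !taint_enabled()) {
    die "uid/gid changed but taint checks are off; start with perl -T\n";
}

my @leaked = perl5lib_in_inc();
if (@leaked) {
    warn "PERL5LIB directories are present in \@INC: @leaked\n";
} else {
    print "PERL5LIB not honoured in \@INC; taint checks ",
          (taint_enabled() ? "on" : "off"), "\n";
}

print "Hello World\n";
```

Run it as `PERL5LIB=/tmp/somedir perl -T hello.pl` and then without -T to compare which @INC entries appear; the -T flag must be on the command line, since a `#!` line alone produces "Too late for -T option".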